Several Apple iOS apps are vulnerable to a redirection bug that can allow remote attackers to control and alter how apps operate.
The apps were prone to HTTP Request Hijacking (HRH), which requires attackers to launch a two-pronged attack.
The first part of the HRH, known as the injection phase, is when an attacker changes the logic of the app. That is followed by a hijacking phase in which the attacker takes control over the app's traffic, said Skycure co-founder Yair Amit, who reported the flaw.
“The first phase starts with a man-in-the-middle (MiTM) scenario,” Amit said.
“That can happen when the victim connects to a coffee shop, hotel or airport Wi-Fi – a very popular target for MiTM attacks.”
Attackers then capture requests issued as the applications are used and answer them with HTTP 301 responses that direct the victim's apps to interact with an attacker-controlled server.
“If the applications honor 301 HTTP responses, they would remember this directive and from that moment on will practically persistently change their logic and keep interacting with the new, attacker-controlled URLs, even though their developers specifically coded these applications to work with their designated servers,” Amit said.
Amit used a news app as an example, stating that the attacker can modify the content being delivered from the vendor.
He added that during his research he had seen stock, social and even banking apps that are also vulnerable to HRH.
“One interesting example for this would be the huge effect the Syrian Electronic Army had when they hijacked the Associated Press Twitter account earlier this year and tweeted about explosions in the White House and the injury of President Barack Obama,” Amit said.
“As you may remember, that led to about $136 billion being erased from the S&P 500 in a matter of three minutes.”
The exploitation is hard for the average user to detect because a successful HRH attack results in a “persistent” change of the URLs to which the apps connect and, since most apps do not display web addresses, the owner may go on using the altered app for some time. However, a technical person who analyzes app traffic might be able to make the discovery.
Amit, who posted the findings in a blog post, offered some best practices for avoiding this vulnerability.
“As a best practice, it is always advisable to program applications to interact via an encrypted channel, such as HTTPS, instead of HTTP,” Amit said. “However, this is a mitigation of HRH, not a fix. An attacker might utilize techniques such as malicious profiles in order to circumvent the SSL layer, and perform a persistent attack even if the victim removes the malicious profile.”
A more thorough fix for HRH would be to change the application's caching policy so that it does not store persistent redirections, Amit said.
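As an added illustration (not code from the article or from Skycure), the following Python model reproduces the two-phase scenario described above: a client that remembers a 301 across the attack window keeps talking to the attacker's host after the MitM is gone, a client that does not persist 301s recovers on its own, and a client that additionally refuses off-host redirects never leaves its designated server. The host names and the two network functions are constructed for the example.

```python
from urllib.parse import urlparse

DESIGNATED_HOST = "news.example"    # constructed: host the app was coded to use
ATTACKER_HOST = "attacker.example"  # constructed: where the MitM 301 points

def mitm_network(url):
    """Constructed attack-window network: any request for the designated
    host is answered with a 301 to the same path on the attacker's host."""
    p = urlparse(url)
    if p.hostname == DESIGNATED_HOST:
        return 301, f"http://{ATTACKER_HOST}{p.path}"
    return 200, url

def clean_network(url):
    """Constructed post-attack network: no MitM, every host answers 200."""
    return 200, url

class AppClient:
    """Minimal model of an app's HTTP layer. redirect_cache stands in for
    the on-disk URL cache in which a 301 is remembered across launches."""
    def __init__(self, persist_301=True, same_host_only=False):
        self.persist_301 = persist_301
        self.same_host_only = same_host_only
        self.redirect_cache = {}

    def fetch(self, url, network):
        """Return the URL the app actually ends up talking to."""
        url = self.redirect_cache.get(url, url)   # cached 301 applied first
        status, target = network(url)
        if status != 301:
            return url
        if self.same_host_only and \
                urlparse(target).hostname != urlparse(url).hostname:
            return url   # refuse off-host redirect, stay on designated server
        if self.persist_301:
            self.redirect_cache[url] = target  # the HRH injection persists here
        return target

def host_after_attack(client):
    """Run injection (MitM) then hijacking (clean network) and report which
    host the app uses once the attacker is no longer on the path."""
    url = f"http://{DESIGNATED_HOST}/headlines"
    client.fetch(url, mitm_network)
    return urlparse(client.fetch(url, clean_network)).hostname

vulnerable = AppClient()                                      # honors and caches 301s
no_cache = AppClient(persist_301=False)                       # Amit's recommended fix
hardened = AppClient(persist_301=False, same_host_only=True)  # fix plus host check
```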