Mobile apps vulnerable to HTTP Request Hijacking

Posted by on Oct 31, 2013

Image from http://blog.farreachinc.com

Image from http://blog.farreachinc.com

Like many people, I like to start my day by selecting the news app on my Smartphone, and reading about what’s going on around the world. I totally trusted my news application for reading the daily news, until I stumbled upon this blogpost that talks about vulnerabilities in mobile phone apps. According to the researchers of Israel-based Skycure, large numbers of iPhone and iPad apps are susceptible to hacks that will cause them to interact with a malicious server instead of a legitimate one. The majority of the mobile apps interacts with the server to send or retrieve data.

An attacker can carry out an attack by altering the server URL from which the app loads its data and redirect victim’s app to a malicious server. By redirecting to a malicious server, the apps that display news, social media content, or stock quotes can be manipulated to display fraudulent contents. Also the data sent by the end user can be intercepted. Once an app is tampered, it will continue to connect to the hacker-controlled server for a prolonged time.

The team at Skycure came across this redirection bug in their own app. Soon after that, they tested a bunch of high profile apps and found out that about half of the apps were vulnerable to such attacks. This kind of vulnerability or weakness is called an HTTP request hijacking (HRH) and is estimated to affect at least 10,000 titles in the Apps Store.

Browsers and apps store HTTP redirections in a cache, so that they can use the updated address if the end user wants to visit the old address. An app or browser receives an HTTP response known as 301 Moved Permanently status code when an URL address is changed. The hacker can exploit this Moved Permanently HTTP response to alter and control the applications without the victim knowing about it. It is not possible for us to visually figure out which server we are connecting to while using a mobile app. On the contrary, the address-forwarding mechanism can be easily noticed in the address bar of Web browsers.

Image from http://www.skycure.com

Image from http://www.skycure.com

In order to conduct this attack, a hacker first performs a Man-In- the-Middle attack on an unsecured Wi-Fi connection. When a user opens a vulnerable app the attacker intercepts the HTTP request it sends and responds with a fake 301 status response. From now on the app will connect to the hacker-controlled server even though it is connected to a trustworthy network. As per the research of Skycure team, this kind of attack can only happen if – the attacker is physically near to victim for initial poisoning (the next steps of the attack does not depend on the location of the victim) and HTTP connection is used to connect to the server. Apps that use HTTPS protection correctly is less likely to fall prey of such an attack. However a victim can be socially engineered to install a malicious profile that includes fraudulent digital certificates. Besides iOS, apps that run on Android and Microsoft’s Window Phone are also vulnerable, but the security researchers at Skycure have not performed enough testing to be sure.

How to protect yourself from HTTP Request Hijacking attacks?

  • If you are suspicious that one of their connections is hacked then they should immediately remove the app and reinstall it.
  • Always use apps that use HTTPS connection, that way you will be protected against malicious attacks. HTTPS encrypts the communication channels over the Internet. Therefore, it is difficult to break into an HTTPS connection compared to an HTTP connection.
  • Skycure recommends a remediation method for app developers, that is to create a new subclass object NSURLCache that avoids 301 redirection caching.
Image from http://www.skycure.com

Image from http://www.skycure.com

 Secure your data with SpiderOak

 For most developers and users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, developers can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.


2 Responses to “Mobile apps vulnerable to HTTP Request Hijacking”

  1. Mike says:

    I think the use of apps is such a natural part of our everyday experience now and we don’t think of them as a vulnerable spot. Hackers are always ahead of the technology curve and this is a definite weakness that can be exploited. The ability to find software that can protect these apps from hackers using unsecure wifi spots would be very important.

  2. Paul R says:

    It would make sense for all developers to use HTTPS connections. This wouldn’t necessarily eliminate malicious activity all together, but would significantly reduce it’s potential threat. As far as encrypting personal information is concerned, SpiderOak seems to set the benchmark. Cloud storage is convenient, but in my opinion not very secure.

Leave a Reply