Users of the App Store have been vulnerable to attack because Apple didn't fully encrypt traffic travelling between its App Store and end users.

Three researchers are credited by Apple for discovering the vulnerability with the itunes.apple.com domain. Recurity Labs' Bernhard 'Bruhns' Brehm, Google's Elie Bursztein, and Bejoi LLC's Rahul Iyer are highlighted by Apple in its latest Apple Web Server notifications document.

It has taken Apple six months to deploy the necessary protection in its iOS app that connects to the App Store. Google researcher Bursztein discovered the security hole and reported various iOS flaws to Apple's security team in July.

This suggests that the App Store has been running without SSL encryption for a period of at least six months. Potentially longer.

However, it may be the case that parts of the App Store were protected by HTTPS while other parts were not, suggests Ars Technica, noting that Bursztein wrote: "By abusing the lack of encryption (HTTPS) in certain parts of the communication with the App Store the dynamic nature of the App Store pages, and the lack of confirmation, an active network attacker can perform" various attacks.

Why Apple needed HTTPS

iOS customers were open to attack because Apple's engineers had not implemented HTTPS technology to encrypt traffic traveling between iOS devices and the App Store.

Encryptions should be used to prevent attackers from intercepting traffic. HTTPS also provides assurance that the server truly belongs to Apple and is not an impostor.

Without HTTPS imposters could set up fake App Stores issuing fake apps and app upgrades, putting users at risk.

Was the App Store under attack?

Theoretically iOS is so locked down that it would not be possible to install a fake app. Although, as ZDnet notes, an attacker could swap application purchase/download parameters, forcing a victim to purchase a more expensive app.

In another attack, outlined by Google researcher Bursztein: "The user opens the App Store, which will trigger the App Store app to fetch the list of update available from the server. The attacker intercepts the reply and injects a javascript prompt into it that asks for the user Apple Id password. From the user's perspective it seems that opening the application triggered the prompt which is very deceiving. The password is then exfiltrated by including it into a script insertion url."

Bursztein has published videos demonstrating password stealing and the fake upgrade attack.

Sophos Paul Ducklin also highlights potential vulnerabilities: "Firstly, some of those Apps will identify aspects of your life that would be handy for a social engineer to know: the bank you use, the newspapers you like, the games you play, the share-trading services you invest with, and more."

"Secondly, the complete selection of Apps on your device may very well be unique to you, thus making it a handy form of digital fingerprint for an attacker," he adds.

Security firm Qualys has also highlighted itunes.apple.com as being "vulnerable to the BEAST attack". In its recent SSL Report. At various points in the report it was noted that the server was "insecure" and "weak".

Follow Karen Haslam on Twitter / Follow MacworldUK on Twitter

Related

The Android malware problem is not hyped, researchers say

Understanding iOS passcode security

iOS Apps collect more data than Android apps in bid to make money, report

iPhone iOS 6.1 security flaw lets attackers bypass passcode lock

Apple to settle class action lawsuit on in-app purchases by minors