Users of the App Store have been vulnerable to attack because Apple didn't fully encrypt traffic travelling between its App Store and end users.
Three researchers are credited by Apple for discovering the vulnerability with the itunes.apple.com domain. Recurity Labs' Bernhard 'Bruhns' Brehm, Google's Elie Bursztein, and Bejoi LLC's Rahul Iyer are highlighted by Apple in its latest Apple Web Server notifications document.
It has taken Apple six months to deploy the necessary protection in its iOS app that connects to the App Store. Google researcher Bursztein discovered the security hole and reported various iOS flaws to Apple's security team in July.
This suggests that the App Store has been running without SSL encryption for at least six months, and potentially longer.
However, it may be the case that parts of the App Store were protected by HTTPS while other parts were not, suggests Ars Technica, noting that Bursztein wrote: "By abusing the lack of encryption (HTTPS) in certain parts of the communication with the App Store the dynamic nature of the App Store pages, and the lack of confirmation, an active network attacker can perform" various attacks.
Why Apple needed HTTPS
iOS customers were open to attack because Apple's engineers had not implemented HTTPS technology to encrypt traffic traveling between iOS devices and the App Store.
Encryption should be used to prevent attackers from intercepting traffic. HTTPS also provides assurance that the server truly belongs to Apple and is not an impostor.
Without HTTPS, impostors could set up fake App Stores issuing fake apps and app upgrades, putting users at risk.
Was the App Store under attack?
Theoretically, iOS is so locked down that it would not be possible to install a fake app, although, as ZDNet notes, an attacker could swap application purchase/download parameters, forcing a victim to purchase a more expensive app.
Sophos' Paul Ducklin also highlights potential vulnerabilities: "Firstly, some of those Apps will identify aspects of your life that would be handy for a social engineer to know: the bank you use, the newspapers you like, the games you play, the share-trading services you invest with, and more."
"Secondly, the complete selection of Apps on your device may very well be unique to you, thus making it a handy form of digital fingerprint for an attacker," he adds.
Security firm Qualys has also highlighted itunes.apple.com as being "vulnerable to the BEAST attack" in its recent SSL Report. At various points in the report it was noted that the server was "insecure" and "weak".