Tens of thousands of iOS applications contain a security hole which can be exploited to send and receive malicious data remotely, without the victim being aware of the attack.
Skycure's research finds iPhone users would be unaware of changes made to where apps receive data from. (Reuters)
Announced by IT security company Skycure at the RSA Conference taking place this week in Amsterdam, the exploit is claimed to affect "tens of thousands" of the most popular iPhone and iPad applications, and uses a relatively simple 'man-in-the-middle' attack to intercept requests for data sent by the device.
Although man-in-the-middle attacks, where requests for data through browsers and apps are intercepted by an attacker connected to the same unsecured Wi-Fi network, are nothing new, Skycure found iOS caches the addresses it uses to request data through applications.
If an iPhone user opens a news application; the app sends a request for data to the news organisation and the latest headlines are returned. An attacker logged onto the same unsecured Wi-Fi network can hijack this request for data, provide a fake connection error, then tell the app to try again through a different address of the attacker's choosing.
Because iOS caches this address, the attacker can continue to send bogus news stories - or any other fake information - to the victim every time their apps request new content, while no longer needing to share the same Wi-Fi network.
Because apps do not display an address bar like a browser, it is impossible for the victim to identify where the displayed content is coming from.
Called HTTP Request Hijacking (HRH), the attacks can be maintained by the hacker until the victim deletes and reinstalls the application, which will then request data from the correct address when first launched.
Skycure CTO and co-founder Yair Amit wrote on the company's blog that after the exploit worked on "a well-known iOS application," he and his team "went on to test a bunch of high profile applications, and were amazed to find that about half of them were susceptible to HRH attacks. Focusing on leading App Store news apps, we found many of them vulnerable and easy to exploit."
Tens of thousands of vulnerable apps
In an email to Ars Technica, Amit said: "Due to the fact [that] almost half of [the apps tested] were susceptible to HRH, we estimate that the number of vulnerable apps is very large, probably tens of thousands."
Opting not to name any applications found to be vulnerable, Skycure has instead published instructions for developers explaining how to secure their apps and prevent HRH attacks.
Amit adds that, while further testing is required, other mobile platforms such as Android and Windows Phone could also be vulnerable to such attacks.
IBTimes UK contacted Apple for a response to the reported vulnerability, but at the time of publication had not received a resopnse.