Nixu’s cybersecurity consultant Aapo Oksman has been researching vulnerabilities that allow intercepting secure network connections made by devices and software. The research revealed a vulnerability in the App Store application in Apple's iOS. The vulnerability allows an attacker to eavesdrop on and alter the network traffic of some parts of the App Store application.
Security issue at App Store
During his vulnerability research, Oksman tested whether he could act as a man-in-the-middle between an iPhone running iOS and the App Store servers. He wanted to find out how iPhones, iPads and their applications handle server verification: how do the devices verify that they are connecting to the real servers and not to an attacker?
Oksman succeeded in tricking the iPhone's server validation: he was able to see which applications were being downloaded from the App Store and to alter the traffic. When he noticed this, he reported the issue to Apple. Apple released the update containing the fix for Oksman’s finding on April 26.
Malicious apps in disguise
The vulnerability requires that the iPhone first connects to the attacker; this is hard to achieve unless the target is on a public Wi-Fi or another insecure network where the attacker can intercept their connections. “A cyber-criminal could offer you a hoax app instead of the real one,” Oksman explains. “But then again, Apple would verify the content and prevent any fraudulent apps from being downloaded. You would only get a notification that ‘This app is not available’ or something else.”
The remaining impact is that the attacker can listen in on the connections. Still, the scale makes the finding more severe. “Any vulnerability that concerns millions of people is a serious one,” says Oksman.
Threat to privacy, especially in non-democratic countries
In countries where legislation allows the administration or other entities to see which apps people are downloading, this security issue is a threat to privacy. If certain applications are deemed illegal, the authorities could directly see who is downloading them. If your connection is routed through a server in a non-democratic country, an official could hijack the traffic.
“That’s why TLS (Transport Layer Security) is used – it protects your network traffic in a public Wi-Fi or other insecure networks when implemented correctly,” Oksman says. “And that’s why TLS connections are interesting for cybersecurity experts to investigate.”
Bug bounty hunting supported by Nixu
At work and in his spare time, Aapo Oksman likes to investigate vulnerabilities. One of his current interests has been studying connections that use SSL (Secure Sockets Layer) and TLS, and verifying whether they are secure.
Oksman sets up a malicious server that pretends to be the server that different software and applications connect to. If the client accepts the connection, something is wrong with its certificate validation.
Oksman sees the support he gets from Nixu as important in the search for new vulnerabilities. “The investigations I carry out in my free time support my consultant work at Nixu and vice versa. That’s why I think it’s nice to mention Nixu in the reports that I make to the technology companies.”
The security issue found by Oksman may be a serious vulnerability, but criminals cannot exploit it much further. Apple pays large bounties to hackers who report security issues that allow criminals to exploit Apple users directly. “We’re talking about a million-dollar reward,” says Oksman. In this case, the exploitability is not that high.
For his finding, the bounty amount depends on the severity and the business risk of the issue at hand. Only Apple has complete visibility into the risk the vulnerability created.
A new area for Oksman
Apple usually takes security a step further by not only verifying the connection but also checking some of the content the server offers. This makes it harder for malicious actors: they not only need to impersonate the server but also pass the other verification steps.
For Oksman, this security issue was the first one he found in iOS or in Apple products. “Apple has a good level of security measures in general, better than other application providers. That’s why it’s interesting to find holes in their security protocols.”
To get the fix for the vulnerability found by Oksman, make sure your Apple device is updated to iOS 14.5. It is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Background: What is certificate validation, and why we need it
Every website and application needs to prove that it is what it claims to be. Every time an application connects to a server, it also asks: “Is this the server it claims to be?” The server must present a certificate, and the application checks two things: that the certificate was signed by a certificate authority the device trusts, and that it was issued for the hostname the application is connecting to. This is how a secure connection using SSL (Secure Sockets Layer, now superseded by TLS) and TLS (Transport Layer Security) is formed.
To get around this, cybercriminals set up fake servers with fake certificates and try to get people to connect to them. What cybersecurity expert Aapo Oksman does is step in between the server and the application and claim to be the server. If the security measures are sound, the hoax should not go through.
But sometimes it does. That is when Oksman has discovered a new vulnerability and reports it to the application owner.
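The test Oksman describes above (a rogue server that claims to be the real one, and a client that should refuse it) and the two certificate checks explained in this background section can be reproduced on a laptop. The following Go program is an added example written for this page; it is not Nixu's or Oksman's tooling, and it has nothing to do with Apple's implementation. It mints self-signed certificates in memory, serves them from loopback listeners that stand in for the attacker's server, and connects three clients: one that validates properly against a forged certificate for the expected name, one that validates properly against a certificate that a trusted CA really did issue but for a different name, and one that skips verification altogether. The hostnames apps.example and attacker.example are hypothetical placeholders, and the certificate pool stands in for a device's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TargetHost is a hypothetical placeholder for the name the client expects; it is not a real Apple hostname.
const TargetHost = "apps.example"

// rogueServer mints a self-signed certificate for host and serves it on loopback, as an impersonating
// server would; anyone can mint such a certificate, so the client must notice that no trusted CA signed it.
func rogueServer(host string) (addr string, leaf *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the certificate claims
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // signed by itself
	if err != nil {
		return "", nil, err
	}
	leaf, _ = x509.ParseCertificate(der) // our own DER, so this cannot fail
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() { // complete each handshake the client is willing to do, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { _ = c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), leaf, nil
}

// Verdict records whether one client configuration accepted a rogue server and, if not, why.
type Verdict struct {
	Client   string
	Accepted bool
	Err      error
}

// Classifiers for the two checks a validating client makes: a trusted signature chain, and the expected name.
func IsUnknownAuthority(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }
func IsHostnameMismatch(err error) bool { var e x509.HostnameError; return errors.As(err, &e) }

// Run plays three clients against rogue servers; only the client that skips verification should accept.
func Run() ([]Verdict, error) {
	forgedAddr, _, err := rogueServer(TargetHost) // the attacker forges the target's name
	if err != nil {
		return nil, err
	}
	ownAddr, ownCert, err := rogueServer("attacker.example") // hypothetical name the attacker really controls
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool() // stands in for the device trust store, which vouches for attacker.example
	trusted.AddCert(ownCert)
	strict := &tls.Config{ServerName: TargetHost, RootCAs: trusted}
	try := func(name, addr string, cfg *tls.Config) Verdict {
		conn, err := tls.Dial("tcp", addr, cfg) // the handshake, including certificate checks, happens here
		if err == nil {
			conn.Close()
		}
		return Verdict{name, err == nil, err}
	}
	return []Verdict{
		try("validating client vs forged cert", forgedAddr, strict),
		try("validating client vs trusted cert for wrong name", ownAddr, strict),
		try("non-validating client vs forged cert", forgedAddr, &tls.Config{ServerName: TargetHost, InsecureSkipVerify: true}),
	}, nil
}

func main() {
	vs, err := Run()
	if err != nil {
		panic(err)
	}
	for _, v := range vs {
		fmt.Printf("%-50s accepted=%-5v %v\n", v.Client, v.Accepted, v.Err)
	}
}
```

The first two clients fail for different reasons: the forged certificate is rejected because no trusted CA signed it, and the attacker's genuine certificate is rejected because it names attacker.example rather than the host the client asked for. A client that passes either check on its own, or that sets the equivalent of InsecureSkipVerify, is exactly the kind of client a rogue server on a public Wi-Fi can impersonate.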