App Store’s Late HTTPS Fix Underscores Ongoing Mobility Vulnerability

March 19, 2013

Apple released a fix in the latest version of iOS, its mobile operating system, well known as the system that powers the company’s iPhones and iPads. Hypertext Transfer Protocol Secure (HTTPS), used by almost every site that is serious about encrypting traffic that carries authentication or payment information, was only partially implemented in Apple’s App Store. A Google researcher has documented a variety of attacks that could take advantage of App Store transactions not protected by HTTPS, including password stealing, app swapping, fake app upgrades, app upgrade/installation prevention and installed app list leaks. These App Store vulnerabilities and exploits have been possible since at least July 2012, when they were first reported. While Apple has since patched the issue, the lack of HTTPS usage is largely unprecedented and the company’s delay in incorporating it is equally shocking.

While 46% of companies use mobile device management (MDM) today, and more than 80% expect to have deployed a solution by the end of 2014, issues such as these demonstrate that MDM alone is not enough to secure iOS or Android devices.

ETA Bottom Line:

Mobile operating systems continue to show security vulnerabilities and oversights that require manufacturer intervention to fix. To truly safeguard mobile devices and the infrastructure they use, companies should evaluate network-based MDM (NMDM) and app control solutions.