iOS 9 Security News fresh from WWDC: Get off http!
Apple’s WWDC Developer Conference has kicked off this week. This is not only the event where Apple announces new services like Apple Music, but also introduces new desktop and mobile operating system versions.
Frederic Jacobs has blogged about his initial impressions, and there is one thing that caught my eye:
You see, one of the ongoing threats to mobile applications are badly secured connections. This threat category comes in many flavours:
- Plain http connections:
- all data can be read in transport by any network it passes through
- the server you’re talking to may not be the one you want to talk to (IP spoofing, DNS attacks – google “Pineapple WiFi”)
- anyone can intercept the connection and inject data into your stream, attacking the server code (or the client)
- Badly implemented SSL connections
Implementing SSL is not trivial, and I’ve witnessed many insecure implementations. Here are some of the more common issues:
- #1 – not validating the SSL Server certificate. You may be talking encrypted, but not necessarily to the right server. This also makes man in the middle attacks (MITM) just as easy as on plain http connections.
- validating the certificate, but not handling the different errors (certificate expired, mismatched host name etc.). That would also allow you to be misdirected.
- you get a valid certificate, but it’s a rogue server. Yes, attackers buy valid certificates, too. The mitigation against this is called Certificate Pinning, which basically hard codes the expected server data (certificate, key) into your code for verification.
- accepting connections to a misconfigured server, i.e. a server with low grade security (vulnerable hash algorithms or small key sizes)
There are many more such issues. Apple is now taking a stand and effectively deprecating http connections, and giving your code a mechanism to do so in an automated way. This is a message that will be heard loud and clear in the market, and I wouldn’t be surprised to see them reject apps from the store that don’t implement this properly.
What is your experience with mobile applications? Were you aware of these issues? If you’re a developer, is this a change you welcome?
UPDATE: Gizmodo also has a detailed list of security changes from WWDC