According to the New York Times, a security vulnerability that affects hundreds of iOS apps has been identified by Skycure, a leading mobile security firm. An app that is successfully attacked can be tricked into contacting the wrong server when it accesses data. This is just another reason not to use unsecured public Wi-Fi without taking proper precautions.
Skycure described the essence of the issue on their blog:
“While the problem is generic and can occur in any application that interacts with a server, the implications of HRH for news and stock-exchange apps are particularly interesting. It is commonplace for people to read the news through their smartphones and tablets, and trust what they read. If a victim’s app is successfully attacked, she is no longer reading the news from a genuine news provider, but instead phoney news supplied by the attacker’s server. Upon testing a variety of high profile apps, we found many of them vulnerable.
This brings us to a philosophical question: When someone gets up in the morning and reads news via her iPhone, how sure can she be that the reports she reads are genuine and not fake ones planted by a hacker?”
It sounds like the problem continues on after the initial attack and will persist until a solution is found. At first I was surprised that this information was presented so publicly before a fix is in the works, but since the problem is widespread, it seems Skycure wanted to get the news to as many developers as possible. In the past they have reached out to individual developers before releasing the news. In this case, the risk of letting additional hackers know is less important than letting people know about the issue.
“The vulnerability affects so many apps that it’s virtually impossible to alert app makers,” said Yair Amit, Skycure’s chief technology officer.
Here is a video created by Skycure explaining the situation: