A new opportunity for attackers to gain access to smartphone apps from these networks has been discovered.
This week, mobile security experts demonstrated an example of the discovery that was recently made that allows a very simple attack to be made which exploits a code vulnerability in Apple iOS applications.
This vulnerability gives attackers the ability to persistently alter server URLs from which the data is loaded to the apps.
This means that the attacker will be able to change the URL from which the iOS application is loading its data, presenting a massive mobile security threat. This is particularly unpleasant as the victim will not know when it is happening nor that it has occurred. It means that the attacker could invisibly use the data to be able to load malicious links or to insert false news regarding market movements into a news application.
The makers of the applications were not notified of the mobile security threat ahead of the announcement to the public.
The mobile security threat was identified by Skycure and it has, in the past, already notified app makers of this type of threat’s existence. Typically, the developers are provided with this knowledge ahead of the public announcement. However, in this circumstance, they stated that it was not possible for them to wait to notify developers before making this information public. They felt that because the vulnerability was present in hundreds of different apps – including stock management applications – it was important for people to be notified as soon as possible, without waiting to tell the app makers, first.
Skycure, a mobile security expert firm, declined to provide the names of the specific apps that were tested positive for the threat. The reason was that they didn’t want to provide this information to potential attackers who could exploit this knowledge before a solution to the issue could be found. The company’s chief technology officer, Yair Amit, said that “The vulnerability affects so many apps that it’s virtually impossible to alert app makers.” The researchers from the company also assembled a short video to demonstrate how an app could be manipulated by an attacker.