Public wi-fi networks are notoriously insecure, and now there’s this: Mobile security researchers have discovered a new way for attackers to access mobile phone apps from wi-fi networks.
On Tuesday, mobile security researchers will demonstrate a simple attack that exploits a vulnerability in the code within iOS apps. The vulnerability allows attackers to persistently alter the server URL from which a mobile app loads its data, so that instead of loading data from realserver.com, for instance, the attack makes the app load data from attacker.com, without the victim knowing. Attackers could use that data to load malicious links, or insert fake, market-moving news into a news app.
The researchers from Skycure, a mobile security company, said that in the past they had alerted the makers of vulnerable apps to a vulnerability before making it public. In this case, however, they said such responsible disclosure was all but impossible because the vulnerability was present in hundreds of apps they tested, ranging from stock management apps to news apps. […]
The same researchers uncovered a separate vulnerability last year in which LinkedIn was pulling members’ calendar entries on iPhones and iPads (including details about meeting locations, participants, dial-in information, passwords and sensitive meeting notes) back to its servers.
Read Skycure’s full posting to learn more.