Apple Knowingly Left iOS Users' Data Insecure - The UpStream

Apple Knowingly Left iOS Users' Data Insecure

posted Saturday Mar 9, 2013 by Scott Ertz

This is not the first time Apple has knowingly left its users unprotected, but this is certainly the most ridiculous I have ever encountered. If you know anything about the Internet, you know about HTTPS. It is the color-changed address bar at the top of your browser when you sign in to your bank account or email account. It is the technology that encrypts data between two computers, and it is used anywhere secure data, like credit card details, is involved.

Well, almost everywhere. Apple had, apparently, decided when developing the App Store that protecting your data wasn't all that important. Subsequently, they developed the entire App Store to run on standard, non-encrypted protocols. This, of course, leaves every transaction open to be discovered, especially if you are connected to an open or public WiFi network.

For example, say you are at a park and your phone automatically connects to a WiFi connection it discovers around you. That WiFi could be set up by a hacker hoping you will do something stupid like enter a password or transfer data that connects to your banking information. Then, someone tells you about a new app you have to have, so you go download it. What could go wrong, right? Well, you have just given your information to that hacker, allowing them to potentially connect to your Apple account OR transfer infected files to your phone. They could even prompt for a fake upgrade, passing bad data to your phone. Good call, Apple.

The problem was discovered by a Google employee, of all possibilities. Elie Bursztein, a researcher for Google, discovered the flaw in his spare time and informed Apple of the issue more than 6 months ago. Believe it or not, it took them until this week to fix it. For those interested in knowing the process for fixing it, it is as simple as enabling SSL on the server and enabling a redirect for non-SSL connections. If you are new at it, it might take an hour; if you are an expert it probably takes 5 minutes. It took Apple 8 months.
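
The fix described above (TLS on the server plus a redirect for plaintext requests) can be checked from the client side. The following is an added example, not code from the original post or from Apple: a Python audit of a recorded redirect chain, using constructed sample hops and placeholder hosts. Its Strict-Transport-Security check goes beyond what the post mentions and is included because a redirect alone still leaves the first plaintext request exposed on an open WiFi network.

```python
from urllib.parse import urlsplit

# Constructed samples: each hop is (requested URL, status code, response headers).
# The hosts are placeholders, not Apple's real endpoints.
GOOD_CHAIN = [
    ("http://store.example.com/app/123", 301,
     {"Location": "https://store.example.com/app/123"}),
    ("https://store.example.com/app/123", 200,
     {"Strict-Transport-Security": "max-age=31536000"}),
]
BAD_CHAIN = [  # a redirect exists, but it bounces through a second plaintext hop
    ("http://store.example.com/app/123", 302,
     {"Location": "http://cdn.example.net/app/123"}),
    ("http://cdn.example.net/app/123", 302,
     {"Location": "https://store.example.com/app/123"}),
    ("https://store.example.com/app/123", 200, {}),
]

def has_hsts(headers):
    """True if a (lower-cased) header dict carries HSTS with a positive max-age."""
    for part in headers.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"')) > 0
    return False

def audit_redirect_chain(chain):
    """Return a list of findings for one recorded HTTP -> HTTPS redirect chain."""
    if not chain:
        return ["empty chain"]
    findings = []
    # Header names are case-insensitive, so normalise them before lookup.
    hops = [(urlsplit(u), s, {k.lower(): v for k, v in h.items()}) for u, s, h in chain]
    for i, (url, status, headers) in enumerate(hops):
        if url.scheme != "http":
            continue
        if i > 0:  # only the very first request may legitimately be plaintext
            findings.append(f"hop {i} is fetched over plaintext: {url.geturl()}")
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https" or target.hostname != url.hostname:
            findings.append(f"hop {i} does not redirect to https on the same host")
        elif status not in (301, 308):
            findings.append(f"hop {i} upgrades with {status}, not a permanent redirect")
    final_url, _, final_headers = hops[-1]
    if final_url.scheme != "https":
        findings.append("chain never reaches https")
    elif not has_hsts(final_headers):
        findings.append("final https response has no usable Strict-Transport-Security")
    return findings
```
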

That is a disgrace no matter how you look at it. To me, it shows a complete lack of respect for the customers from Apple. Do you agree that this should have been a top priority at Apple or does it make sense that Apple took 8 months to solve the problem? Let us know in the comments below.

