Security researchers have found a flaw in the Apple iOS apps, which could allow hackers to force apps to transfer data from the hackers’ own servers rather than the legitimate ones.
Skycure researchers estimated that at least 10,000 iOS apps in the App Store are vulnerable to the hacking.
Skycure CTO and co-founder Yair Amit said that almost all mobile applications communicate with a server to send or get back data.
"While the problem is generic and can occur in any application that interacts with a server, the implications of HRH for news and stock-exchange apps are particularly interesting," Amit said.
"It is commonplace for people to read the news through their smartphones and tablets, and trust what they read.
"If a victim’s app is successfully attacked, s/he is no longer reading the news from a genuine news provider, but instead phony news supplied by the attacker’s server. Upon testing a variety of high profile apps, we found many of them vulnerable."
According to the firm, the issue spins around the blow of HTTP redirections caching in mobile applications.
The process starts when the susceptible app sends a request to its selected server, then the hacker captures it and returns a 301 HTTP redirection to a server controlled by attacker.
"Many iOS applications cache HTTP status code 301 when received over the network as a response," Amit said.
"While the 301 Moved Permanently HTTP response has valuable uses, it also has severe security ramifications on mobile apps, as it could allow a malicious attacker to persistently alter and remotely control the way the application functions, without any reasonable way for the victim to know about it."
