Apple Turns on App Store Encryption to Address Security Flaw


Apple has fixed a flaw in its App Store application by turning on encryption to protect its users from privacy and security attacks over public Wi-Fi networks (via CNET).

The flaw was reported last July by Elie Bursztein, who works at Google as a security researcher. The timing of his blog post reporting the Apple fix is interesting, though: it comes just a day after Apple’s head of worldwide marketing, Phil Schiller, tweeted “be safe out there,” and pointed to the F-Secure report that highlights the rise in malware for Android. In this context, Bursztein’s post can be taken as a public response to Schiller’s tweet.

Apple fixed the security flaw in a January update, saying that “active content is now served over HTTPS by default” and thanked Bursztein, Bernhard Brehm of Recurity Labs, and Rahul Iyer of Bejoi LLC for reporting this issue.

The security flaw arose because Apple opted not to use encryption when the iOS user connects to the App Store using their iOS device. Bursztein’s blog post highlights that the flaw made iOS users vulnerable to privacy and security attacks, and he even made the effort to demonstrate each one of them.

Bursztein’s blog post highlights the risk of public networks, including airport and coffee-shop networks, as hackers only have to be on the same network with their victims to launch an attack.

And the lack of encryption Bursztein highlights has made iOS users vulnerable to App Store password theft, app swapping, fake app upgrades, prevention of application installation, and privacy leaks.

By publicizing this flaw, Bursztein highlighted the necessity for encrypted connections and their importance for mobile apps as well.


  • Adele

    Thanks for posting the video – its one thing to know that its possible for someone to access your data on a “free” internet cafe site, but another to see it in action. Time to get that VPN…

  • Tired8281

    What are the odds of someone going to a coffee shop, with someone there who knows enough to set up an exploit for this kind of flaw, who has the time to sit and wait for someone to connect that they can exploit? I understand that it’s a theoretical danger, but it doesn’t seem that likely to happen super-often in the wild.