Shein is chic. The iphone shopping app, specializing in women's fashion, is auchüberwiegend well rated and is one of most popular context German App store. But shopping through app is not entirely riskless. Thomas Jansen, a Hamburg-based IT security specialist, discovered a vulnerability that allows attackers to intercept dieLog-in data from users.
To be more precise: he has found se and quite similar gaps in more than half der200 in Germany's most popular free iOS apps (stand: EndeSeptember). In 111, to be exact.
Jansen Istpromovierter computer scientist, has worked for eight years at Apple in USAgearbeitet and is today managing director of software engineering and information security SpezialisiertenFirma Crissy field. He shows as first, but on basis of many recent examples, that even unofficial app stores are by no means only harmless Anwendungenangeboten. And that Apple's mandatory check front release of an application is not a guarantee of security.
Exemplary ZeigtJansen at Shein, downloaded from App Store on October 26th, 2017. The following video shows that he can see on his laptop what user name and password are entered in app:
How "Shein" Users can be hackedThe basic problem in all affected apps same. Your developers do not dieÜbertragung sensitive data such as user name and password, or are insufficiently secured by an encrypted transmission. Wasauf websites now should be self-evident, inmobile applications is anything but normal case.
Shein is not even most example, after all, log-in data derNutzer be transmitted via an encrypted channel. Nurüberprüft The app does not know if encryption NötigeZertifikat is coming from correct server. The auntication Findetschlicht does not take place. Therefore, an attacker can beliebigesZertifikat app with a cheering, decrypting transferred data undspäter itself with it. Or try to sign in with DenZugangsdaten in or popular services – people will use your passwords several times.
Susceptible to man-in--middle attacksUsers of Sheinoder or affected apps, however, are not without Weitereshackbar. Each attack would be targeted and associated with a certain amount of effort. A perpetrator must communicate between app and IhremAnbieter, or its server, at least Beobachtenkönnen. Or, as in video above, he has to make a part of network and redirect DenDatenverkehr over his own device. The simplest yes if it is connected to same WLAN as iphone OderiPad, for example in a café. For both variants Diesessogenannten man-in--middle attack re are free and cheap hardware. But even employers who control ir corporate network would be technically able to carry out such monitoring actions. As well as Internet service providers, who may be forced to do so, depending on legal situation of prosecutors.
Apple actually wanted to prevent genaudiese scenarios when it announced 2016 on SeinerEntwicklerkonferenz that apps must use HTTPS for transfer vonNutzerdaten from end of year. ATS calls Apple already 2015eingeführte feature – app transport security. Cleanly implemented, it would make attacks like that of Jansen Demonstriertenunmöglich. Users should be able to trust it with ATS, Apple writes in its official developer documentation, and apps do not inadvertently betray m when sending data.
However, in December of last year, company published a cancelling developer, in which it granted a reprieve for Implementierungvon ATS: "To give you more time to prepare, we have extended deadline and we will update ourselves with an Report as soon as re is a new one. " This has not happened until today, almost a year later.
Date Of Update: 02 November 2017, 12:03
