Flaw in Apple Music for Android Was Exposing User Data – If Android Didn’t Have Enough Troubles of Its Own…

Author Photo
Apr 7, 2017
20Shares
Submit

Apple released a security bulletin earlier this week that focuses on Apple Music for Android. The app, available for Android since 2015, was apparently open to man in the middle (MitM) attacks, exposing user data to an attacker in a privileged network position.

Apple Music for Android exposed sensitive user data to attackers

Along with bringing a new design, Apple Music for Android version 2.0 also fixes this security issue. Apple has addressed a certificate validation issue that could be exploited to intercept potentially sensitive user data. The updated version of Apple Music for Android is now available. Tracked as CVE-2017-2387, the vulnerability was reported to Apple by security researcher David Coomber of Info-Sec.Ca.

windows-10-security-2RelatedGoogle Discloses Critical WiFi Bug That Allows Attackers to Hijack Apple’s iPhone 7

Coomber said he had reported the issue to Apple back in August 2016 and has only been resolved now. He added that he had asked Apple for a status update in January earlier this year and Apple responded that it was still working on addressing the security vulnerability.

The researcher discovered the flaw in Apple Music 1.2.1 and earlier versions of the Android app. Apple’s security bulletin – first ever for Apple Music – says the following of this now-addressed security hole.

Apple Music 2.0 for Android

Available for: Android version 4.3 and later

dirty-cow-androidRelatedDecade-Old “Dirty COW” Security Bug Makes a Comeback to Bite Android Users

Impact: An attacker in a privileged network position may be able to leak sensitive user information

Description: A certificate validation issue existed in Apple Music for Android. This issue was addressed through improved certificate validation.

CVE-2017-2387: David Coomber of Info-Sec.CA

The researcher said the app did not validate the SSL certificates it received when connecting to the mobile application login and payment servers. “An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently,” Coomber explained. “Sensitive information could be captured by an attacker without the user’s knowledge.”

As we reported earlier in the week, Apple gave a design makeover to Apple Music for Android making it similar to the app’s iOS 10 interface. The app also brings new features, including lyrics and enhanced library. Jumping from version 1.2.1 to 2.0, Apple Music for Android is now available through Play Store.

Submit