According to Google Play, version 2.0 of Apple Music for Android has between 10 and 50 million installs.
The flaw, CVE-2017-2387, was discovered by David Coomber of Info-Sec.CA in August 2016. The vulnerability affected Apple Music 1.2.1 and earlier versions of the Android app.
“The Apple Music Android application (version 1.2.1 and below), does not validate the SSL certificates it receives when connecting to the mobile application login and payment servers.” reads the security advisory published by Coomber.
“An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently. Sensitive information could be captured by an attacker without the user’s knowledge.”
According to the expert, the app did not validate the SSL certificates presented when connecting to the login and payment servers. An attacker could therefore present a forged SSL certificate that the application would accept without raising any alert.
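The defect class the advisory describes, as an added illustration that is not the Apple Music app's own code and not part of the original article: on Android, the usual way an app ends up "accepting any certificate silently" is a custom `X509TrustManager` whose `checkServerTrusted()` body is empty (often paired with a `HostnameVerifier` that always returns true). The example below shows that pattern as the thing a code reviewer greps for, the hardened form that validates against the platform trust store and fails closed on a forged chain, and a small guard (`isPlatformTrustManager`, an assumed helper name) that refuses non-platform trust managers. The URL in `main` is a placeholder for the login/payment endpoint, which the page does not name.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsValidationReview {

    /**
     * VULNERABLE PATTERN (what to look for in code review): a TrustManager
     * whose checkServerTrusted() does nothing accepts any certificate from
     * anyone, for any host. Shown only so the defect class is recognisable;
     * this is an illustration, not the Apple Music app's own code.
     */
    static final class AcceptAnythingTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Trust managers backed by the device's CA store (null KeyStore = platform default). */
    static TrustManager[] platformTrustManagers() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    /** HARDENED: an SSLContext that validates the server chain against platform roots. */
    static SSLContext verifyingContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, platformTrustManagers(), null);
        return ctx;
    }

    /**
     * Guard to run before wiring a TrustManager into a connection: accept only
     * the platform's own X509TrustManager implementation. Assumption: the app
     * needs no custom CA, so any other implementation is a review finding.
     */
    static boolean isPlatformTrustManager(TrustManager tm) throws GeneralSecurityException {
        for (TrustManager platform : platformTrustManagers()) {
            if (platform.getClass().equals(tm.getClass())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Opens an HTTPS connection that fails closed: a chain not rooted in the
     * platform store raises SSLHandshakeException, and the default hostname
     * verifier rejects a valid certificate issued for a different name.
     * Do NOT install a permissive HostnameVerifier here.
     */
    static String peerSubject(String httpsUrl) throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setSSLSocketFactory(verifyingContext().getSocketFactory());
        conn.connect();
        try {
            return conn.getPeerPrincipal().getName();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // The guard flags the trust-all manager and passes the platform one.
        System.out.println("trust-all manager passes guard? "
            + isPlatformTrustManager(new AcceptAnythingTrustManager()));   // false
        System.out.println("platform manager passes guard? "
            + isPlatformTrustManager(platformTrustManagers()[0]));         // true

        // Placeholder endpoint; the real login/payment hosts are not on the page.
        String url = args.length > 0 ? args[0] : "https://example.invalid/";
        try {
            System.out.println("peer subject: " + peerSubject(url));
        } catch (SSLHandshakeException e) {
            // This is the alert the vulnerable app never raised.
            System.out.println("handshake rejected: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("connection failed: " + e.getMessage());
        }
    }
}
```

Two review notes follow from this. First, on Android 7.0 and later the same policy is better expressed declaratively in the app's Network Security Config (`res/xml/network_security_config.xml`), which can pin the login and payment hosts to specific public keys and cannot be silently undone by a stray TrustManager elsewhere in the code base. Second, the guard above is a build-time or unit-test check, not a runtime control: its value is in making a trust-all manager fail CI before the app ships, which is the point at which a flaw of this kind is cheapest to catch.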
Unfortunately, this kind of issue is quite common in mobile applications and represents a serious threat to user privacy.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".