Apple Support iOS Application - Unencrypted Third Party Analytics (CVE-2017-7147)

Overview

"Need help? Apple Support app is your personalized guide to the best options from Apple. Find answers with articles tailored to your products and questions. Call, chat or email with an expert right away, or schedule a callback when itas convenient. Get a repair at an Apple Store or a nearby Apple Authorized Service Provider. Apple Support is here to help."

(https://itunes.apple.com/us/app/apple-support/id1130498044)

Issue

The Apple Support iOS application (version 1.1.1 and below) sends potentially sensitive information such as mobile carrier, install date and time, number of app launches, device model, iOS version and screen resolution, unencrypted to a third party site (Adobe Marketing Cloud).

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the iOS device without the user's knowledge.

Timeline

June 16, 2017 - Notified Apple via product-security@apple.com
June 16, 2017 - Apple sent an auto acknowledgment
June 16, 2017 - Apple responded stating that they are investigating
July 10, 2017 - Asked for a status update
July 10, 2017 - Apple responded stating that they are still investigating
August 21, 2017 - Asked for a status update
August 21, 2017 - Apple responded stating that they are still investigating
August 30, 2017 - Apple released version 1.2 which sends the analytics data over an encrypted connection
October 17, 2017 - Apple published a security advisory to document the issue

Solution

Upgrade to version 1.2 or later

https://support.apple.com/en-ca/HT208201
https://support.apple.com/en-us/HT201222

CVE-ID: CVE-2017-7147