A security researcher at Google, of all people, urged Apple last summer to implement HTTPS encryption on its iOS App Store after he stumbled on a number of alarming vulnerabilities.
The Googler, Elie Bursztein, had cause for celebration on Friday, when Apple finally heeded his warnings and enabled HTTPS - 6 months later.
Bursztein released his findings this week, and iOS users should breathe a collective sigh of relief that the gaping security holes he describes were never widely exploited.
According to his research, the only thing a hacker needed to do to exploit the vulnerability was be on the same Wi-Fi network as a person logged into the App Store. The hacker could then send commands directly to the iPhone, causing it, for example, to prompt the user for their Apple ID password. They would enter it, believing the prompt to be legitimate, and the information would get sent back directly to the hacker.
Aside from obtaining your login information, the exploit could also be used to trick an iPhone into downloading different apps than the owner intended. Paid apps could be substituted for free ones and the user wouldn't know it until they got their bill. A hacker could have also prevented an app from being installed altogether, or even from being upgraded.
Alternatively, a hacker could create a malicious app and cause the user's iPhone to believe it is a legitimate upgrade to some other program. The exploit also could be used to obtain a full list of apps installed on an iOS device.
Apple has remained characteristically mum so far, and Bursztein didn't offer an explanation for why the Cupertino developer chose now to patch the vulnerabilities instead of, say, half a year ago.
Fortunately, the security hole, which - make no mistake - could have been epic, was closed before any serious damage was done. And for that we should all thank our lucky stars for the white hat guardian angels looking over our secure data.