We are at a time when internet users rest a little easier knowing that the HTTPS protocol has almost taken over the web. iTunes, however, doesn’t seem to be on board with this security development. According to researchers from the privacy products firm Disconnect, iTunes and the App Store still serve downloads and upgrades over unencrypted connections. Read on for the full story.
Unencrypted iTunes Downloads – The Full Story
With the internet moving towards almost total adoption of HTTPS encryption, internet users feel safer than ever online. However, not all web portals have opted to use the Transport Layer Security (TLS) that HTTPS provides. For example, privacy firm Disconnect tested the data encryption that iTunes and Apple’s App Store use for their downloads. To their surprise, they found unencrypted downloads on both Apple platforms.
According to Disconnect, an app, update, movie, TV show, or song downloaded from iTunes or the App Store is transferred over HTTP without TLS. In theory, this makes it easier for an ISP or a third party to see what you’re downloading. Disconnect also reported that all unencrypted iTunes downloads, and App Store downloads too, include something called a Destination Signaling Identifier (DSID).
A Destination Signaling Identifier is a unique device ID generated by iCloud. The DSID does change periodically. However, it may still pose a security risk, especially since attackers can use these IDs to track someone’s habits or the apps they use.
Patrick Jackson, Disconnect CTO and former NSA researcher, points to the wealth of data users offer up on a regular basis. He states that “there’s so much you can learn about someone based on when they’re downloading an app, what media they’re into. With these habits, they’ve already given up a lot about who they are.”
After unearthing this lack of encrypted downloads, Disconnect researchers submitted a bug report to Apple regarding the situation. However, Apple responded by stating that this isn’t a bug, but a purposeful choice made by the Apple team.
Why HTTP Might Not Be So Bad for Apple
Apple’s response to Disconnect did shed light on the tech giant’s approach to downloads and updates. Apple made it clear that while the downloads themselves are not encrypted, other aspects of the interaction are. This includes the metadata transfer of all downloads. Apple also uses cryptography to confirm both the integrity and the validity of all downloaded files.
iOS researcher Will Strafach also commented on Apple’s unencrypted iTunes downloads. However, he noted that Apple may have a valid reason for not encrypting its downloads.
“It seems non-standard and odd at first, but I don’t think there is a security threat here since integrity checks still occur,” said Strafach. He also noted that, while unencrypted data may have potential downsides, TLS encryption won’t always stop a potential attack. Strafach suggested that unencrypted downloads can benefit from a cached approach to large downloads. In other words, Apple’s download process may simply be a way to maintain fast downloads without eating up users’ bandwidth.
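The trade-off described above, as an added example that is not Apple's code or format: a digest delivered over an authenticated channel lets the client reject a tampered cleartext download, yet a passive observer still reads the request. The manifest layout, the `example.test` URL, the `dsid` query parameter name and the use of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: not Apple's real hosts, formats or parameter names.
PAYLOAD = b"constructed app package bytes" * 64
MANIFEST = {  # assumed to arrive over TLS, so an on-path party cannot alter it
    "url": "http://downloads.example.test/apps/sample.ipa?dsid=1234567890",
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
    "size": len(PAYLOAD),
}


def verify_download(manifest, body):
    """Accept the cleartext body only if it matches the authenticated manifest."""
    if len(body) != manifest["size"]:
        return False
    digest = hashlib.sha256(body).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(digest, manifest["sha256"])


def observer_view(manifest):
    """Fields a passive on-path party can read from the download request."""
    parts = urlsplit(manifest["url"])
    if parts.scheme != "http":
        # Under TLS the path and query are encrypted; the hostname is
        # typically still visible (DNS lookup, TLS server name).
        return {"host": parts.hostname}
    query = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "path": parts.path,  # reveals which item is being fetched
        "dsid": query.get("dsid", [None])[0],  # identifier that enables tracking
    }


if __name__ == "__main__":
    tampered = PAYLOAD[:-1] + b"X"  # same length, one byte changed in transit
    print("genuine accepted: ", verify_download(MANIFEST, PAYLOAD))
    print("tampered accepted:", verify_download(MANIFEST, tampered))
    print("observer sees:    ", observer_view(MANIFEST))
```

The integrity check catches the modified payload, which matches Strafach's point, while the observer output shows the privacy exposure Disconnect raised: the item path and the identifier are readable regardless of that check.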
Unencrypted iTunes Downloads – Final Thoughts
Despite Apple’s grasp on its download process, users should be given a choice when using non-encrypted connections. While the expanded use of HTTPS has made the internet a lot safer to use, not all platforms have made the shift. The truth is that these platforms may opt never to do so, and it should be common practice to offer users the choice to continue using these services or not.