The fact that Apple (NASDAQ:AAPL) took at least six months to plug what many see as a major security hole in its App Store both shocked and appalled developers, who took to social media to suggest consumers should expect more from the company.
A blog post from Google researcher Elie Bursztein set off a wave of online comments after he reported that Apple had decided to use HTTPS encryption in the App Store earlier this month. Without it, Bursztein said, anyone trying to purchase apps through the store using public Wi-Fi networks could easily have had a password or sensitive information stolen.
Though HTTPS is well known as a security mechanism across the IT industry, many developers seemed to assume that Apple was already using it to protect those downloading their apps.
iOS App Store using unencrypted connections, not leaking credentials; but open to MiTM attacks: arstechnica.com/security/2013/…
— Chris Herborth (@taffer) March 11, 2013
.@beryllium9 Those "hot spot login" pages are why I don't use public wifi (assuming they're not using WEP or nothing)… :-P
— Chris Herborth (@taffer) March 11, 2013
Wait wait wait wait wait. The App Store on iOS sent passwords over http plaintext?! arstechnica.com/security/2013/…
— Keith Bolland (@kb) March 9, 2013
wtf??? Apple wasn't using https for the appstore from the beginning? elie.im/blog/web/apple…
— SaraMG (@SaraMG) March 9, 2013
On the security site CyberCrimesUnit, blogger Paul Ducklin captured much of the popular sentiment by framing the issue around Apple's dominance in the app ecosystem and its role as gatekeeper to much of what's used on smartphones.
"Since there's no other place to shop when you're buying or selling iDevice software, and since Apple likes it that way, you might think that Cupertino would have set the bar a bit higher," wrote Ducklin. "You might also have expected Apple to react a bit more quickly after Dr. Bursztein's fairly detailed explanations of why the bar really needed to be higher."
Indeed, many developers and industry observers who were aware of the issue were less than impressed by Apple's decision to take action.
How does apple get away with this. It makes me worry at night on the potential damage that could happen one day arstechnica.com/security/2013/…)
— Mike Walker (@mikewalker74) March 10, 2013
Hey, nice. Apple finally updated its iOS app for the App Store so customers aren't open to HTTPS attacks. Finally. elpt.ms/cV
— Elephant Mouse (@elephantmouse) March 11, 2013
And unfortunately, though the App Store may be more secure, the company may have to work harder to rebuild relationships, both among consumers and iOS developers.
This explains the rampant stories of App Store fraud and theft. Trust no one, Scully. news.cnet.com/8301-13579_3-5…
— wurrgames (@wurrgames) March 8, 2013