undefined | Better HN

0 pointsdanpalmer7y ago0 comments

> They allow advertisers to run JS on your device, and ads are a trendy way to deliver malware.

I wonder if the ad industry is onboard with HTTPS yet? In 2013 when I was last looking at ads as an attack vector, none did, and many executed JS, or gave privileged access to system APIs on device via JS, which meant that it was fairly trivial to intercept ad delivery, return malicious JS, open a "reverse JS shell" and poke about the filesystem in the app, open new screens, etc, all remotely.

I reported this as a vulnerability in several apps, telling them that HTTPS was an important aspect of preventing this, and was told that ad networks were against HTTPS and therefore they had to find alternative mitigations.

0 comments

1 comments · 1 top-level

fiddlerwoaroof7y ago

iOS/MacOS block HTTP requests by default unless you request (and for apps on the App Store, are granted) an exception. So, I’d think that in-app advertisers on iOS would want to support HTTPS.

1 more reply

j / k navigate · click thread line to collapse