A large number of apps for iPhones and iPads are susceptible to hacks that cause them to surreptitiously send and receive data to and from malicious servers instead of the legitimate ones they were designed to connect to, security researchers said on Tuesday.

Researchers from Israel-based Skycure stumbled on the problem when they noticed their own app being redirected to the wrong address. The team soon discovered that they could make many other apps exhibit the same behavior. As a result, apps that display news, stock quotes, social media content, or even some online banking details can be manipulated into showing fraudulent information and into sending the end user's data to the attacker. Once an app has been hijacked, it keeps connecting to the attacker-controlled server until its cache is cleared, with no outward indication that it is doing so. The weakness, dubbed HTTP request hijacking (HRH), is estimated to affect at least 10,000 titles in Apple's App Store.

"Since Apple does not approve automatic download and scanning of iOS applications, we decided to do manual tests of a bunch of high-profile applications," Yair Amit, CTO and co-founder of Skycure, wrote in an e-mail. "Due to the fact [that] almost half of them were susceptible to HRH, we estimate that the number of vulnerable apps is very large, probably tens of thousands."

The hack abuses an ordinary HTTP response, the 301 Moved Permanently status code, which a web server returns when a URL has permanently changed. Browsers and apps typically cache the redirect so that later requests for the old address go straight to the new one without asking the original server again. The forwarding is easy to notice in a browser, since the new URL appears in the address bar. Most iOS apps display no such thing, so there is generally no way for users to know that their requests are being sent to an impostor server rather than the intended one.

To plant the redirect, an attacker must first get into a man-in-the-middle position, for example on an open Wi-Fi network. When the victim opens a vulnerable app, the attacker intercepts the plaintext HTTP request it sends and answers with a forged 301 response pointing at a server of the attacker's choosing. The app caches that redirect, so it keeps talking to the impostor server even after the iPhone or iPad moves to a trustworthy network. Skycure has a much more detailed explanation of the technique here.

Fortunately, apps that implement HTTPS correctly aren't susceptible to the hack, unless the victim is first socially engineered into installing a malicious configuration profile that makes the device trust the attacker's fraudulent certificates. Still, a large number of apps use HTTPS sparingly or not at all, and those remain susceptible to HRH. Apps for Google's Android and Microsoft's Windows Phone may also be vulnerable, but the Skycure researchers haven't performed enough testing to be sure.

Tuesday's blog post from Skycure provides several simple steps developers can follow to keep their apps from falling prey to request hijacking. The remediation involves subclassing NSURLCache so that 301 redirect responses are never stored, which confines any injected redirect to the single session in which it was received; moving all of an app's traffic to HTTPS closes the attack path entirely. End users who are concerned that one of their connections may have been hijacked should delete the app and reinstall it, which discards the cached redirect along with the rest of the app's stored data.