> They allow advertisers to run JS on your device, and ads are a trendy way to deliver malware.
I wonder if the ad industry is on board with HTTPS yet? In 2013 when I was last looking at ads as an attack vector, none did, and many executed JS, or gave privileged access to system APIs on device via JS, which meant that it was fairly trivial to intercept ad delivery, return malicious JS, open a "reverse JS shell" and poke about the filesystem in the app, open new screens, etc., all remotely.
I reported this as a vulnerability in several apps, telling them that HTTPS was an important aspect of preventing this, and was told that ad networks were against HTTPS and therefore they had to find alternative mitigations.
iOS/MacOS block HTTP requests by default unless you request (and for apps on the App Store, are granted) an exception. So, I'd think that in-app advertisers on iOS would want to support HTTPS.