Blocking a specific app in Apple's App Store

Thursday, October 24, 2013 at 9:55 AM
I received a question in reference to yesterday's blog post about rate-limiting Apple's App Store.  This individual was interested in blocking a specific application within the App Store, specifically OS X Mavericks.  (They hadn't finished testing their enterprise applications with Mavericks.)

Yes, it is possible to block a specific application within the Apple App Store.  Based on what I found, there are a few considerations & multiple ways to do this:

The Apple App Store application itself is a mix of unencrypted traffic running over TCP/80, along with SSL over TCP/443.  Luckily for us, the App Store transports the actual file over TCP/80, which makes it easy to detect and block!

The Apple App Store application calls the following URL when you click on the Download link for OS X Mavericks:

a545.phobos.apple.com/us/r1000/049/Purple4/v4/83/ab/68/83ab6813-eddc-e4c5-70a5-bc1ef921030b/mzps3704126155036248224.pkg

From here, it's a simple matter of disrupting traffic that matches that URL.

I found the URL by doing a quick search in my URL Filtering logs:



Now that we know the specific package name of this download, we can create a custom vulnerability (IPS) signature that matches this string.  I'm sure that Apple has hundreds or thousands of servers/IP addresses out there, so matching on the hostname and/or URI path isn't recommended.  The best way to control this will be to focus on the package filename itself.

My vulnerability signature is very simplistic.  It performs a pattern match for "mzps3704126155036248224\.pkg" in the http-req-uri-path context.  (We have to escape the period "." in the filename because an unescaped period is a regex wildcard that matches any single character, which would make the pattern match more than the intended filename.)

You can download the custom signature in Palo Alto Networks IPS format here: vulnerability_41022-osx-mavericks-dl-2.xml

Import that signature under Objects / Custom Objects / Vulnerability (assuming you don't have a signature # 41022...  if you do, change the entry name in the XML file before importing).  This signature is configured with Severity=Informational and Default Action=Alert.

Import this into your firewall and test.  It should fire off an alert each time you download OS X Mavericks.  Once you've had a chance to test it, you can change the action of that signature to Reset-Both and re-test.


And here's the user experience when a user clicks "Download" in the App Store:


This seems pretty straightforward, and I'm guessing you can do this in a URL filter, secure web gateway, IPS system, etc.

3/9/2014 - added a 2nd pattern to the XML for the 10.9.2 package filename:  mzps4135638417199433253.pkg
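To show what the signature actually does to a request, here is the same matching logic written in Python as an added example.  It is not the blog's code and not the firewall's implementation; it reproduces the http-req-uri-path behaviour described above (match only on the URI path, never on the hostname), covers both package filenames from the post, and demonstrates why the period has to be escaped.  The request lines fed to it are constructed for the example; the first one uses the URI path quoted in the post, and the "aaa" path segment in the second is made up.

```python
"""Added example (not the blog's own code): the detection logic of the
custom vulnerability signature, reproduced in Python so it can be run
against constructed HTTP request lines offline.

The pattern is applied to the request URI path only (the equivalent of
the http-req-uri-path context on the firewall), not to the hostname,
because the host varies across Apple's many download servers."""
import re
from urllib.parse import urlsplit

# Package filenames from the post: the original Mavericks download and
# the 10.9.2 package added on 3/9/2014.
BLOCKED_PACKAGES = {
    "mzps3704126155036248224.pkg": "OS X Mavericks 10.9",
    "mzps4135638417199433253.pkg": "OS X Mavericks 10.9.2",
}


def build_signature(filenames):
    """Compile one regex that matches any of the filenames as the last
    path segment. re.escape() turns '.' into '\\.' so the period is a
    literal, exactly as the post escapes it by hand."""
    alternatives = "|".join(re.escape(f) for f in filenames)
    return re.compile(r"/(" + alternatives + r")$")


SIGNATURE = build_signature(BLOCKED_PACKAGES)


def uri_path_from_request_line(request_line):
    """Extract the path from an HTTP request line such as
    'GET /us/r1000/.../file.pkg HTTP/1.1'. Absolute-form targets
    ('GET http://host/path HTTP/1.1') are reduced to their path too."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    target = parts[1]
    if target.startswith("/"):
        return target
    return urlsplit(target).path


def inspect_request(request_line):
    """Return the description of the matched package, or None."""
    path = uri_path_from_request_line(request_line)
    if path is None:
        return None
    m = SIGNATURE.search(path)
    if m is None:
        return None
    return BLOCKED_PACKAGES[m.group(1)]


def unescaped_period_matches(candidate):
    """The caveat from the post: with an unescaped '.' the period is a
    wildcard, so the pattern also matches names that differ at that
    position. Returns True when the sloppy pattern matches."""
    sloppy = re.compile(r"mzps3704126155036248224.pkg")
    return sloppy.search(candidate) is not None


# Constructed sample request lines. The first uses the URI path quoted
# in the post; the "aaa" segment in the second is made up.
SAMPLE_REQUESTS = [
    "GET /us/r1000/049/Purple4/v4/83/ab/68/83ab6813-eddc-e4c5-70a5-bc1ef921030b/mzps3704126155036248224.pkg HTTP/1.1",
    "GET http://a545.phobos.apple.com/us/r1000/aaa/mzps4135638417199433253.pkg HTTP/1.1",
    "GET /us/r1000/049/Purple4/v4/some-other-app.pkg HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict = inspect_request(line) or "no match"
        print(f"{verdict:22s} <- {line[:70]}")
    print("unescaped '.' also matches a lookalike:",
          unescaped_period_matches("mzps3704126155036248224xpkg"))
```

Running it prints a verdict per sample request: the two Mavericks package requests are flagged and the unrelated .pkg is not, while the last line shows that the unescaped pattern would have matched a filename with an "x" in place of the period, which the escaped signature correctly rejects.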
