Security Vulnerabilities in 3rd-Party ios Applications

Transcription

1 Security Vulnerabilities in 3rd-Party ios Applications Wentworth Institute of Technology Boston, MA Sonny Fazio Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 1

2 Table of Contents: Researcher s Note Scope of This Document Tools Used Vulnerabilities Vulnerabilities in Data Storage Vulnerabilities in Data Transport Vulnerabilities in Modified Systems (Jailbreaking) Conclusion Research Data References Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 2

3 Researcher s Note I want to give this document context, as I believe we need to give things a time and place for them to be meaningful. I am not a security researcher. I am a Software Engineer whose years of development experience and frequent mistakes has helped me in finding common practices by which vulnerabilities can be exploited. Scope of This Document This document discusses the security implications of installing 3rdparty ios applications, both from Apple s App Store and from other potential sources. Smartphone users place an enormous amount of trust in applications, which become gatekeepers to our personal lives. They chat, tweet, game, share, bank, read, write, and much more using mobile applications. A user might be fearful of using a shady ATM, but would be happy to store their credit card information in a free app. This document brings forward several common practices that lead to exploits and compromise user data. Tools Used Charles Proxy Class-dump-z Clutch Cocoa Packet Analyzer Cycript Cydia Hex Fiend Jailbroken ios Device w/ssh installed Transmit (SFTP) Xcode Vulnerabilities The research conducted focused on two main sources of vulnerabilities. The first type of vulnerability is a developer created one, a bug that allows an attacker to expose user data. This could as simple as an application storing the passcode to the encrypted user s data in a location that an attacker would have access to view. During the research, several applications were found doing this exact thing. Despite marketing material claiming to be the most secure service, a bug like this could easily allow an attacker to obtain the user s sensitive information. Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 3

4 The second vulnerability type involves the end-user modifying their operating system, such as jailbreaking it. When a user jailbreaks their device, they break many of the security features that Apple has developed to protect the user. Whereas any application available in the App Store is limited in access to the system, an application installed from a 3rd-party app store on a jailbroken device can do just about anything. During the research, several example applications were developed using similar tools that developers of jailbroken applications have access to. The developed applications were able to take advantage of several system resources. One application was able to modify the hosts file, which controls DNS lookups. It was able to redirect a query to google.com and connect the device to a different server. Another application used a technique known as method hooking to hook into instances of several popular open source classes for storing passwords. By hooking into these classes, any application using these open source classes would be vulnerable. This application was able to intercept the method calls to an open source class, record the credentials being stored, and then return the method back to the original class. To an average user, the application was successful in storing their password. However, the application that hooked into the method could have silently recored and sent the user s password up to a remote server. Vulnerabilities in Data Storage Proper data security is extremely important to users. They want to download applications with the confidence that they can trust it with their personal information. If a device is lost or stolen, users shouldn t have to worry that their private information could be accessed by someone else. Users should be wary of application that don t specifically state the type of encryption they offer. One of the biggest weaknesses found regarding data storage is the lack of encryption among many of the applications tested. Often companies would market their application as secure or password protected which conveys a sense of trustworthiness to the user. The average user would trust an application that is stated as secure and would assume that their information is protected. While these applications do protect against the average user (the most common defense is displaying a passcode/ password prompt before allowing access), it can easily be defeated by even a novice attacker. The data collected in the research showed a large number of password manager applications would store this information unencrypted and easily accessible in backups and with several filesystem browsers (available to both stock and jailbroken users). Some password Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 4

5 managers store the user s credit card numbers, social security number, and much more using no form of encryption. An attacker could easily extract the database and gain access to a user s entire identity. Any application dealing with this form of data should be at least using AES (Advanced Encryption Standard) to protect the user. An application displaying a simple passcode screen and providing no encryption shouldn't be able to call itself secure. Another common practice is using an SDK framework class NSUserDefaults for storing the user s password. The research discovered several instances where applications using either encrypted or unencrypted databases had used the class NSUserDefaults to store the user s password. A quick glance at Apple s documentation will show that Apple highly disapproves of using this class for sensitive information. Apple s documentation states that Apple s keychain, an encrypted system database, should be used for any type of sensitive password or token. Apple s keychain provides developers with several security benefits, including code-free AES256 encryption and limiting access to data stored to the application that stored it. Data stored using NSUserDefaults is available unencrypted and visible in device backups, and through several filesystem viewing utilities (available to both stock and jailbroken users). The last type of data security practice discovered involves the internal workings of an application. During the study, two applications were found that used AES encryption, which could be tricked into either decrypting the data or exposing the user s password. Both of these involves flaws in the internal structures of how they were built. The first application Photo Safe encrypted users photographs and required entry of a password to decrypt them and gain access. At first glance, the application seems secure; the data stored on the file system isn t recognized as image data. Using a software known as class-dump-z and a tool for decrypting the application binary, the internal structure (header files) of the application was viewable. By using the header files, a method was discovered to bypass this encryption. When the application launches, it presents the user with a password prompt, which is used to authenticate before displaying the information. Using a method discovered in the password prompt class, the password prompt can be bypassed and a user s private photos can be viewed. Another application, My Eyes Only, can be exploited in a similar method to reveal the user s password. My Eyes Only stores users credit card numbers and other sensitive information in AES encryption. However, by analyzing the decrypted binary using class-dump-z, a class is discovered that both holds the user s password, and provides a shared Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 5

6 instance that can be called at anytime. A tool called Cycript could be used to call upon this shared instance and view the user s password. Vulnerabilities in Data Transport Tools such as Firesheep, a software extension that sniffed unencrypted network traffic for common cookies and credentials, have changed the way many sites handle security. Companies such as Facebook and Google have expanded their security offerings by adding the option for using SSL while browsing their site, a process which encrypts the data being sent between their servers and your web browser. Facebook began offering an SSL mode 1, which will ensure that all data sent between Facebook s server and your computer will be encrypted. Google also began offering a similar feature to their search product, protecting the data sent between your computer and Google when you make a web search. A valid SSL certification insures trust in your users, allowing them to verify that the web site does in fact belong to the right business. During a time when SSL certificates are cheap and becoming more and more common among smaller web services, there are still many companies that do not offer these types of services. Several applications were found that send the users passwords unencrypted over the network. These credentials could be captured using a Packet Capture application such as Wireshark. The danger of not properly securing these credentials could be huge if a user reuses their password in multiple locations. A user on a social media site could be using the same password on their online banking account, allowing an attacker to gain access to multiple accounts based on data breached in one area. A user should avoid connecting to public WiFi networks when using applications that deal with transferring data unencrypted. Vulnerabilities in Modified Systems (Jailbreaking) When an end-user modifies the stock operating system to allow installation of non-signed software, they are removing one of the major security systems that keeps ios secure. The process known as Jailbreaking involves a software application taking advantage of several levels of exploits to enable unsigned software to run on the device. In a stock (unmodified) ios device, the system requires all software applications that attempt to run be signed from Apple, which requires the developer to be a registered ios Developer and have a code-signing 1 Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 6

7 certificate that is signed by Apple. By removing this feature, any type of software could be run on the device. This opens the end-user up to the possibility of malicious software being installed. Using available development tools for developing a tweak, a utility that modifies an existing feature of a software application, for jailbroken devices, malware software could be developed to target users who have jailbroken their device and download software through a package manager such as Cydia. Using method hooking, a software application could tap into an instance of a particular class and execute additional code. Method hooking is used by some developers to hook into Apple s private APIs and perform tasks that normally wouldn t be available in Apple s SDK. For example, an application that changed the incoming caller ID would have to hook into the method that handles the caller ID functionality, and change the data being sent to the class responsible for creating the on-screen caller ID. By applying this same principal, a malicious application could hook into another application s process and intercept method calls. Using a popular open source class such as SSKeychain, a malicious application could hook into the method passwordforservice:account: and record passwords from any applications using this class. During the testing portion of the research, Square s credit card processing application was examined for exploits. Using the internal header files generated using class-dump-z, a method was discovered for accessing a credit card number as it was swiped. This same method of accessing information could be applied to almost any application. The end user has no way of knowing whether the information they submitted at a login screen is going to a trusted company, or if it is being sent elsewhere. When an end-user modifies their device and removes the security features set in place, they may be opening themselves up to these types of vulnerabilities. By downloading software from trusted sources and using existing security features on the device, these types of vulnerabilities can be avoided. Conclusion During the testing portion of the research, several applications were found that contained vulnerabilities ranging from minor issues, to major exploits. While these application were found, that doesn t mean that every application has a security problem. A majority of applications in Apple s App Store are secure; in fact, the applications found with vulnerabilities required weeks of searching and testing to find. Many of the vulnerabilities found were common issues that could be easily fixed. Developers dealing with Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 7

8 sensitive user information should strongly considering using either use Apple s Keychain API s or build their database around a strong encryption technology such as AES. As more awareness for security on a mobile device develop, easier solutions for securing data will also develop. Developers building web services should be using SSL if their service handles user credentials. As time progresses and technology advances, SSL certificates will become a standard for every business. Apple s App Store is a new marketplace for companies to transform ideas into sellable products: a marketplace which is constantly evolving. There are many companies that take security extremely seriously, and continue to lead the way in innovations. The intensions of publishing this research is to create a dialog about security between companies, to get people talking more about mobile security. Research Data During the research, several applications were found with some form of security vulnerability. The applications tested were all available for free on the App Store, and many were featured on the top charts for either free apps or in their specific category. Vulnerabilities found which might put a user data at higher risk have been reported and disclosed to the respective developers of the application. Based on the specific focus of the research, the exact number of applications tested is not available. Many applications that were tested weren t recorded because they didn t handle any form of user credentials or sensitive user data. Some applications were found using specific searches such as Password, Password Manager, Secure and several other keywords. Below is a collection of applications found with some form of security exploit: Developer: Zynga Exploit Type: Data Transport This exploit relates to the authentication of users in Zynga s With Friends platform. Using an application that forges the device s UUID number, an attacker could gain access to another account by knowing the account holder s UUID and address, even if the account holder enabled a password on their account. Words With Friends Hanging With Friends Scramble With Friends Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 8

9 Developer: My Eyes Only This exploit relates to the storage of user credentials and reliability of authentication systems. A malicious attacker could copy the encrypted data from backups to their own device with cycript installed. In Photo Safe, a malicious attacker could use cycript to invoke the method passwordgood, which will dismiss the authentication window and allow access to the protected data. In My Eyes Only, an attacker could use cycript to invoke the password manager singleton and gain access to the user s password. Photo Safe My Eyes Only - Secure Password Manager Developer: Sort It! Apps Exploit Type: Data Transport & Data Storage This exploit relates to the transportation and storage of user credentials. A malicious attacker could record network packet transmissions and collect the user credentials that are sent. The attacker could also discover the user credentials in a device backup, using a file system browser, or using an SFTP client (if the device is Jailbroken with SSH installed). Collectors Music Collectors Developer: Apps2Be This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and Dot Lock Protection Developer: Matsvei Tsimashenka This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user s passcode and other private Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 9

10 data from previous backups. Information stored unencrypted and Security Suite Developer: i-app Creation Co., Ltd. This exploit relates to the storage of user credentials. A malicious attacker could extract the user s passcode from previous backups and use it to access the media in the applications. Pic Lock Developer: chen kaiqian This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and Secret Folder Lite Developer: Needletrack This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and iphotovault Developer: LoveSoft This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 10

11 Encryption Album Encrypt Contacts Developer: HUANG YAOHAO This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and Safe Password free for iphone Developer: Team Union This exploit relates to the storage of user credentials. A malicious attacker could extract the user s passcode from previous backups and use it to access the media in the applications. Password Memory Developer: Zero Cool This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and Don't Touch My Pics FREE Developer: ibear LLC This exploit relates to the storage of the user s passcode and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 11

12 Checkbook HD Developer: Intersog This exploit relates to the storage of the user s passcode and application data. A malicious attacker could extract the user s passcode and other private data from previous backups. Information stored unencrypted and Secure Photo Storage with Dropbox Developer: Forum Runner Exploit Type: Data Transport This exploit relates to the transportation of user credentials using a nonencrypted network connection. A malicious attacker could record to network packet transmissions and collect the user credentials that are sent. Exploit Level: Moderate AVSForum Cathe Friedrich's Workout Forums Truckers Forum Developer: Comsome.Inc. Exploit Type: Data Transport This exploit relates to the transportation of user credentials using a nonencrypted network connection. A malicious attacker could record to network packet transmissions and collect the user credentials that are sent. Exploit Level: Moderate Keep Reader Developer: PayPal Exploit Type: Data Transport This exploit relates to the validation of the SSL certificate and the ability for it to be spoofed. A malicious attacker could install a self-signed root certificate and a self-created certificate authority certificate on the device and redirect network traffic to their own server. PayPal s application only validates that the certificate is valid, but not if the certificate is the PayPal Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 12

13 official SSL certificate. A rogue system could be set up to record user credentials. Exploit Level: Minor PayPal Here Developer: GeekUtils Exploit Type: Data Transport This exploit relates to the ability for in-app data to be spoofed, tricking the user into installing either malicious applications or redirecting them to malicious web-services. This type of network communication could be easily spoofed to provide false information. A malicious application could modified the device s hosts file on a jailbroken device that would redirect traffic to a different server. This would allow them to disable ads and spoof the developer s information. Exploit Level: Minor Internet Killed TV (CTFxC) PhillyD Official We The Kings Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 13

14 References "Security Overview: About Software Security." Mac OS X Developer Library. Apple. Web. "Secure Coding Guide." Mac OS X Developer Library. Apple. Web. "Document Transfer Strategies." Mac OS X Developer Library. Apple. Web. "Keychain Services Programming Guide." Mac OS X Developer Library. Apple. Web. Lee, Graham J. Professional Cocoa Application Security. Indianapolis, IN: Wiley, Print. Zdziarski, Jonathan. Hacking and Securing IOS Applications. Beijing, China: O'Reilly, Print. Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party ios Applications 14