Attacks on ios with Approved Third-Party Applications. Jianying Zhou Institute for Infocomm Research Singapore

Transcription

1 Attacks on ios with Approved Third-Party Applications Jianying Zhou Institute for Infocomm Research Singapore 9 th ETSI Security Workshop, Sophia Antipolis, France, January 15, 2014

2 Mobile platforms become pervasive Smartphones: Tablets: iphone Android BlackBerry ipad Google Tablet MS Surface

3 Two most popular platforms ios From 2007, 400 million sold Android From 2008, 750 million activated Google Tablet

4 ios Security Effectiveness Though both app vetting and ios sandbox mechanisms are black box: generally regarded as highly effective, no harmful malware on non-jailbroken devices has been reported on itunes App Store [1], only graywares, which stealthily collect sensitive user data, were found and then removed [2, 3]. No official documents for ios app permissions. [1] Safe and Savvy: How secure is your iphone. June [2] Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. the ACM workshop on Security and privacy in smartphones and mobile devices. ACM Workshop on Security and Privacy in Mobile Devices [3] TrendLabs: Malware for ios? Not Really (June 2012)

5 Access Sensitive Data on ios What can third-party apps get? Such apps should also pass Apple s vetting process We develop 10+ apps, which are able to collect: Carrier Info, AddressBook, Calendar events Photos, Location information Keyboard cache Last call number Google Map info, WiFi network history More seriously, background running app Keep collecting user info at background

6 Launch Serious Attacks on ios? Any vulnerabilities in the vetting / ios sandbox, which allow app to gain much more privileges? Non-jailbroken devices Apps must be downloaded from official App Store Two conditions for launching such attacks: Malicious apps need to pass Apple s vetting process Attack codes need to bypass ios sandbox

7 Generic Attack Vector Coding steps: Load the needed framework(s) dynamically Locate the needed classes dynamically Invoke needed private APIs dynamically Obfuscate all strings used in the code (framework name, class name, method name ) String obfuscation: char* s = abcdefghijklmnopqrstuvwxyz char* method_name = s[1] + s[0] + s[3] = bad

8 Generic Attack Vector (PIN Example) PIN-Cracking attack void *b = dlopen("/system/library/privateframeworks/ MobileKeyBag.framework/MobileKeyBag", 1); int (*f)(id, id, id) = dlsym(b, "MKBKeyBagChangeSystemSecret");... int r = f(oldpwd, newpwd, pubdict);... Utilizing C, instead of Objective-C: Use dlopen() to load the library binary Use dlsym() to locate the needed (private) C method, and convert it to a function pointer

9 Attacks Implemented We implement 7 attacks, which allow apps to: Crack and retrieve device PIN 40 secs, if the PIN is in birthday format (ddmm/mmdd) 18.2 mins to check the whole PIN space (10 4 ) Continuously taking screen snapshots at background Only works on ipad, very serious Block incoming calls Take photos/videos without user s awareness Post tweets without user s interactions Send SMS/ without user s interactions (ios 5)

10 We have developed 10+ apps

11 App Snapshots Most apps are games; two apps are utility apps.

12 Attack Mitigation Improving Application Vetting Process Utilizing Entitlements Dynamic Analysis Enhancement on ios Sandbox Dynamic Parameter Inspection Privileged IPC Verification Service Delegation Enhancement System Notifiers for Sensitive Functionalities

13 Results and Impacts All our apps embedded with the attack codes appeared on the official App Store all attacks work on non-jailbroken ios devices Reported to Apple s product security team & held conference call with Apple in Oct Most of the attacks have been fixed in ios 7 (released in Sep 2013). Demo: Snapshot-taking attack Available at YouTube (

14 In Media

15 Conclusion Original goal is to answer a simple (but not easy) research question Is there a generic attack vector which enables thirdparty apps to launch attacks on non-jailbroken ios devices? Constructed effective mechanisms which allow any third-party app to invoke private APIs without being detected by the vetting process. By utilizing such mechanisms and exploiting the vulnerabilities in the app sandbox, we implemented seven PoC attacks which can cause serious damages to ios users. Suggested mitigation mechanisms to enhance the current vetting process and ios sandbox. Most of the attacks have been fixed in ios 7 (Sep 2013).

16 Thank You! Jianying Zhou Web: icsd.i2r.a-star.edu.sg/staff/jianying/ References: Jin Han, Su-Mon Kywe, Qiang Yan, Feng Bao, Robert Deng, Debin Gao, Yingjiu Li, and Jianying Zhou. "Launching Generic Attacks on ios with Approved Third- Party Applications". (ACNS 13)