Security Vulnerabilities in 3rd-Party iOS Applications




Security Vulnerabilities in 3rd-Party iOS Applications

Wentworth Institute of Technology, Boston, MA

Sonny Fazio

Sonny Fazio - Wentworth Institute of Technology - Security Vulnerabilities in 3rd-party iOS Applications 1

Table of Contents

Researcher's Note
Scope of This Document
Tools Used
Vulnerabilities
    Vulnerabilities in Data Storage
    Vulnerabilities in Data Transport
    Vulnerabilities in Modified Systems (Jailbreaking)
Conclusion
Research Data
References

Researcher's Note

I want to give this document context, as I believe we need to give things a time and place for them to be meaningful. I am not a security researcher. I am a Software Engineer whose years of development experience and frequent mistakes have helped me in finding common practices by which vulnerabilities can be exploited.

Scope of This Document

This document discusses the security implications of installing 3rd-party iOS applications, both from Apple's App Store and from other potential sources. Smartphone users place an enormous amount of trust in applications, which become gatekeepers to our personal lives. They chat, tweet, game, share, bank, read, write, and much more using mobile applications. A user might be fearful of using a shady ATM, but would be happy to store their credit card information in a free app. This document brings forward several common practices that lead to exploits and compromise user data.

Tools Used

Charles Proxy
class-dump-z
Clutch
Cocoa Packet Analyzer
Cycript
Cydia
Hex Fiend
Jailbroken iOS device with SSH installed
Transmit (SFTP)
Xcode

Vulnerabilities

The research conducted focused on two main sources of vulnerabilities. The first type of vulnerability is a developer-created one: a bug that allows an attacker to expose user data. This could be as simple as an application storing the passcode to the user's encrypted data in a location that an attacker would have access to view. During the research, several applications were found doing this exact thing. Despite marketing material claiming to be the most secure service, a bug like this could easily allow an attacker to obtain the user's sensitive information.

The second vulnerability type involves the end user modifying their operating system, such as by jailbreaking it. When a user jailbreaks their device, they break many of the security features that Apple has developed to protect the user. Whereas any application available in the App Store is limited in its access to the system, an application installed from a 3rd-party app store on a jailbroken device can do just about anything. During the research, several example applications were developed using the same kinds of tools that developers of jailbroken applications have access to. The developed applications were able to take advantage of several system resources. One application was able to modify the hosts file, which controls DNS lookups. It was able to redirect a query to google.com and connect the device to a different server. Another application used a technique known as method hooking to hook into instances of several popular open source classes for storing passwords. By hooking into these classes, any application using them would be vulnerable. This application was able to intercept the method calls to an open source class, record the credentials being stored, and then return control to the original method. To an average user, the application was successful in storing their password. However, the application that hooked into the method could have silently recorded and sent the user's password to a remote server.

Vulnerabilities in Data Storage

Proper data security is extremely important to users. They want to download applications with the confidence that they can trust them with their personal information. If a device is lost or stolen, users shouldn't have to worry that their private information could be accessed by someone else. Users should be wary of applications that don't specifically state the type of encryption they offer.

One of the biggest weaknesses found regarding data storage is the lack of encryption among many of the applications tested. Often companies market their application as "secure" or "password protected", which conveys a sense of trustworthiness to the user. The average user would trust an application that is stated to be secure and would assume that their information is protected. While these applications do protect against the average user (the most common defense is displaying a passcode/password prompt before allowing access), that protection can easily be defeated by even a novice attacker. The data collected in the research showed that a large number of password manager applications store this information unencrypted and easily accessible in backups and with several filesystem browsers (available to both stock and jailbroken users). Some password managers store the user's credit card numbers, social security number, and much more using no form of encryption. An attacker could easily extract the database and gain access to a user's entire identity. Any application dealing with this form of data should at least be using AES (Advanced Encryption Standard) to protect the user. An application displaying a simple passcode screen and providing no encryption shouldn't be able to call itself secure.

Another common practice is using the SDK framework class NSUserDefaults for storing the user's password. The research discovered several instances where applications using either encrypted or unencrypted databases had used the class NSUserDefaults to store the user's password. A quick glance at Apple's documentation will show that Apple highly disapproves of using this class for sensitive information. Apple's documentation states that Apple's keychain, an encrypted system database, should be used for any type of sensitive password or token. Apple's keychain provides developers with several security benefits, including code-free AES-256 encryption and limiting access to stored data to the application that stored it. Data stored using NSUserDefaults is available unencrypted and visible in device backups, and through several filesystem viewing utilities (available to both stock and jailbroken users).

The last type of data security practice discovered involves the internal workings of an application. During the study, two applications were found that used AES encryption but could be tricked into either decrypting the data or exposing the user's password. Both of these involve flaws in the internal structure of how they were built. The first application, Photo Safe, encrypted users' photographs and required entry of a password to decrypt them and gain access. At first glance, the application seems secure; the data stored on the file system isn't recognized as image data. Using software known as class-dump-z and a tool for decrypting the application binary, the internal structure (header files) of the application was viewable. By using the header files, a method was discovered to bypass this encryption. When the application launches, it presents the user with a password prompt, which is used to authenticate before displaying the information. Using a method discovered in the password prompt class, the password prompt can be bypassed and a user's private photos can be viewed. Another application, My Eyes Only, can be exploited in a similar manner to reveal the user's password. My Eyes Only stores users' credit card numbers and other sensitive information using AES encryption. However, by analyzing the decrypted binary using class-dump-z, a class is discovered that both holds the user's password and provides a shared instance that can be called at any time. A tool called Cycript could be used to call upon this shared instance and view the user's password.

Vulnerabilities in Data Transport

Tools such as Firesheep, a browser extension that sniffed unencrypted network traffic for common cookies and credentials, have changed the way many sites handle security. Companies such as Facebook and Google have expanded their security offerings by adding the option of using SSL while browsing their site, a process which encrypts the data being sent between their servers and your web browser. Facebook began offering an SSL mode [1], which ensures that all data sent between Facebook's servers and your computer is encrypted. Google also began offering a similar feature for its search product, protecting the data sent between your computer and Google when you make a web search. A valid SSL certificate ensures trust from your users, allowing them to verify that the web site does in fact belong to the right business. At a time when SSL certificates are cheap and becoming more and more common among smaller web services, there are still many companies that do not offer these types of services. Several applications were found that send users' passwords unencrypted over the network. These credentials could be captured using a packet capture application such as Wireshark. The danger of not properly securing these credentials could be huge if a user reuses their password in multiple locations. A user on a social media site could be using the same password on their online banking account, allowing an attacker to gain access to multiple accounts based on data breached in one area. A user should avoid connecting to public WiFi networks when using applications that transfer data unencrypted.
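The Data Storage section above contrasts NSUserDefaults, whose contents are written in the clear and show up in backups, with the keychain. The Swift code below is an added example and is not code from the paper or from any of the applications it tested: it shows the weak pattern beside a small keychain wrapper built on the Security framework calls SecItemAdd, SecItemUpdate, SecItemCopyMatching and SecItemDelete. The service and account strings are made up for the example.

```swift
import Foundation
import Security

// The pattern the paper describes, shown only for contrast. UserDefaults
// writes Library/Preferences/<bundle id>.plist as a plain property list,
// so the value is readable from a backup or any filesystem browser.
func storePasswordInsecurely(_ password: String) {
    UserDefaults.standard.set(password, forKey: "userPassword")   // do not do this
}

/// Minimal keychain wrapper. The item is a generic password keyed by
/// (service, account); the OS encrypts it and, by default, only the app
/// (keychain access group) that wrote it can read it back.
enum KeychainStore {
    enum KeychainError: Error { case unexpectedStatus(OSStatus), noData }

    private static func baseQuery(service: String, account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Save or replace a secret. kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    /// means the item is readable only while the device is unlocked and is
    /// never restored onto a different device from a backup.
    static func set(_ secret: Data, service: String, account: String) throws {
        var query = baseQuery(service: service, account: account)
        let attributes: [String: Any] = [
            kSecValueData as String: secret,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        // Update an existing item first; if there is none yet, add it.
        var status = SecItemUpdate(query as CFDictionary, attributes as CFDictionary)
        if status == errSecItemNotFound {
            query.merge(attributes) { _, new in new }
            status = SecItemAdd(query as CFDictionary, nil)
        }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    static func get(service: String, account: String) throws -> Data {
        var query = baseQuery(service: service, account: account)
        query[kSecReturnData as String] = kCFBooleanTrue
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
        guard let data = result as? Data else { throw KeychainError.noData }
        return data
    }

    static func delete(service: String, account: String) throws {
        let status = SecItemDelete(baseQuery(service: service, account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage. Both identifiers are hypothetical values chosen for this example.
let service = "com.example.passwordmanager"
let account = "master-password"
try KeychainStore.set(Data("correct horse battery staple".utf8), service: service, account: account)
let stored = try KeychainStore.get(service: service, account: account)
print(String(decoding: stored, as: UTF8.self))
try KeychainStore.delete(service: service, account: account)
```

The accessibility attribute is the part most often left at its default. With the default (kSecAttrAccessibleWhenUnlocked) the item migrates with encrypted backups to a new device; the ThisDeviceOnly variant used here ties it to the device's own keys, which is the right choice for a master password that protects data that itself lives only on the device.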
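The Photo Safe and My Eyes Only cases above share one design flaw: the unlock decision is a method that answers yes or no, and the password itself lives in a long-lived shared object, so either can be reached at runtime once the binary has been dumped. The Swift code below is an added example, not code from the paper or from either application, of the alternative design: the AES key is derived from the passcode with PBKDF2 (CommonCrypto's CCKeyDerivationPBKDF) and decryption itself (CryptoKit AES-GCM) is the unlock check. The names Vault and deriveKey and the sample data are this example's own; CryptoKit requires iOS 13 / macOS 10.15 or later.

```swift
import Foundation
import CryptoKit
import CommonCrypto
import Security

/// Derive a 256-bit AES key from the passcode with PBKDF2-HMAC-SHA256.
/// The salt is random per vault and stored beside the ciphertext; the
/// passcode itself is never written anywhere and never kept in a singleton.
func deriveKey(passcode: String, salt: Data, rounds: UInt32 = 200_000) -> SymmetricKey {
    var derived = [UInt8](repeating: 0, count: 32)
    let status = passcode.withCString { pw -> Int32 in
        salt.withUnsafeBytes { saltBuf -> Int32 in
            CCKeyDerivationPBKDF(
                CCPBKDFAlgorithm(kCCPBKDF2),
                pw, passcode.utf8.count,
                saltBuf.bindMemory(to: UInt8.self).baseAddress, salt.count,
                CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
                rounds,
                &derived, derived.count)
        }
    }
    precondition(status == Int32(kCCSuccess), "PBKDF2 failed")
    return SymmetricKey(data: derived)
}

/// A sealed container. Note what is absent: no stored passcode, no
/// "isUnlocked" flag, no shared instance exposing the key. The only route
/// to the plaintext is presenting the correct passcode to `open`.
struct Vault {
    let salt: Data      // 16 random bytes, safe to store in the clear
    let sealed: Data    // AES-GCM nonce || ciphertext || tag

    static func create(passcode: String, plaintext: Data) throws -> Vault {
        var salt = Data(count: 16)
        let rc = salt.withUnsafeMutableBytes { buf in
            SecRandomCopyBytes(kSecRandomDefault, buf.count, buf.baseAddress!)
        }
        precondition(rc == errSecSuccess, "random salt failed")
        let key = deriveKey(passcode: passcode, salt: salt)
        let box = try AES.GCM.seal(plaintext, using: key)
        return Vault(salt: salt, sealed: box.combined!)   // default 12-byte nonce, so combined is non-nil
    }

    /// Unlock *is* decryption: a wrong passcode gives a wrong key, the GCM
    /// tag check fails and `AES.GCM.open` throws. There is no boolean
    /// method whose return value could be flipped to dismiss a prompt.
    func open(passcode: String) throws -> Data {
        let key = deriveKey(passcode: passcode, salt: salt)
        let box = try AES.GCM.SealedBox(combined: sealed)
        return try AES.GCM.open(box, using: key)
    }
}

// Usage with constructed sample data (not real card data).
let vault = try Vault.create(passcode: "1234-example", plaintext: Data("card: 0000 0000 0000 0000".utf8))
let recovered = try vault.open(passcode: "1234-example")
print(String(decoding: recovered, as: UTF8.self))
do {
    _ = try vault.open(passcode: "wrong")
} catch {
    print("unlock failed as expected: \(error)")   // CryptoKitError.authenticationFailure
}
```

This does not make the app immune to runtime inspection while it is unlocked, since the derived key exists in memory for the duration of a call, but it removes the two things the paper's cases relied on: a stored or retained password, and an authentication method that can be invoked independently of the decryption.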
[1] http://nakedsecurity.sophos.com/2011/01/28/how-to-enable-httpsssl-encryption-to-secure-yourfacebook-account/

Vulnerabilities in Modified Systems (Jailbreaking)

When an end user modifies the stock operating system to allow installation of unsigned software, they are removing one of the major security systems that keeps iOS secure. The process known as jailbreaking involves a software application taking advantage of several levels of exploits to enable unsigned software to run on the device. On a stock (unmodified) iOS device, the system requires all software applications that attempt to run to be signed by Apple, which requires the developer to be a registered iOS developer and have a code-signing certificate that is signed by Apple. By removing this feature, any type of software could be run on the device. This opens the end user up to the possibility of malicious software being installed. Using the development tools available for building a tweak (a utility that modifies an existing feature of a software application) for jailbroken devices, malware could be developed to target users who have jailbroken their device and download software through a package manager such as Cydia. Using method hooking, a software application could tap into an instance of a particular class and execute additional code. Method hooking is used by some developers to hook into Apple's private APIs and perform tasks that normally wouldn't be available in Apple's SDK. For example, an application that changed the incoming caller ID would have to hook into the method that handles the caller ID functionality and change the data being sent to the class responsible for creating the on-screen caller ID. By applying this same principle, a malicious application could hook into another application's process and intercept method calls. With a popular open source class such as SSKeychain, a malicious application could hook into the method passwordForService:account: and record passwords from any application using this class. During the testing portion of the research, Square's credit card processing application was examined for exploits. Using the internal header files generated with class-dump-z, a method was discovered for accessing a credit card number as it was swiped. This same method of accessing information could be applied to almost any application. The end user has no way of knowing whether the information they submitted at a login screen is going to a trusted company, or if it is being sent elsewhere. When an end user modifies their device and removes the security features set in place, they may be opening themselves up to these types of vulnerabilities.
By downloading software from trusted sources and using the existing security features on the device, these types of vulnerabilities can be avoided.

Conclusion

During the testing portion of the research, several applications were found that contained vulnerabilities ranging from minor issues to major exploits. While these applications were found, that doesn't mean that every application has a security problem. The majority of applications in Apple's App Store are secure; in fact, the applications found with vulnerabilities required weeks of searching and testing to find. Many of the vulnerabilities found were common issues that could be easily fixed. Developers dealing with sensitive user information should strongly consider either using Apple's Keychain APIs or building their database around a strong encryption technology such as AES. As awareness of security on mobile devices develops, easier solutions for securing data will also develop. Developers building web services should be using SSL if their service handles user credentials. As time progresses and technology advances, SSL certificates will become a standard for every business. Apple's App Store is a new marketplace for companies to transform ideas into sellable products: a marketplace which is constantly evolving. There are many companies that take security extremely seriously, and continue to lead the way in innovation. The intention of publishing this research is to create a dialog about security between companies, to get people talking more about mobile security.

Research Data

During the research, several applications were found with some form of security vulnerability. The applications tested were all available for free on the App Store, and many were featured on the top charts for either free apps or in their specific category. Vulnerabilities found which might put user data at higher risk have been reported and disclosed to the respective developers of the application. Based on the specific focus of the research, the exact number of applications tested is not available. Many applications that were tested weren't recorded because they didn't handle any form of user credentials or sensitive user data. Some applications were found using specific searches such as "Password", "Password Manager", "Secure" and several other keywords. Below is a collection of applications found with some form of security exploit:

Developer: Zynga
Exploit Type: Data Transport
This exploit relates to the authentication of users in Zynga's With Friends platform.
Using an application that forges the device's UUID number, an attacker could gain access to another account by knowing the account holder's UUID and email address, even if the account holder had enabled a password on their account.
Applications: Words With Friends, Hanging With Friends, Scramble With Friends

Developer: My Eyes Only
This exploit relates to the storage of user credentials and the reliability of authentication systems. A malicious attacker could copy the encrypted data from backups to their own device with Cycript installed. In Photo Safe, a malicious attacker could use Cycript to invoke the method passwordgood, which will dismiss the authentication window and allow access to the protected data. In My Eyes Only, an attacker could use Cycript to invoke the password manager singleton and gain access to the user's password.
Applications: Photo Safe, My Eyes Only - Secure Password Manager

Developer: Sort It! Apps
Exploit Type: Data Transport & Data Storage
This exploit relates to the transportation and storage of user credentials. A malicious attacker could record network packet transmissions and collect the user credentials that are sent. The attacker could also discover the user credentials in a device backup, using a file system browser, or using an SFTP client (if the device is jailbroken with SSH installed).
Applications: Collectors, Music Collectors

Developer: Apps2Be
This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Dot Lock Protection

Developer: Matsvei Tsimashenka
This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Security Suite

Developer: i-app Creation Co., Ltd.
This exploit relates to the storage of user credentials. A malicious attacker could extract the user's passcode from previous backups and use it to access the media in the application.
Applications: Pic Lock

Developer: chen kaiqian
This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Secret Folder Lite

Developer: Needletrack
This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: iphotovault

Developer: LoveSoft
This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Encryption Album, Encrypt Contacts

Developer: HUANG YAOHAO
This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Safe Password free for iPhone

Developer: Team Union
This exploit relates to the storage of user credentials. A malicious attacker could extract the user's passcode from previous backups and use it to access the media in the application.
Applications: Password Memory

Developer: Zero Cool
This exploit relates to the storage of user credentials and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Don't Touch My Pics FREE

Developer: ibear LLC
This exploit relates to the storage of the user's passcode and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Checkbook HD

Developer: Intersog
This exploit relates to the storage of the user's passcode and application data. A malicious attacker could extract the user's passcode and other private data from previous backups.
Information stored unencrypted and
Applications: Secure Photo Storage with Dropbox

Developer: Forum Runner
Exploit Type: Data Transport
This exploit relates to the transportation of user credentials over a non-encrypted network connection. A malicious attacker could record network packet transmissions and collect the user credentials that are sent.
Exploit Level: Moderate
Applications: AVSForum, Cathe Friedrich's Workout Forums, Truckers Forum

Developer: Comsome.Inc.
Exploit Type: Data Transport
This exploit relates to the transportation of user credentials over a non-encrypted network connection. A malicious attacker could record network packet transmissions and collect the user credentials that are sent.
Exploit Level: Moderate
Applications: Keep Reader

Developer: PayPal
Exploit Type: Data Transport
This exploit relates to the validation of the SSL certificate and the ability for it to be spoofed. A malicious attacker could install a self-signed root certificate and a self-created certificate authority certificate on the device and redirect network traffic to their own server. PayPal's application only validates that the certificate is valid, but not whether the certificate is PayPal's official SSL certificate. A rogue system could be set up to record user credentials.
Exploit Level: Minor
Applications: PayPal Here

Developer: GeekUtils
Exploit Type: Data Transport
This exploit relates to the ability for in-app data to be spoofed, tricking the user into installing malicious applications or redirecting them to malicious web services. This type of network communication could be easily spoofed to provide false information. A malicious application could modify the device's hosts file on a jailbroken device so that it redirects traffic to a different server. This would allow them to disable ads and spoof the developer's information.
Exploit Level: Minor
Applications: Internet Killed TV (CTFxC), PhillyD Official, We The Kings
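The Data Transport section says services handling credentials should use SSL, and the PayPal entry above shows the next step that was missing: the app checked that the certificate chained to some trusted root, but not that it was PayPal's own, so a user-installed root CA could stand in the middle. The Swift code below is an added example, not code from the paper or from PayPal, of certificate pinning in a URLSession delegate: it performs the normal chain evaluation and then requires the SHA-256 of the leaf certificate's DER encoding to match an embedded value. The class name PinnedSessionDelegate and the pin string are this example's own (the pin is a placeholder, not a real certificate hash); SecTrustCopyCertificateChain requires iOS 15 / macOS 12 or later.

```swift
import Foundation
import CryptoKit
import Security

/// Pins the server's leaf certificate by the SHA-256 of its DER bytes.
/// A real deployment embeds the hashes of the certificates it actually
/// expects, plus at least one backup pin for the next rotation.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafHashes: Set<String>

    init(pinnedLeafHashes: Set<String>) {
        self.pinnedLeafHashes = pinnedLeafHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: ordinary chain validation against the system trust store.
        // This is the check the PayPal app in the paper stopped at; a root
        // certificate the user has installed satisfies it.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the pin. An attacker-controlled CA can issue a certificate
        // that passes step 1, but cannot produce one whose DER hash equals
        // the value compiled into the app.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let hash = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if pinnedLeafHashes.contains(hash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage. The pin value is a placeholder for this example; compute the real
// one from the DER encoding of the certificate the server actually presents.
let delegate = PinnedSessionDelegate(pinnedLeafHashes: ["<sha256-hex-of-expected-leaf-der>"])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/login")!) { _, response, error in
    // A pin mismatch surfaces here as an error with the challenge cancelled.
    print(error.map { "request failed: \($0)" } ?? "status: \((response as? HTTPURLResponse)?.statusCode ?? 0)")
}
task.resume()
```

Leaf pins have to be updated whenever the certificate is renewed, which is why shipping apps usually pin the subject public key (or an intermediate CA) and carry a backup pin; the structure of the check is the same. Pinning complements, rather than replaces, step 1, and the app should additionally refuse plain HTTP so credentials never leave the device unencrypted at all.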

References

"Security Overview: About Software Security." Mac OS X Developer Library. Apple. Web.
"Secure Coding Guide." Mac OS X Developer Library. Apple. Web.
"Document Transfer Strategies." Mac OS X Developer Library. Apple. Web.
"Keychain Services Programming Guide." Mac OS X Developer Library. Apple. Web.
Lee, Graham J. Professional Cocoa Application Security. Indianapolis, IN: Wiley, 2010. Print.
Zdziarski, Jonathan. Hacking and Securing iOS Applications. Beijing, China: O'Reilly, 2012. Print.