Sqlite data leakage in iOS applications

24 Jan

Most iOS applications store sensitive information such as usernames, passwords and transaction details, either permanently or temporarily, on the iPhone to give the user offline access. To store large and complex data, iOS applications generally use the Sqlite database, as it offers good memory usage and fast access. For example, to provide offline access the Gmail iOS application stores all the emails in a Sqlite database file in plain text, and the Facebook iOS application stores all the friends' details in Sqlite files.

Unencrypted sensitive information stored in a Sqlite file can be stolen easily by anyone who gains physical access to the device or to the iTunes backup. Also, when an entry is deleted, Sqlite only tags the record as deleted and does not purge it. So if an application temporarily stores sensitive data in a Sqlite file and later removes it, the deleted data can be recovered easily by reading the Sqlite Write Ahead Log.

This article explains how to view Sqlite files and how to recover deleted data from Sqlite files on the iPhone. For this exercise, I have created a demo application called CardInfo. CardInfo is a self-signed application, so it can only be installed on a Jailbroken iPhone. The CardInfo demo application accepts any username and password, then collects credit card details from the user and stores them in a Sqlite database. The database entries are deleted when the user logs out of the app.

Steps to install the CardInfo application:

1. Jailbreak the iPhone.
2. Download the CardInfoDemo.ipa file – Download link.
3. On Windows, download the iPhone configuration utility – Download link.
4. Open the iPhone configuration utility and drag the CardInfoDemo.ipa file on to it.

[Screenshot: iPhone configuration utility]

5. Connect the iPhone to the Windows machine using a USB cable. Notice that the connected device is listed in the iPhone configuration utility. Select the device and navigate to the Applications tab. It lists the already installed applications along with our CardInfo demo app.

[Screenshot: CardInfo demo iOS app install]

6. Click on the Install button corresponding to the CardInfo application.
7. This installs the CardInfo application onto the iPhone.

[Screenshot: CardInfo iOS demo app]

When an application is installed on the iPhone, a directory with a unique identifier is created under the /var/mobile/Applications directory. Everything that the application needs in order to execute is contained in this home directory, which is known as the bundle directory.

Steps to view CardInfo Sqlite files:

1. On the Jailbroken iPhone, install OpenSSH and Sqlite3 from Cydia.
2. On the Windows workstation, download Putty.
3. Connect the iPhone and the workstation to the same Wi-Fi network.
Note: Wi-Fi is required to connect to the iPhone over SSH. If a Wi-Fi connection is not available, SSH into the iPhone over USB.
4. Run Putty and SSH into the iPhone by typing the iPhone IP address, root as the username and alpine as the password.
5. Navigate to the /var/mobile/Applications/ folder and identify the CardInfo application directory using the ‘find . -name CardInfo’ command. On my iPhone the CardInfo application is installed in the /var/mobile/Applications/B02A125C-B97E-4207-911B-C136B1A08687/ directory.

[Screenshot: CardInfo directory]

6. Navigate to the /var/mobile/Applications/B02A125C-B97E-4207-911B-C136B1A08687/CardInfo.app directory and notice the CARDDATABASE.sqlite3 database file.

[Screenshot: CardInfo Sqlite file]

7. Sqlite database files on a Jailbroken iPhone can be viewed directly using the Sqlite3 command line client. View CARDDATABASE.sqlite3 and notice that the CARDINFO table is empty.

[Screenshot: CardInfo Sqlite before login]

8. On the iPhone, open the CardInfo application and log in (any username and password works).

[Screenshot: CardInfo login]

9. Enter the credit card details and click on the Save button. In the background, the app saves the card details in the Sqlite database.

[Screenshots: CardInfo - card details; CardInfo - saved details]

10. View CARDDATABASE.sqlite3 and notice that the CARDINFO table now contains the credit card details.

[Screenshot: CardInfo Sqlite after save]

11. Log out of the application on the iPhone. In the background, the app deletes the data from the Sqlite database.

[Screenshot: CardInfo logout]

12. Now view CARDDATABASE.sqlite3 and notice that the CARDINFO table is empty.

[Screenshot: CardInfo Sqlite after logout]

Steps to recover the deleted data from CardInfo Sqlite file:

The Sqlite database engine writes data into a Write Ahead Log (WAL) before storing it in the actual database file, so that it can recover from system failures. Upon every checkpoint or commit, the data in the WAL is written into the database file. So if an entry is deleted from the Sqlite database and there is no immediate commit query, the deleted data can easily be recovered by reading the WAL. In the case of iOS, the strings command can be used to print the deleted data from a Sqlite file. In our case, running the ‘strings CARDDATABASE.sqlite3’ command prints the deleted card details.

[Screenshot: CardInfo Sqlite data recovered]

In iOS, if an application uses the Sqlite database for temporary storage, there is always a possibility to recover the deleted temporary data from the database file.

For better security, use custom encryption when storing sensitive data in the Sqlite database. Also, before deleting a Sqlite record, overwrite that entry with junk data. Then even if someone tries to recover the deleted data from Sqlite, they will not get the actual data.
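The leak shown above and the overwrite-before-delete advice, as an added Python example that is not code from the article or from the CardInfo app: it recreates the demo's CARDINFO table with the standard sqlite3 module, scans the raw file bytes in place of the strings command, and in the hardened path goes one step beyond the article by also turning on SQLite's secure_delete pragma and running VACUUM. The card values are constructed test data.

```python
import os
import secrets
import sqlite3
import string
import tempfile

# Constructed sample values (not real card data) for the demonstration.
SAMPLE_NAME = "ALICE EXAMPLE"
SAMPLE_PAN = "4111111111111111"

def open_db(path, secure_delete):
    # PRAGMA secure_delete is a real SQLite setting; OFF mirrors the default the article relies on.
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE CARDINFO (id INTEGER PRIMARY KEY, name TEXT, number TEXT)")
    conn.commit()
    return conn

def save_card(conn, name, number):
    conn.execute("INSERT INTO CARDINFO (name, number) VALUES (?, ?)", (name, number))
    conn.commit()

def leaky_logout(conn):
    # What the demo app does: a plain DELETE only unlinks the record inside the page.
    conn.execute("DELETE FROM CARDINFO")
    conn.commit()

def scrubbing_logout(conn):
    # Article's advice: overwrite each field with junk of the same length, then delete.
    alphabet = string.ascii_uppercase + string.digits
    for row_id, name, number in conn.execute("SELECT id, name, number FROM CARDINFO").fetchall():
        junk = ["".join(secrets.choice(alphabet) for _ in v) for v in (name, number)]
        conn.execute("UPDATE CARDINFO SET name = ?, number = ? WHERE id = ?", (*junk, row_id))
    conn.execute("DELETE FROM CARDINFO")
    conn.commit()           # VACUUM refuses to run inside an open transaction
    conn.execute("VACUUM")  # added step: rebuild the file from live rows only

def raw_file_contains(path, needle):
    # Stand-in for `strings CARDDATABASE.sqlite3`: look for the text in the raw bytes.
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()

def run_scenario(hardened):
    path = os.path.join(tempfile.mkdtemp(), "CARDDATABASE.sqlite3")
    conn = open_db(path, secure_delete=hardened)
    save_card(conn, SAMPLE_NAME, SAMPLE_PAN)
    (scrubbing_logout if hardened else leaky_logout)(conn)
    rows_left = conn.execute("SELECT COUNT(*) FROM CARDINFO").fetchone()[0]
    conn.close()
    return rows_left, raw_file_contains(path, SAMPLE_PAN)
```

In the leaky run the table reads as empty while the card number is still present in the file; in the hardened run it is gone from both.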

4 Comments

Posted in iPhone

  1. R@hul

    February 19, 2013 at 7:48 pm

    Thank you for sharing a nice piece of information.

    Is it possible to sniff traffic on an iOS device by installing the certificate and not jailbreaking it?

    • satishb3

      February 19, 2013 at 8:28 pm

      Yes. It is possible. Take a look at penetration testing of iPhone applications part 1 on my blog.

  2. polkonois

    February 26, 2013 at 1:46 am

    Would like to ask you where I can find the file where the GMail app stores emails? Can’t find any db file in the GMail folder.

    • satishb3

      February 26, 2013 at 7:58 am

      Gmail db can be found in the Documents & Library/Caches folders. File extensions are .db & .localstorage.