Wednesday, 11 September 2013

Mobile App Pen Testing - 4

In this post I'll walk you through iOS application security issues.


iOS Application Security Issues

  1. Privacy Issue
    • Every iPhone has a unique device identifier called the UDID. Mobile apps may collect the device UDID. With the UDID it is possible to observe the user's browsing patterns, and it also becomes feasible to determine the user's geographic location. The UDID can be found by observing the app's network traffic.
    • One such application is
      • OpenFeint, a mobile social gaming network: http://corte.si/posts/security/openfeint-udid-deanonymization/
  2. Application Data Storage
    • Applications installed on mobile devices use phone memory to store data. 76 percent of mobile apps store user data on the phone, and 10 percent of apps store passwords in clear text. Source: viaforensics.com/appwatchdog
    • Applications store information on the phone for two main purposes: it improves application performance, and it lets the user still access some data while he/she is offline.
    • Applications mainly store data in the following locations:
      • Plist files
      • Keychain
      • Logs
      • Screenshots
      • Home directory
    • Applications run in a sandbox (seatbelt) with ‘mobile’ privileges. Each application gets a private area of the file system. Example app home directory: /var/mobile/Applications/[GUID]
      Subdirectory            Description
      Appname.app             Contains the application code and static data
      Documents               Data that may be shared with the desktop through iTunes
      Library                 Application support files
      Library/Preferences/    App-specific preferences
      Library/Caches/         Data that should persist across successive launches of the application but does not need to be backed up
      tmp                     Temporary files that do not need to persist across successive launches of the application
  • Plist files
    • Plist (property list) files are primarily used to store a user's properties for an application. Example: /var/mobile/Applications/[appid]/Documents/Preferences
    • Key-value pairs are stored in binary format and can be easily extracted and modified with a property list editor or plutil.
    • During pen testing, look for usernames, passwords and cookies, since apps may make authentication/authorization decisions based on plist values. Example: admin=1, timeout=10
    • It is recommended not to store clear-text data in plist files.
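The plist review described above can be scripted once the app's home directory has been copied off the device. The following is an added example, not code from the original post: it parses every plist (binary or XML) under a directory and lists keys whose names suggest credentials or authorization flags. The key-name pattern, the bundle name com.example.app and the sample values are constructed assumptions.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Key names worth a manual look; this pattern list is an assumption, tune it per app.
SENSITIVE = re.compile(r"pass|token|secret|cookie|session|user|admin|auth", re.I)

def walk(node, path=""):
    """Yield (key_path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def audit_plists(root):
    """Parse every *.plist under root (binary or XML) and return flagged leaves."""
    findings = []
    for plist in sorted(Path(root).rglob("*.plist")):
        try:
            with plist.open("rb") as handle:
                data = plistlib.load(handle)  # format is auto-detected
        except Exception:
            continue  # truncated or not actually a plist; skip it
        for key_path, value in walk(data):
            if SENSITIVE.search(key_path):
                findings.append((plist.name, key_path, value))
    return findings

def demo():
    """Run the audit over a constructed binary plist in a temporary app directory."""
    sample = {"admin": 1, "timeout": 10, "theme": "dark",
              "account": {"username": "alice", "password": "hunter2"}}
    with tempfile.TemporaryDirectory() as app_home:
        prefs = Path(app_home) / "Library" / "Preferences"
        prefs.mkdir(parents=True)
        blob = plistlib.dumps(sample, fmt=plistlib.FMT_BINARY)
        (prefs / "com.example.app.plist").write_bytes(blob)
        return audit_plists(app_home)

if __name__ == "__main__":
    for name, key_path, value in demo():
        print(f"{name}: {key_path} = {value!r}")
```

A flagged key is only a pointer for manual review; whether a value such as admin=1 actually drives an authorization decision has to be confirmed in the app itself.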
  • Keychain
    • The Keychain uses an SQLite database for sensitive data storage. There are four tables in total: genp, inet, cert, keys. On iOS these tables are located at /var/Keychains/Keychain-2.db.
    • Keychain data is encrypted with a hardware encryption key and, depending on the accessibility constant of the keychain entry, the user's passcode. The idea is that developers can leverage the keychain to have the OS store information securely. The keychain is accessible to all applications, but an application can only access its own keychain items; on a jailbroken device this restriction can be bypassed. The Keychain Dumper tool, available on GitHub, displays the keychain entries of all installed applications.
    • To keep the data secure, use the data protection API when storing data in the Keychain.
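To check which accessibility constant an app chose for its keychain items, the four tables can be queried for item metadata without touching the encrypted payload. This is an added example, not code from the original post: it runs against a constructed in-memory database, and the column names (agrp, labl, pdmn), the pdmn code mapping and the access group ABCDE12345.com.example.app are assumptions about the schema and sample values.

```python
import sqlite3

TABLES = ("genp", "inet", "cert", "keys")

# Assumed mapping of the pdmn (protection domain) code to the accessibility constant.
PDMN = {
    "ak": "kSecAttrAccessibleWhenUnlocked",
    "ck": "kSecAttrAccessibleAfterFirstUnlock",
    "dk": "kSecAttrAccessibleAlways",
    "aku": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    "cku": "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    "dku": "kSecAttrAccessibleAlwaysThisDeviceOnly",
}
# "Always" items are not tied to the user's passcode, so they deserve a finding.
WEAK = {"dk", "dku"}

def build_sample_db():
    """Constructed stand-in for a copy of Keychain-2.db (only the columns used here)."""
    con = sqlite3.connect(":memory:")
    for table in TABLES:
        con.execute(f"CREATE TABLE {table} (agrp TEXT, labl TEXT, pdmn TEXT, data BLOB)")
    app = "ABCDE12345.com.example.app"  # hypothetical access group
    con.executemany("INSERT INTO genp VALUES (?, ?, ?, ?)", [
        (app, "api_token", "dk", b"<encrypted>"),
        (app, "refresh_token", "aku", b"<encrypted>"),
        ("ABCDE12345.com.other.app", "unrelated", "ak", b"<encrypted>"),
    ])
    con.execute("INSERT INTO inet VALUES (?, ?, ?, ?)", (app, "login", "ck", b"<encrypted>"))
    return con

def audit(con, access_group):
    """Return (table, label, accessibility, is_weak) for one app's keychain items."""
    rows = []
    for table in TABLES:
        query = f"SELECT labl, pdmn FROM {table} WHERE agrp = ? ORDER BY rowid"
        for label, pdmn in con.execute(query, (access_group,)):
            rows.append((table, label, PDMN.get(pdmn, "unknown"), pdmn in WEAK))
    return rows

if __name__ == "__main__":
    for table, label, constant, weak in audit(build_sample_db(), "ABCDE12345.com.example.app"):
        print(f"{table:5} {label:15} {constant}{'  <-- review' if weak else ''}")
```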
  • Error Logs
    • Apps may write sensitive data to logs, such as debugging and troubleshooting output or requests and responses. Logs can be found at /private/var/log/syslog. To view iPhone logs, the user can download the Console app (from the App Store).
    • Logs are synced to iTunes at:
      • Mac OS X: ~/Library/Logs/CrashReporter/MobileDevice/<DEVICE_NAME>
      • Windows XP: C:\Documents and Settings\<USERNAME>\Application Data\Apple computer\Logs\CrashReporter\<DEVICE_NAME>
  • Keyboard Cache
    • iOS auto-correction populates a local keyboard cache on the device. The problem is that it records everything a user types in text fields. The keyboard cache is located in the Library/Keyboard/en_GB-dynamic-text.dat file.
    • During a pen test, to check whether the application is caching sensitive data, clear the existing cache, enter data in a text field and analyze the cache file.
  • File Cache
    • iOS applications can store files in other formats such as pdf, xls and txt when they are viewed from the application. Whenever the user opens a file from his/her email, it gets cached.
    • Applications that are storing temp files on the device should clear those files upon logout/close for better security.
  • Screenshots
    • Pressing the Home button shrinks your application with a nice effect. iOS takes a screenshot of the application to create that effect, so sensitive data may get cached.
    • The solution is to remove sensitive data or change the screen before the applicationDidEnterBackground() function returns. Instead of hiding or removing sensitive data, you can also prevent backgrounding altogether by setting the “Application does not run in background” property in the application's Info.plist file.
  • Home Directory
    • Apps can store data in the application home directory, and a custom encryption mechanism may be used to protect the files. During pen testing, use reverse engineering techniques to find the encryption key and write tools to break the custom encryption.
