
The technology supporting mobile devices moves pretty quickly. To keep you up to date with developments in the mobile security field, we have developed this interim update to accompany your SANS SEC575 course materials.

Joshua Wright [email protected] @joswr1ght 1/31/2018

New in iOS 11

With iOS 11 we have several new security features and support for new hardware. Specifically, iOS 11 is the major software release to support the iPhone 8, 8+, and X (pronounced "ten"). iOS 11 supports several new features as well:

• Native Screen Recording: iOS 11 supports native screen recording functionality, accessible from a Control Center option, and as a programmatic API in the ReplayKit library (RPScreenRecorder.startCapture()). When a screen recording is active, iOS places a red banner at the top of the screen that the user can tap on to stop the recording. When the recording is finished, it is saved to the Camera Roll. This feature could be used to record visible screen contents outside of the standard application functionality, but the recording would only be accessible to a malicious application if it also has the Camera Roll privilege.
• Offload Unused Apps: iOS 11 can also automatically remove applications that are not used from the device as a storage-saving measure. When the application is invoked again, the device downloads it on-demand from the iTunes app store. When an app is removed automatically, the data itself is retained on the device until the app is reinstalled and uninstalled manually.
• App Password Autofill: Mobile Safari has had iCloud synchronization for login credentials since iOS 9, but this password autofill functionality has been limited to Mobile Safari. With iOS 11, password autofill is also extended to any application that is designed to use this functionality (as shown on this page for the Twitter application, having obtained the password from iCloud storage following a visit to Twitter with Mobile Safari).
When the user chooses to populate a password with autofill, they must authenticate to the device using Touch ID or Face ID. App password autofill is not limited to iCloud synchronization; password managers such as OnePass or 1Password can also be extended to take advantage of this functionality as a credential provider instead of only getting passwords from iCloud storage.

Face ID Bypass

With the loss of a home button on the iPhone X, Apple introduced Face ID as a new biometric authentication option. Face ID uses infrared light to illuminate a subject's face, comparing observed subdermal facial geometry with movement to stored biometric information. Apple indicates that Face ID is also motion aware, requiring the user to blink or produce other facial movements that would not be available in a still subject (https://www.forbes.com/sites/quora/2017/09/13/how-does-apples-new-face-id-technology-work).

Shortly after the release of the iPhone X, several YouTube videos started gaining popularity where identical twins, as well as close relatives, could unlock each other's iPhone X devices (a mother and son pair demonstrate an unlock event at https://www.youtube.com/watch?v=dUMH6DVYskc). However, the iPhone X Face ID feature "learns" with each subsequent unlock (to allow for changes in a face over time, such as growing a beard), so it is not clear if these unlock events are shortcomings in Face ID or intended functionality with trained devices.

In November 2017, Ngo Tuan Anh, Vice President of Bkav, a computer security firm in Vietnam, demonstrated to reporters that he was able to produce a mask capable of evading Face ID. Anh built the mask from paper tape, a silicone nose, and paper eyes along with a framework designed on a 3D printer for $150.
Anh indicated that the mask took a week to build such that it would bypass Face ID recognition and unlock a device (Image source: https://www.reuters.com/article/us-apple-vietnam-hack/vietnamese-researcher-shows-iphone-x-face-id-hack-idUSKBN1DE1TH).

In practice, it is unlikely that Face ID bypass will be a practical attack technique for an adversary. Apple limits attempts to unlock an iPhone X with Face ID to 5; after 5 failed attempts, the device will require the user to enter the secondary authentication credential (a password or a PIN). While media reports indicate that Face ID bypass is possible, a targeted attack (where you intend to unlock a specific device) is unlikely to be successful with this 5-attempt limitation.

Emergency SOS

iOS 11 introduces a new feature called Emergency SOS where the user can disable biometric authentication and get a shortcut to place an emergency call (or immediately place an emergency call if configured to do so) by pressing the power button 5 times rapidly on the iPhone 7/7+ and earlier, or by pressing and holding the side button while holding volume up or down on the iPhone 8, 8+, or X. When the user activates Emergency SOS, even if an emergency call is not placed, the iOS device will disable biometric authentication access, requiring the user to enter the secondary authentication credential to unlock the device.

This could be seen as a tiny snub to US law enforcement agencies and courts that say that biometric data is not protected by the US Constitution 5th Amendment (the 5th Amendment of the US Constitution is part of the Bill of Rights that protects individuals from being compelled to be witnesses against themselves in criminal cases). Essentially, lower courts in the US have ruled that biometric information is not protected, and a suspect can be forced to unlock an iOS device using a fingerprint or face scan.
An individual about to be apprehended could trigger the Emergency SOS feature, preventing the device from unlocking using biometric information.

Intelligent Tracking Prevention (ITP)

iOS 11 also takes steps to defend against cookie tracking using Intelligent Tracking Prevention (ITP). To understand ITP, we have to first differentiate the concept of first-party and third-party cookies. A first-party cookie is set when a user visits a website (either through a browser or app with a WebView) and the server returns a Set-Cookie response header. A third-party cookie is set when a user visits a website (browser or WebView), and the linked content generates additional requests to new websites (such as when you browse to cnn.com, and cnn.com links to an image on facebook.com). If the subsequent requests are returned with Set-Cookie headers, the cookies are known as third-party.

With ITP, iOS applies different policies to cookies depending on whether they are first-party or third-party. A third-party cookie is disabled after 24 hours if it is intended for user tracking purposes (the nature of the intent is not clear in the Apple documentation). First-party cookies are purged if the website that issued the cookie has not been visited within 30 days.

Following this feature announcement from Apple, advertisers expressed discontent with the change, indicating that the change would hamper their ability to deliver a positive user experience that supplies desirable advertising to users (https://www.pmxagency.com/blog/2017/09/ios-11-intelligent-tracking-prevention-means-marketers). Many advertisers quickly responded to the change by refactoring how cookies are delivered.
For example, Google Analytics' __gac cookie was formerly delivered by googleadservices.com (a third-party for most users), but has been changed such that it is delivered from the first-party site instead to "accurately understand attribution and campaign performance" (https://www.pmxagency.com/blog/2017/09/ios-11-intelligent-tracking-prevention-means-marketers/).

iOS 11 Location Services Permission Change

Prior to iOS 11, an app could dictate how the location privilege prompt is displayed to users, limiting the choice for users to allow or deny access to location services (shown on the left of the image on this page). iOS has supported a third option for privilege services, "only while using the app", but that option was not always accessible depending on how the developer wrote the app. With iOS 11, Apple will display the three location services options when the app attempts to access location services without the developer's ability to suppress the "while using" option. This change provides the user with more flexibility in how they grant location access to applications.

Files App

Also new in iOS 11 is a native file management app. Though long eschewed by Apple, Android feature parity warranted the introduction of a file manager that replaces the former iCloud Drive app, allowing the user to manage files from native and third-party cloud storage providers, as well as limited local storage (primarily the photo reel and deleted items folders).

Third-party apps can leverage the Files app API set to read files from other cloud storage providers through the Files app. This creates the possibility for the Google Drive app to read files belonging to another third-party app stored in Dropbox or any other cloud storage provider.
Instead of using a permission restriction to indicate which apps can read what files, the iOS 11 platform requires that all access to files is user-gated (that is, the user must choose the files they wish to share after initiating a Browse action as shown on this page). Apps are not allowed to silently access data stored in cloud providers accessible to the Files app.

iOS 11 SSL/TLS Changes

iOS 11 also introduces new SSL/TLS changes that will affect developers and hosting providers while improving network transport security for end-users. With iOS 11, TLSv1.2 is the default preferred crypto capability negotiated in all secure HTTP requests (when the URLSession, URL, URLRequest, and NSURLConnection libraries are used; other third-party libraries may not enforce this same crypto requirement).
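
The first-party/third-party distinction and the two retention rules from the Intelligent Tracking Prevention section above, including the __gac move from googleadservices.com to the first-party site, modeled as an added example that is not part of the original course update or Apple's implementation. The placeholder site names, the `tracking` flag and the two-label site comparison are assumptions made for illustration.

```javascript
// Added example: models the cookie rules as this page states them, not Apple's ITP code.
const HOUR = 60 * 60 * 1000, DAY = 24 * HOUR;

// Assumption: a "site" is the last two host labels. Real browsers consult the
// Public Suffix List, so this shortcut is wrong for suffixes such as co.uk.
function site(url) {
  return new URL(url).hostname.toLowerCase().split('.').slice(-2).join('.');
}

// First-party when the response that set the cookie came from the visited site.
function party(pageUrl, responseUrl) {
  return site(pageUrl) === site(responseUrl) ? 'first-party' : 'third-party';
}

// cookie: { name, pageUrl, responseUrl, setAt, tracking }; times are in ms.
// `tracking` is a hypothetical flag; lastVisit maps site -> last direct visit.
function itpDecision(cookie, lastVisit, now) {
  const kind = party(cookie.pageUrl, cookie.responseUrl);
  let action = 'kept';
  if (kind === 'third-party') {
    if (cookie.tracking && now - cookie.setAt > 24 * HOUR) action = 'disabled';
  } else {
    const seen = Math.max(cookie.setAt, lastVisit.get(site(cookie.responseUrl)) ?? 0);
    if (now - seen > 30 * DAY) action = 'purged';
  }
  return { name: cookie.name, kind, action };
}

// Constructed sample data: shop.example, news.example and adnet.example are placeholders.
function auditSample() {
  const now = 100 * DAY;
  const lastVisit = new Map([['shop.example', now - HOUR], ['news.example', now - 45 * DAY]]);
  const cookies = [
    // __gac set by googleadservices.com while the user browses shop.example
    { name: '__gac', pageUrl: 'https://www.shop.example/', tracking: true,
      responseUrl: 'https://www.googleadservices.com/pixel', setAt: now - 2 * DAY },
    // the same cookie after refactoring: set by the visited site itself
    { name: '__gac', pageUrl: 'https://www.shop.example/', tracking: true,
      responseUrl: 'https://www.shop.example/landing', setAt: now - 2 * DAY },
    // recent third-party tracking cookie, still inside the 24-hour window
    { name: 'ad_id', pageUrl: 'https://www.shop.example/', tracking: true,
      responseUrl: 'https://cdn.adnet.example/t.gif', setAt: now - 2 * HOUR },
    // first-party cookie from a site last visited 45 days ago
    { name: 'session', pageUrl: 'https://www.news.example/', tracking: false,
      responseUrl: 'https://www.news.example/', setAt: now - 45 * DAY },
  ];
  return cookies.map((c) => itpDecision(c, lastVisit, now));
}
console.log(auditSample());
```

The two `__gac` rows differ only in which host returned the Set-Cookie header, which is enough to move the cookie from the 24-hour rule to the 30-day rule.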