Iphone Privacy

Iphone Privacy

Security & Risk Conference November 3th - 6th 2010 Lucerne, Switzerland Apple iOS Privacy Nicolas Seriot Twitter @nst021 Malware on Mobile Phones • Was a fantasy two years ago • Is now something common • Many fantasy among consumers • “Can my iPhone spy on me?” Reach Consumer Phones • Unix permissions + sandbox • Autoregulated market • Spywares, fake banking applications, … • see Jesse Burns session on Android app security App Store Malware • Hackers have been working on the jailbroken side • 100 million devices, 250’000 apps, 4 billion downloads • February 2010 BlackHat DC USA • iPhone / App Store is not immune from malware http://www.blackhat.com/presentations/bh-dc-10/Seriot_Nicolas/ BlackHat-DC-2010-Seriot-iPhone-Privacy-wp.pdf Agenda 1. Privacy issues overview 2. What can iPhone spyware do? 1. Access personal data 2. Fool App Store’s reviewers 3. Attack scenarios 4. Recommendations and conclusion 1. Privacy Issues Overview Security Issues Timeline …2007 2008 2009 2010… Root libtiff CoreAudio exploits SMS fuzzing FreeType Pulled Aurora Faint from Store MogoRoad SSL Trust you own Lawsuit Storm8 s Analytic PinchMedia concerns s Worms Ikee & co. (jailbreak) OS 1.0 1.1 2 2 2.2 3.0 3.1 3.2 4 4.1 Jailbreak SSH Worms Ikee Dutch 5 € ransom Root Exploit through PDF Handling ArsTechnica, August 2010 http://arstechnica.com/apple/news/2010/08/web-based-jailbreak-relies-on-unpatched- mobile-safari-flaw.ars Analytics Frameworks • PinchMedia • Think Google Analytics for your app • July 2009 – bloggers raise privacy concerns • Users are not informed and can’t opt-out Storm8 Lawsuit http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/ http://www.boingboing.net/lawsuits/Complaint_Storm_8_Nov_04_2009.pdf Pulled out from AppStore* • Aurora Feint – July 2008 • Sent contact emails in clear • 20 million downloads • MogoRoad – September 2009 • Sent phone number in clear • Customers got commercial calls * Both applications are back on AppStore after updating their privacy policy. 2. What can iPhone Spyware do? iPhone is Widely Supposed to be Insecure http://www.google.com/hostednews/afp/article/ALeqM5gw3h9CaSr41wcnCsPda4CD5mqnyw Swiss civil servants are banned from using iPhones http://www.lematin.ch/actu/suisse/iphone-berne-299557 Technical Context • Imagine a rogue breakout on AppStore • iPhone OS version 4.1 • No jailbreak (no root access, 6-8 % iPhones) • No hardware attacks (don’t lose your iPhone) • Not calls to private APIs (there’s no need to) • No Facebook or Twitter profile data… • No root shells exploits • Look for entry points, look for personal data Methodology – Step A Access personal data 2.1. Access Personal Data Cell Numbers NSDictionary *d = [NSUserDefaults standardUserDefaults]; NSString *phone = [d valueForKey:@"SBFormattedPhoneNumber"]; • Entered in iTunes • Optional, you can safely change it Address Book API • Unrestricted read/write access • Tampering with data • change *@ubs.com into [email protected] File System Access http://fswalker.googlecode.com Enumerate Readable Files - (void)showAllReadableFilesFromPath:(NSString *)rootPath { ! NSFileManager *fm = [NSFileManager defaultManager]; ! NSDirectoryEnumerator *e = [fm enumeratorAtPath:rootPath]; ! NSString *s = nil; ! while(s = [e nextObject]) { !! if([fm isReadableFileAtPath:s]) { !!!NSLog(@"-- /%@", s); !!}!!! !} } iPhone Sandboxing • Restricts applications access to OS resources • A list of deny/allow rules at kernel level • /usr/share/sandbox/SandboxTemplate.sb (version 1) ; System is read only (deny default) (allow file-read*) (deny file-write*) ; Sandbox violations get logged to syslog via kernel logging. ; Private areas (debug deny) (deny!file-write* !(regex "^/private/var/mobile/ (allow sysctl-read) Applications/.*$")) (deny!file-read* ; Mount / umount commands !(regex "^/private/var/mobile/ (deny file-write-mount file-write-umount) Applications/.*$")) Sandboxing for the Win? Applications on the device are "sandboxed" so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space. Apple – iPhone in Business – Security Overview http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf False. Sandboxing rules are way too loose! Demo Introducing SpyPhone Email Addresses Phone Data and History Photos – iPhone OS 3.2 iOS 4.0 Bug Fixs http://support.apple.com/kb/ht4225 Photos – iOS 4 • photos geotags are not accessible anymore • photos still give a clue about user’s activity Location Keyboard and Wifi Caches Mapping Wifi BSSID BSSID Location Service HTTP POST { "wifi_towers": [ { "mac_address": "00:23:6c:80:cb:73" } http://66.249.92.104/loc/json ], "version": "1.1.0", "host": "www.google.com" } { "location": { "latitude": 46.5153829, "longitude": 6.6287134, "accuracy": 150.0 }, "access_token": "2:AEBX2wEULGBpyy9n:mnEZeUQogbCv7DUv" } SpyPhone • Contributions welcome! • 2000 lines of Objective-C • GPL License • http://github.com/nst/spyphone also runs on iPad! Apple on iOS 4 Security We're taking privacy several steps further – in iPhone OS 4. - Scott Forstall, Apple senior VP of iOS Software iPhone OS 3 / iOS 4 iPhone OS 3.2 iOS 4.1 Safari searches YouTube history Phone data Email settings AddressBook Keyboard cache Photos + coord. EXIF missing GPS recent loc. Wifi recent loc. Methodology – Step B Put the application on the App Store. 2.2. Fool App Store Reviewers App Store and Malware We've built a store for the most part that people can trust. There have been applications submitted for approval that will steal personal data. - Phil Schiller, Apple senior VP http://www.businessweek.com/technology/content/nov2009/tc20091120_354597.htm 10,000 submissions per week 10% of rejections related to malware App Store Reviews • iPhone SDK Standard Agreement forbids collect users’ personal information and must comply with local laws • Reviewers can be fooled • Spyware activation can be delayed • Payloads can be encrypted • Many things can change at runtime Hiding the Beast • Guesswork about AppStore review process • Static analysis with $ strings • Dynamic analysis with I/O Instruments • Monitor file openings • Check against black lists Strings Obfuscation - (NSString *)stringMinus1:(NSString *)s { NSMutableString *s2 = [NSMutableString string]; for(int i = 0; i < [s length]; i++) { unichar c = [s characterAtIndex:i]; [s2 appendFormat:@"%C", c-1]; } return s2; } - (void)viewDidAppear:(BOOL)animated { NSString *pathPlus1 = @"0wbs0npcjmf0Mjcsbsz0Qsfgfsfodft0dpn/bqqmf/bddpvoutfuujoht/qmjtu"; // @"/var/mobile/Library/Preferences/com.apple.accountsettings.plist" NSString *path = [self stringMinus1:pathPlus1]; NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:path]; // ... } This code would probably pass a static analysis Apple’s GPS Kill Switch $ curl https://iphone-services.apple.com/clbl/unauthorizedApps { !"Date Generated" = "2010-10-31 21:30:28 Etc/GMT"; !"BlackListedApps" = {}; } • Discovered by Jonathan Zdziarski in August 2008 • clbl stands for “Core Location Black List” • Prevent applications from using Core Location • Apple never acknowledged its existence publicly • Apple never used it – SpyPhone doesn’t care Methodology – Step C Database 4. Attack Scenarios This is Real World http://xkcd.com/538/ The Spammer • Write a little breakout game • Make it available for free on AppStore • Collect user email addresses + weather cities + user’s interests from keyboard cache • Collect Address Book emails • Send them with high scores The Luxury Products Thief • Write an app for sports car or luxury watches collectors • Report the name, phone, area and GPS location of healthy people • When you can determine that someone is away from home, just rob him The Real Life Snooper • Could also be named evil competitor, jealous husband or law enforcement officer • Requirements: 5 minute physical access to the device, an Apple $99 developer license, a USB cable • Install SpyPhone, send the report • Delete the report from sent emails, delete SpyPhone http://www.flickr.com/photos/11213613@N05/4147756184/ VIPs François Fillon, French Prime Minister, and Rachida Dati, former Justice French Minister < insert your attack scenario here > Methodology Database 4. Recommendations and Conclusion What’s Wrong (1) • Clearly, the Keyboard cache shouldn’t be readable, it should be a system service instead • Something like an applicative firewall should inform the user and let her prevent access • A network firewall should also be available to let the user opt-out from the various analytics frameworks Device Unique Identifiers • The user should be prompted when an application attempts to access the UUID • UUID may be used to link data gathered by different applications and frameworks • Apple should introduce an app-device identifier, unique for (device, application) Security Through Obscurity • Apple shouldn’t claim that an application cannot access data from other applications • Updates should be available OTA, you should not need iTunes • Apple actually hired several seniors early 2010 • Ivan Krstić (OPLC) • Window Snyder (FireFox) What’s Wrong (2) • Users should be required to grant read-access to the Address Book, as for the GPS location • Users should be prompted again if the application attempts to edit the Address Book • Risk: being overwhelmed with pop-ups Toward Apple approved Security Policies? • Android-like applications security policies, approved by AppStore reviewers Application Application App Security Policy Store Security Policy Developer Apple's Signature User • Move

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    71 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us