Sunday, 24 October 2010

iOS 4 - as insecure as ever

Nicolas Seriot, Security Analyst,  created a proof-of-concept
"SpyPhone" app to show how easy it is to snoop on iPhone users.
     Lax security screening at Apple's App Store and a design flaw are putting iPhone users at risk of downloading malicious applications that could steal data and spy on them, a Swiss researcher warns.
     Apple's iPhone app review process is inadequate to stop malicious apps from getting distributed to millions of users, according to Nicolas Seriot, a software engineer and scientific collaborator at the Swiss University of Applied Sciences (HEIG-VD). Once they are downloaded, iPhone apps have unfettered access to a wide range of privacy-invasive information about the user's device, location, activities, interests, and friends, he said in an interview Tuesday.
     In a talk scheduled at the Black Hat DC security conference, Seriot will explain how an innocent-looking app could be designed to harvest personal data and send it to a remote server without the user knowing it.
      The rogue app could be hidden within an innocent-looking app, such as a game. Low-hanging fruit for rogue apps includes the mobile-phone number, address book data, and a notes section of the address book, where some people store bank account and other sensitive information, he said.
"It turns out that the full Address Book is readable without the user's knowledge or consent," Seriot wrote in a white paper (PDF) on the subject.

      In addition, a sandboxing technique limits access to other applications' data but leaves exposed data in the iPhone file system, including some personal information, he said.
      To make his point, Seriot has created open-source proof-of-concept spyware dubbed "SpyPhone" that can access the 20 most recent Safari searches, YouTube history, and e-mail account parameters like username, e-mail address, host, and login, as well as detailed information on the phone itself that can be used to track users, even when they change devices.
      SpyPhone can be used to track the user's whereabouts and activities. It offers access to the keyboard cache, which contains all the words ever typed on the keyboard, except for words entered in password fields, effectively acting as a keylogger, he said. It accesses photos, which can be tagged with the date and location via the GPS coordinates. And a log showing the device's Wi-Fi connections also is accessible.
     "Safari recent searches, YouTube history, and your keyboard cache give clues about your current interests," he writes. "These interests are linked with your name and your e-mail addresses, your phone number, and your area. Harvested from large numbers of users, such data have a huge value in the underground market of personal data, and it must be assumed that Trojans are exploiting this on the App Store."

The screen shots show a list of the date and location of geotagged photos (left) and the coordinates displayed on a map (right), types of information that his SpyPhone proof-of-concept spyware was able to access from an iPhone.
     It's not difficult to get iPhone apps approved, Seriot said. To get an app distributed through Apple's App Store, developers need to be enrolled in the iPhone Developer Program and provide an executable file, but not the source code, to Apple for vetting. The approval process mainly looks for user interface inconsistencies because iPhone apps always have to look their best, for objectionable content, because the iStore is all about censorship and less for undocumented functions that could give malware apps away.
       But with Apple having to scrutinize hundreds of binaries that are submitted each week, some malware is bound to sneak in. Seriot acknowledged that he doesn't know exactly what process Apple uses to review apps but said it likely uses common static and dynamic analysis, both of which can be circumvented with the right programming tricks, he said.

      The threat is not theoretical. Several iPhone apps have been pulled from the App Store after being found to be harvesting user data, intentionally or unintentionally. A game called Aurora Feint was uploading all the user contacts to the developer's server, and salespeople from Swiss road traffic information app MogoRoad were calling customers who downloaded the app. Game app Storm8 was sued last fall for allegedly harvesting customer phone numbers without permission, but it later stopped that practice. And users also complained that Pinch Media, an analytics framework used by developers, was collecting data about customer phones.
      The most unpleasant result Apple's own policies was the hacking that took place two months ago. Thuat Nguyen, a Vietnamese hacker (company "mycompany",  website "") had 42 of his books (Vietnamese only, although the description claimed English and Japanese) topping the sales charts. This of course coincided with people reporting up to hundreds of dollars being spent unwillingly from their account to these specific books.
Apple's only mention about the issue was a ranking error and nothing concerning the hacked accounts.
So how did those accounts get hacked? Well, directly from the iPhone is the most likely explanation, through a malicious app or simply via iTunes that is like all Apple software, a fairly insecure product.

      "Consumers should be aware that iPhone security is far from perfect and that a piece of software downloaded from the App Store may still be harmful," Seriot wrote. "As a basic precaution, users should regularly clean the browser's recent searches and the keyboard cache in Settings. They should also change or delete the declared phone number, also in Settings."
      Meanwhile, professional users should avoid running untrusted applications, especially if they are required by law to protect data confidentiality," he wrote. This includes groups such as bankers, attorneys, medical staffers, law enforcement officers, and so on. Also, legal departments should be aware that confidential data may already have leaked."
     Seriot said he thought Apple might address the issue in its latest security update, released on Tuesday, but that it didn't.
     "This is one more piece of evidence that the issues are more like a design flaw than simple bugs which could be fixed in a minor security update," he said.
Seriot said he contacted Apple about the issues more than a year ago, and it subsequently issued a partial fix.

Apple representatives did neither respond to e-mails nor comment the security related issues.
Will you?