Monday, May 04, 2015

iOS Security News

It’s hard enough keeping current on just the Windows security ecosystem. Now that we are iOS mobile device users as well, there is a whole second ecosystem to keep a security eye on. Of course, those devices run apps, and those apps talk to servers over the network, so the app and transport layers need watching for security issues as well.

So here is a roundup of recent articles and tools involving iOS security findings.

Per that second Ars Technica article by Dan Goodin, these are two different bugs, but both involve components of AFNetworking,

“an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that's trivial for hackers to monitor or modify, even when it's protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).”

  • SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production! - Minded Security Blog - a more technical breakdown of the security issue. According to the post, the bug it describes was fixed in the newer 2.5.2 release of the library (the Ars piece quoted above puts the fix for the domain-name check at 2.5.3). However, a fixed library only helps once developers rebuild their apps against it and get the updated builds onto users’ devices.
  • iOS Code Report - SourceDNA’s searchable database for checking whether an iTunes developer has released app(s) that are still built against the vulnerable library code.
  • SSL Analysis: Now With More Pinning - SourceDNA | Code Transparency for iOS & Android Apps, SDKs - SourceDNA Blog
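The Ars quote above describes a certificate check that stops at "is this chain signed by a trusted CA?" without asking "was this certificate issued for the host I meant to reach?". To make that missing step concrete, here is an added example, not AFNetworking code and not taken from any of the articles linked above, written in Python: a small RFC 6125-style hostname matcher plus two trust decisions, one that accepts any chain-valid certificate (the behaviour Ars describes) and one that also requires the name to match. The certificate dictionaries, host names and the `trust_server*` function names are constructed for the example.

```python
"""Hostname verification, the step a chain-only TLS check leaves out.

Added example; not AFNetworking code. Certificates are plain dicts holding
the names a real X.509 certificate would carry in its subjectAltName
extension (constructed sample data, not real certificates).
"""
from __future__ import annotations

import ipaddress


def _labels(name: str) -> list[str]:
    # Case-insensitive comparison; a trailing dot (FQDN form) is not significant.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style.

    Either an exact (case-insensitive) match, or a wildcard that is the entire
    left-most label and stands for exactly one label. A wildcard needs at least
    two more labels after it, so '*.com' never matches anything.
    """
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*":
        # No wildcard at all, or a partial one such as 'f*o.example' (refused).
        return "*" not in pattern and p == h
    if len(p) < 3:
        return False
    return len(h) == len(p) and p[1:] == h[1:]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True if the hostname matches any dNSName or iPAddress SAN in the cert.

    The subject Common Name is deliberately ignored: SANs are authoritative.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("san", []):
        if kind == "DNS" and ip is None and dns_name_matches(value, hostname):
            return True
        if kind == "IP" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def trust_server_chain_only(hostname: str, cert: dict, chain_valid: bool) -> bool:
    """The mistake Ars describes: any CA-signed certificate is accepted,
    whichever domain it was actually issued for. `hostname` is never consulted."""
    return chain_valid


def trust_server(hostname: str, cert: dict, chain_valid: bool) -> bool:
    """Hardened decision: the chain must be valid AND the name must match."""
    return chain_valid and hostname_matches(hostname, cert)


# Constructed sample data: what each server would present, reduced to its names.
BANK_CERT = {"subject_cn": "bank.example",
             "san": [("DNS", "bank.example"), ("DNS", "*.bank.example")]}
# A perfectly valid certificate any CA would issue to an attacker for a domain they own.
ATTACKER_CERT = {"subject_cn": "attacker.example",
                 "san": [("DNS", "attacker.example"), ("DNS", "*.attacker.example")]}


def demo() -> dict[str, bool]:
    """Evaluate both policies for a client that intended to reach api.bank.example."""
    host = "api.bank.example"
    return {
        "chain_only_accepts_attacker": trust_server_chain_only(host, ATTACKER_CERT, chain_valid=True),
        "hardened_accepts_attacker": trust_server(host, ATTACKER_CERT, chain_valid=True),
        "hardened_accepts_bank": trust_server(host, BANK_CERT, chain_valid=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The chain-only policy happily accepts the attacker's certificate for a connection the app believes is going to the bank, which is exactly what makes a CA-issued certificate for any domain sufficient for interception. In AFNetworking itself this name check is governed by AFSecurityPolicy's `validatesDomainName` property, so when auditing an app built on the 2.x line, confirm that it has not been switched off.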

This database reminded me of ZAP, the Zscaler Application Profiler, which I had come across previously. It remains a great tool for looking up the security of an iOS (or Android) application before, or after, you install it on your device.

From the “About” page link:

About ZAP

Zscaler Application Profiler (ZAP) is a web-based tool designed to streamline the capture and analysis of HTTP(S) traffic from mobile applications. ZAP is capable of analyzing traffic from both iOS and Android applications and includes the following functionality:

  • Search: View summarized historical results for past scans.
  • Scan: Proxy traffic from a mobile device through the ZAP proxy and the mobile app traffic will be automatically captured and analyzed.
  • iPCU: Upload your iOS device configuration file (.deviceinfo) to check the risk score of installed applications. It will give you an overall risk score for your device. The information provided is based on our knowledge base.

ZAP classifies traffic into the following buckets and calculates an overall risk score for the application:

  • Authentication: Username/password sent in clear text or using weak encoding methods.
  • Device Metadata Leakage: Data that can identify an individual device, such as the Unique Device Identifier (UDID).
  • Personally Identifiable Information Leakage: Data that can identify an individual user, such as an email address, phone number or mailing address.
  • Exposed content: Communication with third parties such as advertising or analytics sites.

Zscaler also has a detailed video on this service on their blog: Zscaler Research: Introducing ZAP.

In short, there are three ways to use it:

  1. Check their historical report data on apps already researched, or
  2. Connect your device to their proxy to scan a new app/version not already captured historically, or
  3. Upload your own iOS device config file to get a risk score for everything installed.
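To make ZAP's four buckets concrete, here is an added example, not Zscaler's code, that runs the same four classifications over a handful of constructed captured requests and totals a weighted risk score. The requests, the third-party domain list, the parameter names, the regular expressions and the bucket weights are all assumptions chosen for the example; ZAP's real rules and scoring are not described on this page.

```python
"""ZAP-style classification of captured mobile-app HTTP(S) requests.

Added example; not Zscaler's code. The requests, the third-party domain list,
the parameter names, the regexes and the bucket weights are all constructed
assumptions chosen to exercise each of ZAP's four buckets.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed weights; ZAP's real scoring is not described on the page.
WEIGHTS = {"authentication": 40, "pii": 25, "device_metadata": 20, "exposed_content": 15}
# Constructed list standing in for a real ad/analytics domain knowledge base.
THIRD_PARTY_HOSTS = {"ads.example-adnet.test", "metrics.example-analytics.test"}
CREDENTIAL_PARAMS = {"password", "pass", "pwd", "passwd"}
DEVICE_ID_PARAMS = {"udid", "imei", "mac", "serial"}

UDID_RE = re.compile(r"\b[0-9a-f]{40}\b", re.I)   # 40 hex chars: the classic iOS UDID shape
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\+?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")


def classify_request(req: dict, app_host: str) -> set[str]:
    """Return the set of ZAP buckets a single captured request falls into."""
    url = urlsplit(req["url"])
    body = req.get("body", "")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    params = parse_qs(url.query)
    params.update(parse_qs(body))
    plaintext = url.scheme == "http"
    # Decode %-escapes so 'alice%40example.test' is seen as an e-mail address.
    blob = unquote(req["url"]) + " " + unquote(body)
    buckets: set[str] = set()

    # Authentication: credentials readable by anyone on the path. HTTP Basic is
    # only base64 (a weak encoding, not encryption), so over plain HTTP it counts
    # too; over TLS the transport protects it and it is not flagged here.
    if plaintext and CREDENTIAL_PARAMS & set(params):
        buckets.add("authentication")
    auth = headers.get("authorization", "")
    if plaintext and auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            creds = ""
        if ":" in creds:
            buckets.add("authentication")

    # Device metadata: UDID-shaped tokens or well-known identifier fields.
    if UDID_RE.search(blob) or DEVICE_ID_PARAMS & set(params):
        buckets.add("device_metadata")

    # PII: e-mail addresses or phone numbers anywhere in the URL or body.
    if EMAIL_RE.search(blob) or PHONE_RE.search(blob):
        buckets.add("pii")

    # Exposed content: talking to an ad/analytics host rather than the app's own backend.
    if url.hostname != app_host and url.hostname in THIRD_PARTY_HOSTS:
        buckets.add("exposed_content")
    return buckets


def score_app(requests: list[dict], app_host: str) -> tuple[dict[str, list[str]], int]:
    """Aggregate per-request buckets into findings and a 0-100 risk score.

    A bucket is counted once per app however many requests hit it, so the score
    says which kinds of leakage occur, not how chatty the app is.
    """
    findings: dict[str, list[str]] = {}
    for req in requests:
        for bucket in classify_request(req, app_host):
            findings.setdefault(bucket, []).append(req["url"])
    return findings, sum(WEIGHTS[b] for b in findings)


# Constructed capture of a hypothetical app whose backend is api.app.test.
SAMPLE_REQUESTS = [
    {"url": "http://api.app.test/login", "body": "user=alice&password=hunter2"},
    {"url": "https://api.app.test/profile?udid=b5f1e3c9a2d4e6f7a8b9c0d1e2f3a4b5c6d7e8f9"},
    {"url": "https://api.app.test/contact", "body": "email=alice%40example.test&phone=555-123-4567"},
    {"url": "https://metrics.example-analytics.test/track?event=open"},
    {"url": "https://api.app.test/feed",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()}},
]

if __name__ == "__main__":
    findings, score = score_app(SAMPLE_REQUESTS, "api.app.test")
    for bucket, urls in findings.items():
        print(f"{bucket}: {urls}")
    print(f"risk score: {score}")
```

The fifth request is the deliberate edge case: Basic credentials over HTTPS are not flagged, because the weakness ZAP's Authentication bucket describes is the observer on the path being able to read them, and TLS removes that observer. Swap the scheme to `http` and the same request lands in the Authentication bucket.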

Meanwhile, on the far side of the globe, web security developer Troy Hunt has been hard at work finding issues in additional iOS apps down under. His reviews are great learning material that carries over to reviewing other iOS applications closer to home.

Troy offers a free Pluralsight course to help get into the issues around mobile app security, Hack Your API First – Pluralsight Training

Finally, here is a guide from the Telerik crew on how to use Fiddler to capture traffic from an iOS device: Capture Traffic from iOS Device.

Constant Vigilance!

Claus Valca
