Mobile Privacy and Security
            With the iPhone
                   James Wernicke
                     April 28, 2007
Goal and Objectives
   Demonstrate weaknesses in accepted mobile
    security and privacy practices.

   Evaluate the security and privacy features of the
    iPhone.

   Perform a security audit on an iPhone.

   Develop a security application for the iPhone for
    general users.




    Objectives – Background – Specifications – Security Audit - Conclusion
Background
   Mobile devices are ubiquitous in today's society.
   3G networks and unlimited data plans continue to
    rise in popularity.




Background
   Mobile malware is becoming more prevalent.




   Stolen information includes emails, text messages,
    contact lists, and browser history.


Background
   No operating system is completely safe.




   Mobile platforms are now built on familiar desktop operating
    systems, so attackers already know the code and the tooling.

Background
   The iPhone is no exception.




            Source: http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf




New Technologies, New Problems
   Limited resources
   Interface
       Touch displays
       Small displays
       Gestures

   Location tracking
   Always-on, high-speed connections
   Desktop-based operating systems
   Native web-based hybrid applications
   Accelerometers

iPhone Specifications
   Communications
       GSM/EDGE, UMTS/HSDPA, Wi-Fi (802.11 b/g), Bluetooth
        2.1 + EDR, and USB 2.0
   Display
       3.5-inch widescreen Multi-Touch display
   Recording
       3-megapixel camera, auto-focus, VGA recording up to 30
        fps, geotagging
   Storage
       8, 16, or 32 GB
   Power
       Up to 300 hours standby, 12 hours talk, 9 hours Wi-Fi, 10
        hours video, 30 hours audio
   Support for most common file formats.

Software
   iPhone OS
       File system is “sandboxed” to protect critical system files
        from third-party software.
       Key pieces of information stored in SQLite databases.
   Apps
       Thousands of apps for personal information management,
        remote access and entertainment.
       No (official) firewall or anti-virus software.
       App development is open to anyone, but every app passes
        App Store review, which checks for malicious code, before release.
   Jailbreaking
       Removes the restrictions on the iPhone to allow full UNIX
        functionality (root shell, arbitrary binaries).
       As a negative consequence, it also removes safeguards such as
        mandatory code signing, and services added afterwards (for
        example OpenSSH) run as root outside the app sandbox.


Test Subject
   The test iPhone was in heavy daily use and contained
    information including:
       Email
       Contacts
       Calendar
       Web browsing history
       Stored Wi-Fi networks
       Pictures and videos
       Maps
       Apps
   Jailbroken iPhone OS version 2.3.2

iPhone Security Audit
1.   Scan for transmissions.

2.   Probe for information and possible
     vulnerabilities.

3.   Attempt to exploit vulnerabilities to gain
     control.

4.   If successful, attempt to find and retrieve
     valuable information.



Scanning and Probing Tools
       Ethereal (now Wireshark)
         Captures and analyzes data packets transmitted over the
          air.
         Useful for determining what type of traffic a user is
          transmitting (HTTP, FTP, SFTP) and, from DHCP/mDNS
          chatter, which hosts on the network are iPhones.

       Nmap
         Probes an interface for details about its operating system
          and ports.




Exploiting Vulnerabilities
   192.168.0.73 found to be iPhone OS.
   Port 22 (OpenSSH) found open on it.
       OpenSSH installs with „alpine‟ as default password.
   Successfully penetrated device using default
    password.
bash-4.0$ ssh root@192.168.0.73
root@192.168.0.73’s password:
iPhone:~ root# _




   Time to look for some information…

Property Lists
   Property lists are often used to store a user's
    settings, and information about applications.
        <dict>
          <key>Name</key>
          <string>James Wernicke</string>
          <key>Age</key>
          <integer>29</integer>
        </dict>

   The iPhone uses these files to store virtually all
    personal information.
       Passcode is stored encrypted in the Keychain.




Analyzing Property Lists
   Binary property lists (magic bytes bplist00) are not readable as
    text; cat shows only the key names and stray string values.
    Even so, note that the phone number is legible at the end of the
    raw dump, so binary encoding is not a protection.
private/var/mobile/Library/Preferences/mobile$ cat .GlobalPreferences.plist
bplist00Ö
*[TVOutStatus[AppleLocale^AppleKeyboards_AppleKeyboardsExpanded^AppleLanguages_SBFor
   mattedPhoneNumberÿÿÿÿÿÿÿÿUen_US¡¯!"#$%&'()RenResRjaRfrRdeRnlRitRptUpt-
   PTRdaRfiRnbRsvRkoWzh-HansWzh-HantRruRplRtrRukRarRhrRcsRelRheRroRskRthRidRms_1
   (858) 603-5873




Analyzing Property Lists
   Converted to XML format using plutil.

private/var/mobile/Library/Preferences/mobile$ plutil -convert xml1
   .GlobalPreferences.plist
Converted 1 files to XML format
private/var/mobile/Library/Preferences/mobile$ cat .GlobalPreferences.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
   "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>AppleKeyboards</key>
   <array>
          <string>en_US</string>
   </array>
   <key>AppleKeyboardsExpanded</key>
   <integer>1</integer>
   <key>AppleLanguages</key>
   <key>SBFormattedPhoneNumber</key>
   <string>1 (858) 603-5873</string>
   <key>TVOutStatus</key>
   <integer>-1</integer>
</dict>
</plist>



Analyzing Property Lists
   Personal information can then be found with grep and
    extracted. (The -key option belongs to the plutil port shipped
    for jailbroken devices; Apple's macOS plutil has no -key option.)
private/var/mobile/Library/Preferences/mobile$ grep
   PhoneNumber .*
.GlobalPreferences.plist:
       <key>SBFormattedPhoneNumber</key>
/private/var/mobile/Library/Preferences/mobile$ plutil -
   key SBFormattedPhoneNumber .GlobalPreferences.plist
1 (858) 603-5873




Analyzing Property Lists
   Over 2000 property lists were found on the test
    iPhone.
       Analyzing each by hand would be prohibitively time-consuming.
   A set of shell scripts was developed to find property lists,
    convert them to XML, search for common keywords, and
    retrieve their values:
       plister.sh
       plbackup.sh
       plist2xml.sh
       keyfinder.sh
   Future development to lead to a security app.
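The pipeline those four scripts implement (find property lists, normalise binary ones to XML, search for keys of interest, report their values) as an added Python example. This is not the slides' plister.sh/keyfinder.sh code and not Apple's tooling: it uses the standard library's plistlib, which parses bplist00 binary plists directly, so no plutil step is needed. The directory layout, the sample plists, the junk file and every keyword other than PhoneNumber are constructed for the demo; the phone-number value is the one shown on the earlier slides.

```python
"""Bulk property-list triage: find plists, convert binary ones to XML,
and pull out values whose key path matches a keyword.

Added example using only the Python standard library; file names, keywords
beyond "PhoneNumber" and all sample contents are constructed for the demo.
"""
import os
import plistlib
import tempfile

# Key names the audit looked for. "PhoneNumber" is the slides' grep target;
# the others are assumptions for this example.
KEYWORDS = ("PhoneNumber", "Password", "Name", "SSID")


def find_plists(root):
    """Yield every *.plist under root, including dot-files such as .GlobalPreferences.plist."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".plist"):
                yield os.path.join(dirpath, name)


def load_plist(path):
    """Parse a plist in either format; plistlib sniffs the bplist00 header vs XML."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def to_xml(path):
    """Equivalent of `plutil -convert xml1`, returned as text instead of rewritten in place."""
    return plistlib.dumps(load_plist(path), fmt=plistlib.FMT_XML).decode("utf-8")


def walk_keys(node, prefix=""):
    """Flatten nested dicts and arrays into (dotted key path, leaf value) pairs."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_keys(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_keys(value, f"{prefix}[{i}]")
    else:
        yield prefix, node


def find_keys(root, keywords=KEYWORDS):
    """Return [(relative file, key path, value)] for every leaf whose key path contains a keyword."""
    hits = []
    for path in sorted(find_plists(root)):
        try:
            data = load_plist(path)
        except Exception:  # malformed or not really a plist: skip it, don't abort the sweep
            continue
        for keypath, value in walk_keys(data):
            if any(k.lower() in keypath.lower() for k in keywords):
                hits.append((os.path.relpath(path, root), keypath, value))
    return hits


def build_sample_tree():
    """Constructed sample tree: a binary global prefs plist, an XML app plist, and a junk file."""
    root = tempfile.mkdtemp(prefix="plist-demo-")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    global_prefs = {
        "AppleKeyboards": ["en_US"],
        "AppleKeyboardsExpanded": 1,
        "SBFormattedPhoneNumber": "1 (858) 603-5873",  # value shown on the slides
        "TVOutStatus": -1,
    }
    with open(os.path.join(prefs, ".GlobalPreferences.plist"), "wb") as fh:
        plistlib.dump(global_prefs, fh, fmt=plistlib.FMT_BINARY)
    app_prefs = {  # constructed third-party app preferences
        "Account": {"UserName": "demo", "Password": "hunter2"},
        "KnownNetworks": [{"SSID_STR": "HomeWiFi"}],
    }
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:
        plistlib.dump(app_prefs, fh, fmt=plistlib.FMT_XML)
    with open(os.path.join(prefs, "corrupt.plist"), "wb") as fh:
        fh.write(b"not a property list at all")  # exercises the skip path in find_keys
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(to_xml(os.path.join(root, "Library/Preferences/.GlobalPreferences.plist")))
    for file, keypath, value in find_keys(root):
        print(f"{file}: {keypath} = {value!r}")
```

Run it against a copy of /private/var/mobile pulled from the device with scp and the hit list is the same thing keyfinder.sh produced, with nested keys reported by their full path so a Password buried inside an Account dictionary is not missed.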

Results
   Found identifying information about the device
    passively by monitoring air traffic.
   Found open ports through Nmap probes.
   Gained root access over SSH using the unchanged default
    root password (default credentials, not a software exploit).
   Collected personal information.
       Name, phone number, and birthday
       Contact list and calendar
       Emails, text messages, and call logs
       Browsing history and bookmarks
       Pictures, songs and videos
   Could also have destroyed data and erased the traces of
    the intrusion.

Recommendations & Lessons Learned
   Open up the iPhone OS to security vendors.
   Use discretion when allowing apps to access
    personal information.
   NEVER leave the default password active after installing
    OpenSSH: run passwd for both root and mobile immediately,
    and stop sshd when it is not needed.
   Do not leave connections (3G, Wi-Fi, Bluetooth)
    active when not in use.
   Do not use unprotected wireless networks.
References & Secondary Research
Pew Research Center. Internet & American Life Project. 2009. Survey. http://www.pewinternet.org/.
CTIA. A Generation Unplugged. Harris Interactive, 2008. Research Study. http://files.ctia.org/pdf/HI_TeenMobileStudy_ResearchReport.pdf.
Radwanick, Sarah. The 2009 U.S. Digital Year in Review. comScore, 2010. p. 13, Whitepaper. http://www.comscore.com/Press_Events/Presentations_Whitepapers/2010/The_2009_U.S._Digital_Year_in_Review.
Gostev, Alexander. Mobile Malware Evolution: An Overview, Part 3. Securelist. [Online] September 29, 2009. [Cited: April 1, 2010.] http://www.viruslist.com/analysis/?pubid=204792080.
Weiss, Gregg. Staggering iPhone App Development Statistics Unveiled at Macworld 2010. prMac.com. [Online] February 3, 2010. [Cited: April 1, 2010.] http://prmac.com/release-id-10499.htm.
Hughes, Neil. Piper: 15.8M US iPhone sales in 2010, even without Verizon. AppleInsider. [Online] January 6, 2010. [Cited: April 1, 2010.] http://www.appleinsider.com/articles/10/01/06/piper_15_8m_us_iphone_sales_in_2010_even_without_verizon.html.
Cheng, Jacqui. The truth about the iPhone's sales numbers. Ars Technica. [Online] January 23, 2008. [Cited: April 1, 2010.] http://arstechnica.com/apple/news/2008/01/the-truth-about-the-iphones-sales-numbers.ars.
Rubicon Consulting. The Apple iPhone: Successes and Challenges for the Mobile Industry. 2008. http://rubiconconsulting.com/downloads/whitepapers/Rubicon-iPhone_User_Survey.pdf.
Seriot, Nicolas. iPhone Privacy. 2010. Technical Report. http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf.
Pwn2Own 2010: iPhone hacked, SMS database hijacked. ZDNet. [Online] March 24, 2010. [Cited: April 1, 2010.] http://blogs.zdnet.com/security/?p=5836.
A look back at the iTunes App Store - Part I: Explosive Growth. Edible Apple. [Online] July 8, 2009. [Cited: April 1, 2010.] http://www.edibleapple.com/a-look-back-at-the-itunes-app-store-part-i-explosive-growth/.
Questions?
Sandboxing Rules
(version 1)
(deny default)
; Sandbox violations get logged to syslog via kernel logging.
(debug deny)
(allow sysctl-read)
; Mount / umount commands
(deny file-write-mount file-write-umount)
; System is read only
(allow file-read*)
(deny file-write*)
; NOTE: Later rules override earlier rules.
; Private areas
(deny file-write*
  (regex "^/private/var/mobile/Applications/.*$"))
(deny file-read*
  (regex "^/private/var/mobile/Applications/.*$"))
; SQLite uses /private/var/tmp
; TBR: <rdar://problem/5805879> SQLite doesn't honor
; the TMPDIR environment variable
(allow file-write*
  (regex "^/private/var/tmp(/|$)"))
(allow file-read*
  (regex "^/private/var/tmp(/|$)"))
; TBR: <rdar://problem/5806524>
(allow process-exec
  (regex "^/private/var/tmp$"))
; TBR: <rdar://problem/5830139>
(allow file-write*
  (regex "^/private/var/tmp/UpdatedSnapshots/$"))
; Permit reading and writing in the App container
(allow file-read*
  (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(/|$)"))
(allow file-write*
  (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/(tmp|Library|Documents)(/|$)"))
(allow process-exec
  (regex #"^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.*.app(/|$)"))
; Allow Address book access via filesystem
; This is an SQLite3 database - there is room to make the rules tighter
(allow file-write*
  (regex "^/private/var/mobile/Library/AddressBook(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Library/AddressBook(/|$)"))
; Allow keyboard db access via filesystem
; This is a custom file format. There is room to make the rules tighter
(allow file-write*
  (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
; Pictures, but not other media
; Allow photo access via filesystem. There is room to make the rules tighter
(deny file-write*
  (regex "^/private/var/mobile/Media(/|$)"))
(deny file-read*
  (regex "^/private/var/mobile/Media/"))
(allow file-write*
  (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-read*
  (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-write*
  (regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Media/Photos(/|$)"))
; Mach lookups. There is room to make the rule tighter.
(allow mach-lookup)
;; (global-name "PurpleSystemEventPort")
;; (global-name "com.apple.CARenderServer")
;; (global-name "com.apple.eventpump")
;; (global-name "com.apple.springboard.migserver")
;; (global-name "com.apple.system.notification_center"))
(deny process-fork)
; For ASL logs - /var/run/asl_input (XXX: socket can now be named)
; (allow network-outbound
;   (to unix-socket "/private/var/run/asl_input"))
(allow network*)
; To allow crash reporter / exceptions to kill the process
(allow signal (target self))
More Results

Type           Result (count, or whether found)
Call logs      100
SMS            120
Contacts       1511
Email          512
Calendar       3188
Notes          1
Pictures       27
Songs          2359
Web History    Yes
Bookmarks      Some
Cookies        Bank of America
App Info       Yes
Google Maps    Yes
Voicemail      0
Password       No
Plists/XML     Yes
Phone Info     Yes
Video          0
Podcasts       0
Speed Dials    Found
VPN            List of trusted networks found
Bluetooth      Enabled
GPS            No
File hashes    Yes
YouTube        Found recently viewed videos
HTML           Recent weather page plus Facebook
Mobile Privacy and Security Audit on the iPhone

More Related Content

What's hot

APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?anupriti
 
Developing a Protection Profile for Smart TV
Developing a Protection Profile for Smart TVDeveloping a Protection Profile for Smart TV
Developing a Protection Profile for Smart TVSeungjoo Kim
 
Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Seungjoo Kim
 
ETel2007: The Black Bag Security Review (VoIP Security)
ETel2007: The Black Bag Security Review (VoIP Security)ETel2007: The Black Bag Security Review (VoIP Security)
ETel2007: The Black Bag Security Review (VoIP Security)Dan York
 

What's hot (6)

APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?
 
Developing a Protection Profile for Smart TV
Developing a Protection Profile for Smart TVDeveloping a Protection Profile for Smart TV
Developing a Protection Profile for Smart TV
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -
 
ETel2007: The Black Bag Security Review (VoIP Security)
ETel2007: The Black Bag Security Review (VoIP Security)ETel2007: The Black Bag Security Review (VoIP Security)
ETel2007: The Black Bag Security Review (VoIP Security)
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING
 

Viewers also liked

Ibm Mobile Device Security Datasheet V2.0
Ibm Mobile Device Security   Datasheet   V2.0Ibm Mobile Device Security   Datasheet   V2.0
Ibm Mobile Device Security Datasheet V2.0wendyking63
 
Android vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityAndroid vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityCloudCheckr
 
Mobile device security informative v2
Mobile device security   informative v2Mobile device security   informative v2
Mobile device security informative v2Salman Zahid
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityKevin Lee
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspectiveAndroid vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspectiveRaj Pratim Bhattacharya
 
Iphone vs android
Iphone vs androidIphone vs android
Iphone vs androidxomo
 
Mobile security
Mobile securityMobile security
Mobile securityhome
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?IBM Security
 

Viewers also liked (14)

Ibm Mobile Device Security Datasheet V2.0
Ibm Mobile Device Security   Datasheet   V2.0Ibm Mobile Device Security   Datasheet   V2.0
Ibm Mobile Device Security Datasheet V2.0
 
Android vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityAndroid vs. iPhone for Mobile Security
Android vs. iPhone for Mobile Security
 
Mobile device security informative v2
Mobile device security   informative v2Mobile device security   informative v2
Mobile device security informative v2
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Android vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspectiveAndroid vs ios System Architecture in OS perspective
Android vs ios System Architecture in OS perspective
 
Iphone vs android
Iphone vs androidIphone vs android
Iphone vs android
 
Mobile security
Mobile securityMobile security
Mobile security
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Mobile security - Intense overview
Mobile security - Intense overviewMobile security - Intense overview
Mobile security - Intense overview
 
Mobile security
Mobile securityMobile security
Mobile security
 
2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?
 

Similar to Mobile Privacy and Security Audit on the iPhone

Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Penetration testing of i phone-ipad applications
Penetration testing of i phone-ipad applicationsPenetration testing of i phone-ipad applications
Penetration testing of i phone-ipad applicationsshehab najjar
 
Contextual Voice/Communications as an App or App Feature (on Android)
Contextual Voice/Communications as an App or App Feature (on Android)Contextual Voice/Communications as an App or App Feature (on Android)
Contextual Voice/Communications as an App or App Feature (on Android)Carlos Enrique Ortiz
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Module5 desktop-laptop-security-b
Module5 desktop-laptop-security-bModule5 desktop-laptop-security-b
Module5 desktop-laptop-security-bBbAOC
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? Blueboxer2014
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf064ChetanWani
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
iPhone and iPad Security
iPhone and iPad SecurityiPhone and iPad Security
iPhone and iPad SecuritySimon Guest
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013STO STRATEGY
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 

Similar to Mobile Privacy and Security Audit on the iPhone (20)

Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Penetration testing of i phone-ipad applications
Penetration testing of i phone-ipad applicationsPenetration testing of i phone-ipad applications
Penetration testing of i phone-ipad applications
 
Contextual Voice/Communications as an App or App Feature (on Android)
Contextual Voice/Communications as an App or App Feature (on Android)Contextual Voice/Communications as an App or App Feature (on Android)
Contextual Voice/Communications as an App or App Feature (on Android)
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
Module5 desktop-laptop-security-b
Module5 desktop-laptop-security-bModule5 desktop-laptop-security-b
Module5 desktop-laptop-security-b
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds?
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
 
iPhone and iPad Security
iPhone and iPad SecurityiPhone and iPad Security
iPhone and iPad Security
 
Mobile security
Mobile securityMobile security
Mobile security
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
DLP and MDM Datasheet
DLP and MDM DatasheetDLP and MDM Datasheet
DLP and MDM Datasheet
 

Mobile Privacy and Security Audit on the iPhone

  • 1. Mobile Privacy and Security With the iPhone James Wernicke April 28, 2007
  • 2. Goal and Objectives  Demonstrate weaknesses in accepted mobile security and privacy practices.  Evaluate the security and privacy features of the iPhone.  Perform a security audit on an iPhone.  Develop a security application for the iPhone for general users. Objectives – Background – Specifications – Security Audit - Conclusion
  • 3. Background  Mobile devices are ubiquitous in today‟s society.  3G networks and unlimited data plans continue to rise in popularity. Objectives – Background – Specifications – Security Audit - Conclusion
  • 4. Background  Mobile malware is becoming more prevalent.  Stolen information includes emails, text messages, contact lists, and browser history. Objectives – Background – Specifications – Security Audit - Conclusion
  • 5. Background  No operating system is completely safe.  Platforms are more familiar and easier to hack. Objectives – Background – Specifications – Security Audit - Conclusion
  • 6. Background  The iPhone is no exception. Source: http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf Objectives – Background – Specifications – Security Audit - Conclusion
  • 7. New Technologies, New Problems  Limited resources  Interface  Touch displays  Small displays  Gestures  Location tracking  Always-on, high-speed connections  Desktop-based operating systems  Native web-based hybrid applications  Accelerometers Objectives – Background – Specifications – Security Audit - Conclusion
  • 8. iPhone Specifications  Communications  GSM/EDGE, UMTS/HSDPA, Wi-Fi (802.11 b/g), Bluetooth 2.1 + EDR, and USB 2.0  Display  3.5-inch widescreen Multi-Touch display  Recording  3-megapixel camera, auto-focus, VGA recording up to 30 fps, geotagging  Storage  8, 16, or 32 GB  Power  Up to 300 hours standby, 12 hours talk, 9 hours Wi-Fi, 10 hours video, 30 hours audio  Support for most common file formats. Objectives – Background – Specifications – Security Audit - Conclusion
  • 9. Software  iPhone OS  File system is “sandboxed” to protect critical system files from third-party software.  Key pieces of information stored in SQLite databases.  Apps  Thousands of apps for personal information management, remote access and entertainment.  No (official) firewall or anti-virus software.  App development is open, but App Store checks apps for malicious code before release.  Jailbreaking  Unlocks restrictions on the iPhone to allow full UNIX functionality.  As a negative consequence, it also removes safeguards. Objectives – Background – Specifications – Security Audit - Conclusion
  • 10. Test Subject  The iPhone was heavily used containing information including:  Email  Contacts  Calendar  Web browsing history  Stored Wi-Fi networks  Pictures and videos  Maps  Apps  Jailbroken iPhone OS version 2.3.2 Objectives – Background – Specifications – Security Audit - Conclusion
  • 11. iPhone Security Audit 1. Scan for transmissions. 2. Probe for information and possible vulnerabilities. 3. Attempt to exploit vulnerabilities to gain control. 4. If successful, attempt to find and retrieve valuable information. Objectives – Background – Specifications – Security Audit - Conclusion
  • 12. Scanning and Probing Tools  Ethereal  Captures and analyzes data packets transmitted over the air.  Useful for determining what type of traffic a user is transmitting (HTTP, FTP, SFTP)  Nmap  Probes an interface for details about its operating system and ports. Objectives – Background – Specifications – Security Audit - Conclusion
• 13. Exploiting Vulnerabilities
  - 192.168.0.73 found to be running iPhone OS.
  - Port 22 (OpenSSH) found open on it.
  - OpenSSH installs with 'alpine' as the default password.
  - Successfully penetrated the device using the default password.

    bash-4.0$ ssh root@192.168.0.73
    root@192.168.0.73's password:
    iPhone:~ root# _

  - Time to look for some information...
• 14. Property Lists
  - Property lists are often used to store a user's settings and information about applications.

    <dict>
        <key>Name</key>
        <string>James Wernicke</string>
        <key>Age</key>
        <integer>29</integer>
    </dict>

  - The iPhone uses these files to store virtually all personal information.
  - The passcode is stored encrypted in the Keychain.
• 15. Analyzing Property Lists
  - Property lists cannot be read in their native binary format.

    private/var/mobile/Library/Preferences/mobile$ cat .GlobalPreferences.plist
    bplist00Ö *[TVOutStatus[AppleLocale^AppleKeyboards_AppleKeyboardsExpanded^AppleLanguages_SBFormattedPhoneNumberÿÿÿÿÿÿÿÿUen_US¡¯!"#$%&'()RenResRjaRfrRdeRnlRitRptUpt-PTRdaRfiRnbRsvRkoWzh-HansWzh-HantRruRplRtrRukRarRhrRcsRelRheRroRskRthRidRms_1 (858) 603-5873
• 16. Analyzing Property Lists
  - Converted to XML format using plutil.

    private/var/mobile/Library/Preferences/mobile$ plutil -convert xml1 .GlobalPreferences.plist
    Converted 1 files to XML format
    private/var/mobile/Library/Preferences/mobile$ cat .GlobalPreferences.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>AppleKeyboards</key>
        <array>
            <string>en_US</string>
        </array>
        <key>AppleKeyboardsExpanded</key>
        <integer>1</integer>
        <key>AppleLanguages</key>
        <key>SBFormattedPhoneNumber</key>
        <string>1 (858) 603-5873</string>
        <key>TVOutStatus</key>
        <integer>-1</integer>
    </dict>
    </plist>
• 17. Analyzing Property Lists
  - Personal information can then be found and extracted.

    private/var/mobile/Library/Preferences/mobile$ grep PhoneNumber .*
    .GlobalPreferences.plist: <key>SBFormattedPhoneNumber</key>
    /private/var/mobile/Library/Preferences/mobile$ plutil -key SBFormattedPhoneNumber .GlobalPreferences.plist
    1 (858) 603-5873
• 19. Analyzing Property Lists
  - Over 2000 property lists were found on the test iPhone.
  - Analyzing each by hand would be very expensive.
  - A program was developed to find property lists, convert them to XML, search for common keywords, and retrieve their values:
    - plister.sh
    - plbackup.sh
    - plist2xml.sh
    - keyfinder.sh
  - Future development is to lead to a security app.
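The find-convert-search-retrieve pipeline of slide 19, and the binary-versus-XML point of slides 14 to 17, can be carried out without plutil or the four shell scripts, which is useful when auditing a backup of your own device on a workstation. The block below is an added example written for this page, not the author's plister/keyfinder scripts: it uses Python's standard plistlib, which reads both binary and XML plists, walks nested dictionaries and arrays so that keys inside an account entry are found too, and reports every key path that matches a keyword. The sample plists, the phone number and the keyword list are constructed for the example.

```python
import plistlib

# Constructed sample property lists standing in for files found on a device.
# Binary form, as the device stores them (compare the raw `cat` output on slide 15).
BINARY_PLIST = plistlib.dumps(
    {
        "AppleLocale": "en_US",
        "SBFormattedPhoneNumber": "1 (555) 010-0000",  # constructed, not a real number
        "TVOutStatus": -1,
    },
    fmt=plistlib.FMT_BINARY,
)

# XML form, as produced by `plutil -convert xml1`; nested so that key paths matter.
XML_PLIST = plistlib.dumps(
    {
        "Name": "A. User",
        "Age": 29,
        "Accounts": [{"EmailAddress": "user@example.com", "Hostname": "mail.example.com"}],
        "RecentSearches": ["bank", "weather"],
    },
    fmt=plistlib.FMT_XML,
)

# A file with nothing of interest, to show that clean files drop out of the report.
BORING_PLIST = plistlib.dumps({"TVOutStatus": -1}, fmt=plistlib.FMT_BINARY)

# Hypothetical keyword list for the audit (case-insensitive substring match on key paths).
KEYWORDS = ("phone", "email", "name", "password", "address", "location")


def to_xml(data):
    """Binary -> XML, the equivalent of `plutil -convert xml1` (XML input passes through)."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML)


def walk(node, path=""):
    """Yield (dotted key path, leaf value) for every leaf in a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_keys(data, keywords=KEYWORDS):
    """Parse one plist (binary or XML; plistlib sniffs the format) and return
    {key path: value} for every leaf whose key path contains a keyword."""
    tree = plistlib.loads(data)
    return {
        path: value
        for path, value in walk(tree)
        if any(keyword in path.lower() for keyword in keywords)
    }


def audit(files, keywords=KEYWORDS):
    """Run find_keys over {filename: bytes}; files with no hits are omitted."""
    report = {}
    for name, data in files.items():
        hits = find_keys(data, keywords)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    sample = {
        ".GlobalPreferences.plist": BINARY_PLIST,
        "Accounts.plist": XML_PLIST,
        "com.apple.tvout.plist": BORING_PLIST,
    }
    for filename, hits in audit(sample).items():
        for path, value in hits.items():
            print(f"{filename}: {path} = {value!r}")
```

Because matching is on the key path rather than on the raw bytes, the same query finds SBFormattedPhoneNumber at the top level and EmailAddress two levels down inside an array, which a plain grep over the XML would report without telling you which account it belonged to.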
• 20. Results
  - Found identifying information about the device passively by monitoring air traffic.
  - Found open ports through probes.
  - Gained root access to the system over SSH using the default password.
  - Collected personal information:
    - Name, phone number, and birthday
    - Contact list and calendar
    - Emails, text messages, and call logs
    - Browsing history and bookmarks
    - Pictures, songs and videos
  - Could also have destroyed data, including erasing my tracks.
• 21. Recommendations & Lessons Learned
  - Open up the iPhone OS to security vendors.
  - Use discretion when allowing apps to access personal information.
  - NEVER leave the default password active on your OpenSSH server.
  - Do not leave connections (3G, Wi-Fi, Bluetooth) active when not in use.
  - Do not use unprotected wireless networks.
• 24. Sandboxing Rules

    (version 1)
    (deny default)
    ; Sandbox violations get logged to syslog via kernel logging.
    (debug deny)
    (allow sysctl-read)
    ; Mount / umount commands
    (deny file-write-mount file-write-umount)
    ; System is read only
    (allow file-read*)
    (deny file-write*)
    ; NOTE: Later rules override earlier rules.
    ; Private areas
    (deny file-write*
          (regex "^/private/var/mobile/Applications/.*$"))
    (deny file-read*
          (regex "^/private/var/mobile/Applications/.*$"))
    ; SQLite uses /private/var/tmp
    ; TBR: <rdar://problem/5805879> SQLite doesn't honor
    ; the TMPDIR environment variable
    (allow file-write*
           (regex "^/private/var/tmp(/|$)"))
    (allow file-read*
           (regex "^/private/var/tmp(/|$)"))
    ; TBR: <rdar://problem/5806524>
    (allow process-exec
           (regex "^/private/var/tmp$"))
    ; TBR: <rdar://problem/5830139>
    (allow file-write*
           (regex "^/private/var/tmp/UpdatedSnapshots/$"))
    ; Permit reading and writing in the App container
    (allow file-read*
           (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(/|$)"))
    (allow file-write*
           (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/(tmp|Library|Documents)(/|$)"))
    (allow process-exec
           (regex #"^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.*.app(/|$)"))
    ; Allow Address book access via filesystem
    ; This is an SQLite3 database - there is room to make the rules
    ; tighter
    (allow file-write*
           (regex "^/private/var/mobile/Library/AddressBook(/|$)"))
    (allow file-read*
           (regex "^/private/var/mobile/Library/AddressBook(/|$)"))
    ; Allow keyboard db access via filesystem
    ; This is a custom file format. There is room to make the rules
    ; tighter
    (allow file-write*
           (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
    (allow file-read*
           (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))

• 25. Sandboxing Rules

    ; Pictures, but not other media
    ; Allow photo access via filesystem. There is room to make the rules
    ; tighter
    (deny file-write*
          (regex "^/private/var/mobile/Media(/|$)"))
    (deny file-read*
          (regex "^/private/var/mobile/Media/"))
    (allow file-write*
           (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
    (allow file-read*
           (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
    (allow file-write*
           (regex "^/private/var/mobile/Media/DCIM(/|$)"))
    (allow file-read*
           (regex "^/private/var/mobile/Media/DCIM(/|$)"))
    (allow file-read*
           (regex "^/private/var/mobile/Media/Photos(/|$)"))
    ; Mach lookups. There is room to make the rule tighter.
    (allow mach-lookup)
    ;; (global-name "PurpleSystemEventPort")
    ;; (global-name "com.apple.CARenderServer")
    ;; (global-name "com.apple.eventpump")
    ;; (global-name "com.apple.springboard.migserver")
    ;; (global-name "com.apple.system.notification_center"))
    (deny process-fork)
    ; For ASL logs - /var/run/asl_input (XXX: socket can now be named)
    ; (allow network-outbound)
    ;   (to unix-socket "/private/var/run/asl_input"))
    (allow network*)
    ; To allow crash reporter / exceptions to kill the process
    (allow signal (target self))
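The profile above only makes sense once the comment "Later rules override earlier rules" is taken literally: the blanket (allow file-read*) is narrowed by the Applications and Media denies, which are in turn reopened for the app's own container, for DCIM and for Photos, and the net effect for any path is whatever the last matching rule says, with (deny default) when nothing matches. The following Python model is an added example for this page, not part of the slides and not Apple's sandbox implementation: it encodes a subset of the rules shown above as tuples (the container UUID placeholder is the one from the slides) and resolves an (operation, path) query with last-match-wins semantics. It assumes the anchored patterns used here mean the same thing under Python's re as in the sandbox's regex dialect.

```python
import re

# Constructed subset of the container profile on slides 24-25. Each rule is
# (verdict, operation, regex or None); None stands for the bare forms
# (allow file-read*) / (deny file-write*), which match every path.
CONTAINER = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"   # placeholder UUID, as on the slides
APP = "^/private/var/mobile/Applications/" + CONTAINER

RULES = [
    ("deny",  "file-write*", None),                                      # System is read only
    ("allow", "file-read*",  None),
    ("deny",  "file-write*", r"^/private/var/mobile/Applications/.*$"),  # Private areas
    ("deny",  "file-read*",  r"^/private/var/mobile/Applications/.*$"),
    ("allow", "file-read*",  APP + r"(/|$)"),                            # own container only
    ("allow", "file-write*", APP + r"/(tmp|Library|Documents)(/|$)"),    # not the .app bundle
    ("deny",  "file-write*", r"^/private/var/mobile/Media(/|$)"),        # Pictures, not other media
    ("deny",  "file-read*",  r"^/private/var/mobile/Media/"),
    ("allow", "file-write*", r"^/private/var/mobile/Media/DCIM(/|$)"),
    ("allow", "file-read*",  r"^/private/var/mobile/Media/DCIM(/|$)"),
    ("allow", "file-read*",  r"^/private/var/mobile/Media/Photos(/|$)"),
]


def decide(operation, path, rules=RULES):
    """Return (verdict, index of the deciding rule). Evaluation starts from
    (deny default); every later matching rule overrides earlier ones, so the
    last match wins. Index -1 means no rule matched and the default applied."""
    verdict, winner = "deny", -1
    for index, (rule_verdict, rule_op, pattern) in enumerate(rules):
        if rule_op != operation:
            continue
        if pattern is None or re.search(pattern, path):
            verdict, winner = rule_verdict, index
    return verdict, winner


def evaluate(operation, path, rules=RULES):
    """Just the verdict, for callers that do not care which rule decided."""
    return decide(operation, path, rules)[0]


if __name__ == "__main__":
    queries = [
        ("file-read*",  "/private/var/mobile/Media/Photos/IMG_0001.JPG"),
        ("file-write*", "/private/var/mobile/Media/Photos/IMG_0001.JPG"),
        ("file-read*",  "/private/var/mobile/Media/iTunes_Control/Music/track.m4a"),
        ("file-write*", f"/private/var/mobile/Applications/{CONTAINER}/Documents/notes.db"),
        ("file-write*", f"/private/var/mobile/Applications/{CONTAINER}/MyApp.app/MyApp"),
        ("file-read*",  "/private/var/mobile/Applications/11111111-2222-3333-4444-555555555555/Documents/x"),
        ("file-read*",  "/etc/passwd"),
        ("file-write*", "/etc/passwd"),
    ]
    for op, p in queries:
        verdict, winner = decide(op, p)
        print(f"{op:12} {p:80} -> {verdict} (rule {winner})")
```

Reading the output against the rule indices shows why the comment about ordering is there: photos are readable because rule 10 comes after the Media deny at rule 7, another app's container is unreadable because nothing after rule 3 re-allows it, and an app may write its Documents directory but not its own .app bundle, since rule 5 only reopens tmp, Library and Documents.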
• 30. More Results

    Type          Results
    Google Maps   Yes
    Call logs     100
    Voicemail     0
    SMS           120
    Password      No
    Contacts      1511
    Plists/XML    Yes
    Email         512
    Phone Info    Yes
    Calendar      3188
    Video         0
    Notes         1
    Podcasts      0
    Pictures      27
    Speed Dials   Found
    Songs         2359
    VPN           List of trusted networks found
    Web History   Yes
    Bluetooth     Enabled
    Bookmarks     Some
    GPS           No
    Cookies       Bank of America
    File hashes   Yes
    App Info      Yes
    YouTube       Found recently viewed videos
    Weather       Recent weather page plus HTML
    Facebook