Apple iOS vulnerabilities

August 2, 2012

Introduction

Apple iOS has emerged as one of the most widely used operating systems today. It runs on Apple devices such as the iPhone, iPad, iPod touch and Apple TV.

The Apple App Store has the highest number of applications (500,000), with 25 billion apps downloaded to date. However, iOS developers aren't concerned with the security aspects of their applications before they launch them on the App Store. This huge number of apps, together with the carelessness of developers, has lured attackers into stealing data from the applications.

Numerous exploits have been exposed on the iOS platform. In this article, three such exploits will be discussed. Please note that these vulnerabilities can only be exploited if the iPhone is jailbroken and apps are installed from outside the App Store.

Cut & Paste Feature

The Copy and Paste feature was introduced in iOS 3.0. It relies on a common buffer shared by all the applications in iOS. This feature can be exploited to steal sensitive data from an application into a malicious application.

As shown in the above figure, in the top image the credit card number is copied from the application and stored in the common buffer within iOS. Below, the malicious application silently steals the data from the buffer; this application can also send the data to a remote server.

The developer can remediate this issue either by clearing the copy-paste buffer every time the application exits or by disabling the copy-paste feature in applications that deal with sensitive data.

iOS Backgrounding

Apple wanted to provide iOS device users with an aesthetically pleasing effect when an application is entered or exited. Hence it introduced the concept of saving the last screenshot when the application goes into the background.

This feature can be exploited because the screenshot saved on the device may contain sensitive data such as credit card details, password recovery information, etc.

The figure shows the user's password reset information stored in the screenshot. This screenshot is stored on the device at the following location:

/private/var/mobile/Library/Caches/Snapshots

The developer can remediate this issue by writing a code snippet that clears the contents of the page on application exit.

Auto Correct Feature

Inside iOS there is a file called dynamic-text.dat, a binary keyboard cache containing ordered phrases of text entered by the user. This text is cached as part of the operating system's autocorrect feature, and it may include text entered within any application on the device. Think of this as a keyboard logger. To avoid writing data to this cache, turn autocorrect off in text fields whose input should remain private, or consider writing your own keyboard class for your application.

This file can be found on the device at the following location:
/private/var/mobile/Library/Keyboard/dynamic-text.dat


Sensitive data can appear in the autocorrect feature as a suggestion
 

As shown in Fig. 3, the usernames and passwords stored in the dynamic text file can appear on the screen as suggestions for the user to choose. The usernames and passwords are also saved in the dynamic text file, as it is stored as a dictionary.
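
The remediations described in the Cut & Paste, iOS Backgrounding and Auto Correct sections can be combined in one app. The Swift sketch below is an added example, not code from the original article or its references. It assumes an app that uses the app delegate life cycle (no scene delegate) with a storyboard supplying the window; NoCopyTextField, PaymentViewController and privacyCover are hypothetical names.

```swift
import UIKit

// Cut & Paste: a text field that refuses copy and cut, so its
// contents never reach the shared pasteboard.
final class NoCopyTextField: UITextField {
    override func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {
        if action == #selector(UIResponderStandardEditActions.copy(_:)) ||
           action == #selector(UIResponderStandardEditActions.cut(_:)) {
            return false
        }
        return super.canPerformAction(action, withSender: sender)
    }
}

// Hypothetical screen that collects a card number (names are illustrative).
final class PaymentViewController: UIViewController {
    let cardNumberField = NoCopyTextField()

    override func viewDidLoad() {
        super.viewDidLoad()
        // Auto Correct: turn autocorrection and spell checking off for this
        // field, as the article advises for input that should remain private.
        cardNumberField.autocorrectionType = .no
        cardNumberField.spellCheckingType = .no
        cardNumberField.frame = CGRect(x: 20, y: 100, width: 280, height: 40)
        view.addSubview(cardNumberField)
    }
}

@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private let privacyCover = UIView()

    func applicationDidEnterBackground(_ application: UIApplication) {
        // Cut & Paste: empty the shared pasteboard when the app leaves the foreground.
        UIPasteboard.general.items = []
        // iOS Backgrounding: the snapshot is taken after this method returns,
        // so cover the window with an opaque view first.
        guard let window = window else { return }
        privacyCover.frame = window.bounds
        privacyCover.backgroundColor = .white
        window.addSubview(privacyCover)
    }

    func applicationWillEnterForeground(_ application: UIApplication) {
        privacyCover.removeFromSuperview()
    }
}
```

Clearing the general pasteboard also discards anything the user copied in other apps, so an application may prefer to clear it only after the user has copied from one of its own sensitive fields.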
