Mobile Privacy And Security

Date post: 01-Nov-2014
Upload: james-wernicke
Description:
A presentation on the evaluation of the security of the iPhone OS as it relates to user privacy and device usability.
Transcript
Page 1: Mobile Privacy And Security

Mobile Privacy and Security

With the iPhone

James Wernicke

April 28, 2007

Page 2: Mobile Privacy And Security

Goal and Objectives

Demonstrate weaknesses in accepted mobile security and privacy practices.

Evaluate the security and privacy features of the iPhone.

Perform a security audit on an iPhone.

Develop a security application for the iPhone for general users.

Objectives – Background – Specifications – Security Audit - Conclusion

Page 3: Mobile Privacy And Security

Background

Mobile devices are ubiquitous in today's society.

3G networks and unlimited data plans continue to rise in popularity.

Page 4: Mobile Privacy And Security

Background

Mobile malware is becoming more prevalent.

Stolen information includes emails, text messages, contact lists, and browser history.

Page 5: Mobile Privacy And Security

Background

No operating system is completely safe.

Platforms are more familiar and easier to hack.

Page 6: Mobile Privacy And Security

Background

The iPhone is no exception.

Source: http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf

Page 7: Mobile Privacy And Security

New Technologies, New Problems

Limited resources
Interface
  Touch displays
  Small displays
  Gestures
Location tracking
Always-on, high-speed connections
Desktop-based operating systems
Native web-based hybrid applications
Accelerometers

Page 8: Mobile Privacy And Security

iPhone Specifications

Communications   GSM/EDGE, UMTS/HSDPA, Wi-Fi (802.11 b/g), Bluetooth 2.1 + EDR, and USB 2.0
Display          3.5-inch widescreen Multi-Touch display
Recording        3-megapixel camera, auto-focus, VGA recording up to 30 fps, geotagging
Storage          8, 16, or 32 GB
Power            Up to 300 hours standby, 12 hours talk, 9 hours Wi-Fi, 10 hours video, 30 hours audio

Support for most common file formats.

Page 9: Mobile Privacy And Security

Software

iPhone OS

File system is “sandboxed” to protect critical system files from third-party software.

Key pieces of information stored in SQLite databases.

Apps

Thousands of apps for personal information management, remote access and entertainment.

No (official) firewall or anti-virus software.

App development is open, but App Store checks apps for malicious code before release.

Jailbreaking

Unlocks restrictions on the iPhone to allow full UNIX functionality.

As a negative consequence, it also removes safeguards.

Page 10: Mobile Privacy And Security

Test Subject

The iPhone was heavily used, containing information including:

Email

Contacts

Calendar

Web browsing history

Stored Wi-Fi networks

Pictures and videos

Maps

Apps

Jailbroken iPhone OS version 2.3.2

Page 11: Mobile Privacy And Security

iPhone Security Audit

1. Scan for transmissions.

2. Probe for information and possible vulnerabilities.

3. Attempt to exploit vulnerabilities to gain control.

4. If successful, attempt to find and retrieve valuable information.

Page 12: Mobile Privacy And Security

Scanning and Probing Tools

Ethereal   Captures and analyzes data packets transmitted over the air. Useful for determining what type of traffic a user is transmitting (HTTP, FTP, SFTP).

Nmap       Probes an interface for details about its operating system and ports.

Page 13: Mobile Privacy And Security

Exploiting Vulnerabilities

192.168.0.73 found to be iPhone OS.

Port 22 (OpenSSH) found open on it.

OpenSSH installs with 'alpine' as default password.

Successfully penetrated device using default password.

Time to look for some information…

bash-4.0$ ssh [email protected]

[email protected]’s password:

iPhone:~ root# _

Page 14: Mobile Privacy And Security

Property Lists

Property lists are often used to store a user's settings, and information about applications.

<dict>
  <key>Name</key>
  <string>James Wernicke</string>
  <key>Age</key>
  <integer>29</integer>
</dict>

The iPhone uses these files to store virtually all personal information.

Passcode is stored encrypted in the Keychain.

Page 15: Mobile Privacy And Security

Analyzing Property Lists

Property lists cannot be read in their native binary format.

private/var/mobile/Library/Preferences/mobile$ cat .GlobalPreferences.plist
bplist00Ö
*[TVOutStatus[AppleLocale^AppleKeyboards_AppleKeyboardsExpanded^AppleLanguages_SBFor
mattedPhoneNumberÿÿÿÿÿÿÿÿUen_US¡¯!"#$%&'()RenResRjaRfrRdeRnlRitRptUpt-
PTRdaRfiRnbRsvRkoWzh-HansWzh-HantRruRplRtrRukRarRhrRcsRelRheRroRskRthRidRms_1
(858) 603-5873

Page 16: Mobile Privacy And Security

Analyzing Property Lists

Converted to XML format using plutil.

private/var/mobile/Library/Preferences/mobile$ plutil -convert xml1 .GlobalPreferences.plist
Converted 1 files to XML format
private/var/mobile/Library/Preferences/mobile$ cat .GlobalPreferences.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppleKeyboards</key>
  <array>
    <string>en_US</string>
  </array>
  <key>AppleKeyboardsExpanded</key>
  <integer>1</integer>
  <key>AppleLanguages</key>
  <key>SBFormattedPhoneNumber</key>
  <string>1 (858) 603-5873</string>
  <key>TVOutStatus</key>
  <integer>-1</integer>
</dict>
</plist>

Page 17: Mobile Privacy And Security

Analyzing Property Lists

Personal information can then be found and extracted.

private/var/mobile/Library/Preferences/mobile$ grep PhoneNumber .*
.GlobalPreferences.plist: <key>SBFormattedPhoneNumber</key>
/private/var/mobile/Library/Preferences/mobile$ plutil -key SBFormattedPhoneNumber .GlobalPreferences.plist
1 (858) 603-5873

Page 19: Mobile Privacy And Security

Analyzing Property Lists

Over 2000 property lists were found on the test iPhone.

Analyzing each by hand would be very expensive.

Program developed to find property lists, convert them to XML, search for common keywords, and retrieve their values.

plister.sh
plbackup.sh
plist2xml.sh
keyfinder.sh

Future development to lead to security app.
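An added example, not the author's plister/keyfinder scripts: a Python sketch of the same workflow that checks for the bplist00 magic seen in the raw cat output, re-serializes binary plists as XML (the plutil -convert xml1 step), and reports leaf values whose key names match audit keywords. The sample preferences plist and every value in it are constructed here, not taken from the test device.

```python
import plistlib
from typing import Any, Dict, Iterator, Tuple

# Constructed sample data (not from the device on the slides): a binary plist
# ("bplist00" magic) shaped like the .GlobalPreferences.plist shown above.
SAMPLE_PREFS = plistlib.dumps(
    {
        "AppleKeyboards": ["en_US"],
        "AppleKeyboardsExpanded": 1,
        "SBFormattedPhoneNumber": "1 (555) 010-0199",
        "TVOutStatus": -1,
        "Account": {"Name": "Example User", "Age": 29},
    },
    fmt=plistlib.FMT_BINARY,
)

KEYWORDS = ("phonenumber", "name", "password", "email")  # matched case-insensitively on leaf key names


def is_binary_plist(data: bytes) -> bool:
    """Binary plists begin with the 8-byte magic 'bplist00' (what `cat` printed)."""
    return data[:8] == b"bplist00"


def to_xml(data: bytes) -> bytes:
    """Re-serialize a binary or XML plist as XML (the `plutil -convert xml1` step)."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML)


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (key path, leaf value) pairs for every leaf in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_keys(data: bytes, keywords: Tuple[str, ...] = KEYWORDS) -> Dict[str, Any]:
    """Return leaf values whose key name contains an audit keyword (binary or XML input)."""
    hits: Dict[str, Any] = {}
    for path, value in walk(plistlib.loads(data)):
        leaf = path.rsplit("/", 1)[-1].lower()
        if any(word in leaf for word in keywords):
            hits[path] = value
    return hits
```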

Page 20: Mobile Privacy And Security

Results

Found identifying information about the device passively by monitoring air traffic.

Found open ports through probes.

Gained root access to system through SSH exploit.

Collected personal information.

Name, phone number, and birthday
Contact list and calendar
Emails, text messages, and call logs
Browsing history and bookmarks
Pictures, songs and videos

Could have also destroyed data including erasing my tracks.

Page 21: Mobile Privacy And Security

Recommendations & Lessons Learned

Open up the iPhone OS to security vendors.

Use discretion when allowing apps to access personal information.

NEVER leave the default password active on your OpenSSH server.

Do not leave connections (3G, Wi-Fi, Bluetooth) active when not in use.

Do not use unprotected wireless networks.

Page 22: Mobile Privacy And Security

References & Secondary Research

Pew Research Center. Internet & American Life Project. 2009. Survey. http://www.pewinternet.org/.

CTIA. A Generation Unplugged. s.l. : Harris Interactive, 2008. Research Study. http://files.ctia.org/pdf/HI_TeenMobileStudy_ResearchReport.pdf.

Radwanick, Sarah. The 2009 U.S. Digital Year in Review. s.l. : comScore, 2010. p. 13, Whitepaper. http://www.comscore.com/Press_Events/Presentations_Whitepapers/2010/The_2009_U.S._Digital_Year_in_Review.

Gostev, Alexander. Mobile Malware Evolution: An Overview, Part 3. SECURELIST. [Online] September 29, 2009. [Cited: April 1, 2010.] http://www.viruslist.com/analysis/?pubid=204792080.

Weiss, Gregg. Staggering iPhone App Development Statistics Unveiled at Macworld 2010. prMac.com. [Online] February 3, 2010. [Cited: April 1, 2010.] http://prmac.com/release-id-10499.htm.

Hughes, Neil. Piper: 15.8M US iPhone sales in 2010, even without Verizon. AppleInsider. [Online] January 6, 2010. [Cited: April 1, 2010.] http://www.appleinsider.com/articles/10/01/06/piper_15_8m_us_iphone_sales_in_2010_even_without_verizon.html.

Cheng, Jacqui. The truth about the iPhone's sales numbers. Ars Technica. [Online] January 23, 2008. [Cited: April 1, 2010.] http://arstechnica.com/apple/news/2008/01/the-truth-about-the-iphones-sales-numbers.ars.

Rubicon Consulting. The Apple iPhone: Successes and Challenges for the Mobile Industry. 2008. http://rubiconconsulting.com/downloads/whitepapers/Rubicon-iPhone_User_Survey.pdf.

Seriot, Nicolas. iPhone Privacy. 2010. Technical Report. http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf.

Pwn2Own 2010: iPhone hacked, SMS database hijacked. ZDNet. [Online] March 24, 2010. [Cited: April 1, 2010.] http://blogs.zdnet.com/security/?p=5836.

A look back at the iTunes App Store - Part I: Explosive Growth. Edible Apple. [Online] July 8, 2009. [Cited: April 1, 2010.] http://www.edibleapple.com/a-look-back-at-the-itunes-app-store-part-i-explosive-growth/.

Page 23: Mobile Privacy And Security

Questions?

Page 24: Mobile Privacy And Security

Sandboxing Rules

(version 1)
(deny default)

; Sandbox violations get logged to syslog via kernel logging.
(debug deny)

(allow sysctl-read)

; Mount / umount commands
(deny file-write-mount file-write-umount)

; System is read only
(allow file-read*)
(deny file-write*)

; NOTE: Later rules override earlier rules.

; Private areas
(deny file-write*
      (regex "^/private/var/mobile/Applications/.*$"))
(deny file-read*
      (regex "^/private/var/mobile/Applications/.*$"))

; SQLite uses /private/var/tmp
; TBR: <rdar://problem/5805879> SQLite doesn’t honor
; the TMPDIR environment variable
(allow file-write*
       (regex "^/private/var/tmp(/|$)"))
(allow file-read*
       (regex "^/private/var/tmp(/|$)"))

; TBR: <rdar://problem/5806524>
(allow process-exec
       (regex "^/private/var/tmp$"))

; TBR: <rdar://problem/5830139>
(allow file-write*
       (regex "^/private/var/tmp/UpdatedSnapshots/$"))

; Permit reading and writing in the App container
(allow file-read*
       (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(/|$)"))
(allow file-write*
       (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/(tmp|Library|Documents)(/|$)"))
(allow process-exec
       (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.*\.app(/|$)"))

; Allow Address book access via filesystem
; This is an SQLite3 database - there is room to make the rules tighter
(allow file-write*
       (regex "^/private/var/mobile/Library/AddressBook(/|$)"))
(allow file-read*
       (regex "^/private/var/mobile/Library/AddressBook(/|$)"))

; Allow keyboard db access via filesystem
; This is a custom file format. There is room to make the rules tighter
(allow file-write*
       (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
(allow file-read*
       (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))

; Pictures, but not other media
; Allow photo access via filesystem. There is room to make the rules tighter
(deny file-write*
      (regex "^/private/var/mobile/Media(/|$)"))
(deny file-read*
      (regex "^/private/var/mobile/Media/"))
(allow file-write*
       (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-read*
       (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-write*
       (regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
       (regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
       (regex "^/private/var/mobile/Media/Photos(/|$)"))

; Mach lookups. There is room to make the rule tighter.
(allow mach-lookup)
;; (global-name "PurpleSystemEventPort")
;; (global-name "com.apple.CARenderServer")
;; (global-name "com.apple.eventpump")
;; (global-name "com.apple.springboard.migserver")
;; (global-name "com.apple.system.notification_center"))

(deny process-fork)

; For ASL logs - /var/run/asl_input (XXX: socket can now be named)
; (allow network-outbound)
;        (to unix-socket "/private/var/run/asl_input"))
(allow network*)

; To allow crash reporter / exceptions to kill the process
(allow signal (target self))
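An added illustration, not part of the slides or of Apple's profile: a Python model of the file-read* and file-write* rules above, evaluated with the last-match-wins semantics the profile's NOTE describes, with the GUID placeholder kept exactly as the slide shows it. Checking a few paths makes the profile's own "room to make the rules tighter" comments concrete, for example the keyboard regex grants writes anywhere under /private/var/mobile/Library, while the Media rules admit DCIM and Photos but deny other media.

```python
import re
from typing import List, Optional, Tuple

# Placeholder container id, copied from the slides (a real profile carries the app's GUID).
APP = "/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"

# (decision, operation, path regex or None for "any path"), transcribed in profile
# order for the file-read* / file-write* operations only.
RULES: List[Tuple[str, str, Optional[str]]] = [
    ("allow", "file-read*", None),                                       # System is read only
    ("deny", "file-write*", None),
    ("deny", "file-write*", r"^/private/var/mobile/Applications/.*$"),   # Private areas
    ("deny", "file-read*", r"^/private/var/mobile/Applications/.*$"),
    ("allow", "file-write*", r"^/private/var/tmp(/|$)"),                 # SQLite temp files
    ("allow", "file-read*", r"^/private/var/tmp(/|$)"),
    ("allow", "file-write*", r"^/private/var/tmp/UpdatedSnapshots/$"),
    ("allow", "file-read*", "^" + re.escape(APP) + "(/|$)"),             # App container
    ("allow", "file-write*", "^" + re.escape(APP) + "/(tmp|Library|Documents)(/|$)"),
    ("allow", "file-write*", r"^/private/var/mobile/Library/AddressBook(/|$)"),
    ("allow", "file-read*", r"^/private/var/mobile/Library/AddressBook(/|$)"),
    ("allow", "file-write*", r"^/private/var/mobile/Library(/Keyboard)?(/|$)"),  # keyboard db
    ("allow", "file-read*", r"^/private/var/mobile/Library(/Keyboard)?(/|$)"),
    ("deny", "file-write*", r"^/private/var/mobile/Media(/|$)"),         # Pictures, not other media
    ("deny", "file-read*", r"^/private/var/mobile/Media/"),
    ("allow", "file-write*", r"^/private/var/mobile/Media/com.apple.itunes.lock_sync$"),
    ("allow", "file-read*", r"^/private/var/mobile/Media/com.apple.itunes.lock_sync$"),
    ("allow", "file-write*", r"^/private/var/mobile/Media/DCIM(/|$)"),
    ("allow", "file-read*", r"^/private/var/mobile/Media/DCIM(/|$)"),
    ("allow", "file-read*", r"^/private/var/mobile/Media/Photos(/|$)"),
]


def decide(operation: str, path: str, rules=RULES, default: str = "deny") -> str:
    """Evaluate one operation on one path: (deny default) unless a rule matches,
    and, per the profile's NOTE, the last matching rule wins."""
    verdict = default
    for decision, op, pattern in rules:
        if op == operation and (pattern is None or re.search(pattern, path)):
            verdict = decision
    return verdict
```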

Page 30: Mobile Privacy And Security

More Results

Type           Results
Call logs      100
SMS            120
Contacts       1511
Email          512
Calendar       3188
Notes          1
Pictures       27
Songs          2359
Web History    Yes
Bookmarks      Some
Cookies        Bank of America
App Info       Yes
Google Maps    Yes
Voicemail      0
Password       No
Plists/XML     Yes
Phone Info     Yes
Video          0
Podcasts       0
Speed Dials    Found
VPN            List of trusted networks found
Bluetooth      Enabled
GPS            No
File hashes    Yes
YouTube        Found recently viewed videos
HTML           Recent weather page plus Facebook
