iphone privacy
play

iPhone Privacy Nicolas Seriot Black Hat DC 2010 Arlington, - PowerPoint PPT Presentation

Sep 16, 2022 •292 likes •978 views

iPhone Privacy Nicolas Seriot Black Hat DC 2010 Arlington, Virginia, USA http://seriot.ch Twitter @nst021 Who am I? Nicolas Seriot , Switzerland HES Software Engineer Cocoa developer and iPhone programming trainer at Sen:te

  1. iPhone Privacy Nicolas Seriot Black Hat DC 2010 Arlington, Virginia, USA http://seriot.ch Twitter @nst021

  2. Who am I? • Nicolas Seriot , Switzerland • HES Software Engineer • Cocoa developer and iPhone programming trainer at Sen:te • Data-mining research assistant at Swiss University of Applied Sciences (HEIG-VD) since 2009 • MAS in Economic crime investigation

  3. You said... Switzerland?

  4. Outline 1. Privacy issues overview 2. What can iPhone spyware do? 1. Access personal data 2. Fool App Store’s reviewers 3. Attack scenarios 4. Recommendations and conclusion

  5. iPhone Catch Up • iPhone • 34 millions devices worldwide • Apple’s App Store • 140,000 applications, 3 billion downloads • Jailbreak • non-official firmwares, will also run unsigned code, often installed with sshd

  6. 1. Privacy Issues Overview

  7. Privacy Issues Timeline …2007 …2007 …2007 …2007 2008 2008 2008 2008 2009 2009 2009 2009 2009 libti libtiff Root Root exploits exploits SM SMS fuzzing fuzzing Pulled out Aurora Faint Aur from from MogoRo goRoa Road Road AppStore Lawsuits Storm8 Storm8 Storm8 Sto rm8 Analytics PinchM PinchM inchMed nchMedia edia concerns ncerns Worms Ikee Ikee & co. (ja . (jailbr jailbrea ilbreak) break) eak) OS 1.0 1.0 1.0 1. 1.1 2.0 2.0 2.1 2. 2.2 3.0 3.0 3.0 3. 3.1 3.1 3.1

  8. Root Exploits • libtiff – July 2007 • Multiple buffer overflows by Tavis Ormandy, exploited by Rik Farrow • Patched in iPhone OS 1.1.2 • SMS fuzzing – July 2009 • Demonstrated at Black Hat USA 2009 by Charlie Miller and Collin Mulliner • Patched in iPhone OS 3.0.1

  9. Root Exploits http://tk-blog.blogspot.com/2010/02/iphone-os-and-mac-os-x-stack-buffer.html

  10. Analytics Frameworks • PinchMedia • Think Google Analytics for your app • July 2009 – bloggers raise privacy concerns • Users are not informed and can’t opt-out

  11. Create your own Trusted Certificate! http://threatpost.com/en_us/blogs/iphones-vulnerable-new-remote-attack-020210

  12. Storm8 Lawsuit http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/ http://www.boingboing.net/lawsuits/Complaint_Storm_8_Nov_04_2009.pdf

  13. Pulled out from AppStore* • Aurora Feint – July 2008 • Sent contact emails in clear • 20 million downloads • MogoRoad – September 2009 • Sent phone number in clear • Customers got commercial calls * Both applications are back on AppStore after updating their privacy policy.

  14. 2009-11 Worms / Jailbreak • Exploiting default root password on SSH 1. Ikee – changes wallpaper to Rick Astley 2. Dutch 5 € ransom – locks iPhone against a ransom (not refunded) 3. IPhone/Privacy.A – steals iPhone content, invisible, no replication 4. Duh / Ikee.B – steals iPhone content, changes root password, Lithuanian botnet (analysis)

  15. This is what it looks like Ikee Dutch 5 € ransom

  16. Apple Gets Bad Press This further demonstrates that iPhones are not ready for the business environment. http://www.sophos.com/blogs/chetw/g/2009/11/21/malicious-iphone-worm-loose/ IMHO, this is not more clever as claiming that Linux is not ready for business since you can exploit a weak default root password on SSH…

  17. 2. What can iPhone Spyware do?

  18. Technical Context • Imagine a rogue breakout on AppStore • iPhone OS version 3.1.3 • No jailbreak (no root access, 6-8 % iPhones) • No hardware attacks (don’t lose your iPhone) • Not calls to private APIs (there’s no need to) • No Facebook or Twitter profile data… • No root shells exploits • Look for entry points, look for personal data

  19. Methodology – Step A Access personal data

  20. 2.1. Access Personal Data

  21. Cell Numbers NSDictionary *d = [NSUserDefaults standardUserDefaults]; NSString *phone = [d valueForKey:@"SBFormattedPhoneNumber"]; • Entered in iTunes • Optional, you can safely change it

  22. Address Book API • No “Me” record • Unrestricted read/write access • Tampering with data • change *@ubs.com into pirate123@gmail.com

  23. File System Access http://fswalker.googlecode.com

  24. iPhone Sandboxing • Restricts applications access to OS resources • A list of deny/allow rules at kernel level • /usr/share/sandbox/SandboxTemplate.sb (version 1) ; System is read only (deny default) (allow file-read*) (deny file-write*) ; Sandbox violations get logged to syslog via kernel logging. ; Private areas (debug deny) (deny � file-write* � (regex "^/private/var/mobile/ (allow sysctl-read) Applications/.*$")) (deny � file-read* ; Mount / umount commands � (regex "^/private/var/mobile/ (deny file-write-mount file-write-umount) Applications/.*$"))

  25. Sandboxing for the Win? Applications on the device are " sandboxed " so they cannot access data stored by other applications . In addition, system files, resources , and the kernel are shielded from the user's application space . Apple – iPhone in Business – Security Overview http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf This is not true , because rules are too loose. Demo!

  26. Introducing SpyPhone

  27. Safari / YouTube Searches

  28. Phone and Email Accounts

  29. Contacts, Keyboard Cache

  30. Geotagged Photos Location

  31. GPS and Wifi Location

  32. SpyPhone • Contributions welcome! • 2000 lines + EXIF library • GPL License • http://github.com/nst/spyphone

  33. Methodology – Step B Put the application on the App Store.

  34. 2.2. Fool App Store Reviewers

  35. App Store and Malware We've built a store for the most part that people can trust . There have been applications submitted for approval that will steal personal data . - Phil Schiller, Apple senior VP http://www.businessweek.com/technology/content/nov2009/tc20091120_354597.htm 10,000 submissions per week 10% of rejections related to malware

  36. iPhone SDK Standard Agreement • 5.4 – You may not make any public statements regarding this Agreement • Applications must not collect users’ personal information and must comply with local laws • Base for spyware rejection • Published by WikiLeaks and Wired…

  37. AppStore Reviews • Reviewers can be fooled • Spyware activation can be delayed • Payloads can be encrypted • Many things can change at runtime

  38. Hiding the Beast • Guesswork about AppStore review process • Static analysis with $ strings • Dynamic analysis with I/O Instruments • Monitor file openings • Check against black lists

  39. Strings Obfuscation - (NSString *)stringMinus1:(NSString *)s { NSMutableString *s2 = [NSMutableString string]; for(int i = 0; i < [s length]; i++) { unichar c = [s characterAtIndex:i]; [s2 appendFormat:@"%C", c-1]; } return s2; } - (void)viewDidAppear:(BOOL)animated { NSString *pathPlus1 = @"0wbs0npcjmf0Mjcsbsz0Qsfgfsfodft0dpn/bqqmf/bddpvoutfuujoht/qmjtu"; // @"/var/mobile/Library/Preferences/com.apple.accountsettings.plist" NSString *path = [self stringMinus1:pathPlus1]; NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:path]; // ... } This code would probably pass a static analysis

  40. Apple’s GPS Kill Switch $ curl https://iphone-services.apple.com/clbl/unauthorizedApps { � "Date Generated" = "2010-01-03 05:02:36 Etc/GMT"; � "BlackListedApps" = {}; } • Discovered by Jonathan Zdziarski in August 2008 • clbl stands for “Core Location Black List” • Prevent applications from using Core Location • Apple never acknowledged its existence publicly • Apple never used it – SpyPhone doesn’t care

  41. Methodology – Step C Database

  42. 4. Attack Scenarios

  43. This is Real World http://xkcd.com/538/

  44. The Spammer • Write a little breakout game • Make it available for free on AppStore • Collect user email addresses + weather cities + user’s interests from Safari searches and keyboard cache • Collect Address Book emails • Send them with high scores

  45. The Luxury Products Thief • Write an app for sports car or luxury watches collectors • Report the name, phone, area and geotagged photos of healthy people • When you can determine that someone is away from home, just rob him

  46. The Jealous Husband • Could also be named evil competitor or law enforcement officer • Requirements: 5 minute physical access to the device, an Apple $99 developer license, a USB cable • Install SpyPhone, send the report • Delete the report from sent emails, delete SpyPhone http://www.flickr.com/photos/11213613@N05/4147756184/

  47. VIPs François Fillon, French Prime Minister, and Rachida Dati, former Justice French Minister < insert your attack scenario here >

  48. Methodology Database So what?

  49. 4. Recommendations and Conclusion

  50. Security Through Obscurity • Apple should not rely on security through obscurity • It shouldn’t claim that an application cannot access data from other applications • It may have to review the iPhone S-SDLC

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mobile Privacy: Tor On The iPhone And Other Unusual Devices Marco Bonetti - CutAway s.r.l.

Mobile Privacy: Tor On The iPhone And Other Unusual Devices Marco Bonetti - CutAway s.r.l.

Mobile Privacy: Tor On The iPhone And Other Unusual Devices Marco Bonetti - CutAway s.r.l. whoami Marco Bonetti Security Consultant @ CutAway s.r.l. mbonetti@cutaway.it http://www.cutaway.it/ Tor user &amp; researcher @ SLP-IT

943 views • 53 slides
MY IPHONE APPLICATIONS - 2020 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2020 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2020 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D TODAYS AGENDA Top 30 Applications on my Iphone listed here (I will go over as many as possible in 1 hour of presentation time) Additional

1.1k views • 72 slides
MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D TODAYS AGENDA Top 20 Applications on my Iphone Additional assorted applications you may find useful Format: Combination of screen

859 views • 56 slides
Basic iPhone Photography Denise Wolf March 18, 2019 Content Sources: Apple Support:

Basic iPhone Photography Denise Wolf March 18, 2019 Content Sources: Apple Support:

Basic iPhone Photography Denise Wolf March 18, 2019 Content Sources: Apple Support: Photography Apple: How To Shoot on iPhone iPhone: The Missing Manual by David Pogue Lynda.com (iPhone and iPad Photography with iOS 12) The Plan

560 views • 27 slides
iPhone Apps: From Concept to Launch Dev Day for iPhone London Raven Zachary 25 June 2010

iPhone Apps: From Concept to Launch Dev Day for iPhone London Raven Zachary 25 June 2010

iPhone Apps: From Concept to Launch Dev Day for iPhone London Raven Zachary 25 June 2010 Platform strategy User experience Design Product development Marketing raven.me iOS Agency Everything but the The Idea

1.26k views • 105 slides
2-view Alignment and RANSAC CSE P576 Dr. Matthew Brown AutoStitch iPhone Create gorgeous

2-view Alignment and RANSAC CSE P576 Dr. Matthew Brown AutoStitch iPhone Create gorgeous

2-view Alignment and RANSAC CSE P576 Dr. Matthew Brown AutoStitch iPhone Create gorgeous panoramic photos on your iPhone - Cult of Mac Raises the bar on iPhone panoramas - TUAW Magically combines the resulting shots -

218 views • 21 slides
Wireless Plans Bill Dickhardt 10/13/2017 My mobile gear iPhone SE (pay as you go) iPhone

Wireless Plans Bill Dickhardt 10/13/2017 My mobile gear iPhone SE (pay as you go) iPhone

Wireless Plans Bill Dickhardt 10/13/2017 My mobile gear iPhone SE (pay as you go) iPhone 6 (500/500/500 per month) 2 mobile hotspots (900MB each per month) Total cost per month?? ~$18.25 per month iPhone SE (~$2.00 per

322 views • 18 slides
Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone

Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone

Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone Create gorgeous panoramic photos on your iPhone - Cult of Mac Raises the bar on iPhone panoramas - TUAW Magically combines the

414 views • 24 slides
One Time Set-up On your iPhone/iPad Download iClicker Reef iPhone App OR On your Android

One Time Set-up On your iPhone/iPad Download iClicker Reef iPhone App OR On your Android

One Time Set-up On your iPhone/iPad Download iClicker Reef iPhone App OR On your Android Phone/Tablet Download iClicker Reef Android App OR On a Laptop/Other Device Go to iclicker.com and choose Sign in &gt; Student Fill in your

363 views • 10 slides
iPhone Development A Web Devs Perspective Ben Sandofsky - ben@sandofsky.com Im Your

iPhone Development A Web Devs Perspective Ben Sandofsky - ben@sandofsky.com Im Your

iPhone Development A Web Devs Perspective Ben Sandofsky - ben@sandofsky.com Im Your Straight Man Im a Ruby guy Put on ad-hoc Yellowpages.com iPhone App Team Worked with the SDK since Beta 1 The Platform You must use

526 views • 14 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
the iPhone Lawrence Yates The New York Society Library Welcome! This seminar is meant to

the iPhone Lawrence Yates The New York Society Library Welcome! This seminar is meant to

Getting Started with the iPhone Lawrence Yates The New York Society Library Welcome! This seminar is meant to serve as an introduction to the iPhone. We will go over all of its basic functions, from creating contacts to taking and

861 views • 27 slides
Graphics on the iPhone The Fast Learners Accelerated (Survival) Guide aptocore Five co-founders

Graphics on the iPhone The Fast Learners Accelerated (Survival) Guide aptocore Five co-founders

Graphics on the iPhone The Fast Learners Accelerated (Survival) Guide aptocore Five co-founders all previously worked at Deadline Games on Watchmen: The End is Nigh (PS3, Xbox 360, PC) and other titles. Now the iPhone for game

440 views • 27 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
Classical Machine Learning At Scale Thomas Parnell Research Staff Member, Data and AI Systems

Classical Machine Learning At Scale Thomas Parnell Research Staff Member, Data and AI Systems

Classical Machine Learning At Scale Thomas Parnell Research Staff Member, Data and AI Systems IBM Research - Zurich Motivation 1. Why do classical machine learning models dominate in many applications? 2. Which classical machine learning

1.05k views • 30 slides
Embedded Actors Towards Distributed Programming in the IoT Raphael Hiesgen, Dominik

Embedded Actors Towards Distributed Programming in the IoT Raphael Hiesgen, Dominik

Embedded Actors Towards Distributed Programming in the IoT Raphael Hiesgen, Dominik Charousset, Thomas C. Schmidt HAW Hamburg raphael.hiesgen@haw-hamburg.de September 2014, ICCE-Berlin Agenda 1 The Internet of Things (IoT) 2 The Actor

476 views • 21 slides
Parallel computations of Grbner bases in the Weyl algebra Something to run on a machine with

Parallel computations of Grbner bases in the Weyl algebra Something to run on a machine with

Weyl algebra Grbner basis Faugres F 4 algorithm Parallel computations of Grbner bases in the Weyl algebra Something to run on a machine with 128 cores Anton Leykin Institute for Mathematics and its Applications, Minneapolis MSRI,

813 views • 62 slides
CCL/Cocoa Interfaces Paul Krueger, Ph.D. November, 2009 Interface Goals: Looks native to

CCL/Cocoa Interfaces Paul Krueger, Ph.D. November, 2009 Interface Goals: Looks native to

CCL/Cocoa Interfaces Paul Krueger, Ph.D. November, 2009 Interface Goals: Looks native to platform Development effort commensurate with interface complexity Easy blending with Lisp code Usable in either stand-alone executables or from within

452 views • 16 slides
6. Early Modern Europe 6.1. Portugal: Prince Henry &amp; Marco Polo 6.2. Columbus and the New

6. Early Modern Europe 6.1. Portugal: Prince Henry &amp; Marco Polo 6.2. Columbus and the New

6. Early Modern Europe 6.1. Portugal: Prince Henry &amp; Marco Polo 6.2. Columbus and the New World 6.3. Exploring, Settling, Exploiting the New World 6.4. Cortes &amp; Pizarro vs. de Las Casas 6.5. Imperialism, Atlantic Trade &amp;

434 views • 40 slides
Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic,

Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic,

Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic, Language, and Computation Winter 2012, lecture 1a Raquel Fernndez TtTv 2012 - lecture 1a 1 / 27 TTTV: Practical Matters Lecturer:

1.08k views • 89 slides
Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic,

Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic,

Taaltheorie en Taalverwerking BSc Artificial Intelligence Raquel Fernndez Institute for Logic, Language, and Computation Winter 2014, lecture 1a Raquel Fernndez TTTV 2014 - lecture 1a 1 TTTV: Practical Matters Lecturer: Raquel

1.74k views • 119 slides
Large-scale Paraphrasing for Natural Language Generation Chris Callison-Burch March 26, 2015

Large-scale Paraphrasing for Natural Language Generation Chris Callison-Burch March 26, 2015

Large-scale Paraphrasing for Natural Language Generation Chris Callison-Burch March 26, 2015 with Juri Ganitkevitch, Benjamin Van Durme, Ellie Pavlick, Wei Xu, Courtney Napoles, Xuchen Yao, Peter Clark, Jonny Weese, Matt Post, Tsz Ping Chan,

1.02k views • 76 slides

More recommend