iPhone Privacy – Nicolas Seriot – Black Hat DC 2010, Arlington, Virginia, USA
  1. iPhone Privacy – Nicolas Seriot – Black Hat DC 2010, Arlington, Virginia, USA – http://seriot.ch – Twitter @nst021

  2. Who am I?
    • Nicolas Seriot, Switzerland
    • HES Software Engineer
    • Cocoa developer and iPhone programming trainer at Sen:te
    • Data-mining research assistant at Swiss University of Applied Sciences (HEIG-VD) since 2009
    • MAS in Economic crime investigation

  3. You said... Switzerland?

  4. Outline
    1. Privacy issues overview
    2. What can iPhone spyware do?
       1. Access personal data
       2. Fool App Store’s reviewers
    3. Attack scenarios
    4. Recommendations and conclusion

  5. iPhone Catch Up
    • iPhone: 34 million devices worldwide
    • Apple’s App Store: 140,000 applications, 3 billion downloads
    • Jailbreak: unofficial firmware that will also run unsigned code, often installed with sshd

  6. 1. Privacy Issues Overview

  7. Privacy Issues Timeline (timeline figure; recovered labels)
    • 2007 – libtiff root exploit – iPhone OS 1.0, 1.1
    • 2008 – Aurora Feint pulled out from AppStore – iPhone OS 2.0, 2.1, 2.2
    • 2009 – SMS fuzzing root exploit; MogoRoad pulled out from AppStore; Storm8 lawsuits; PinchMedia analytics concerns; worms Ikee & co. (jailbreak) – iPhone OS 3.0, 3.1

  8. Root Exploits
    • libtiff – July 2007
      • Multiple buffer overflows found by Tavis Ormandy, exploited by Rik Farrow
      • Patched in iPhone OS 1.1.2
    • SMS fuzzing – July 2009
      • Demonstrated at Black Hat USA 2009 by Charlie Miller and Collin Mulliner
      • Patched in iPhone OS 3.0.1

  9. Root Exploits http://tk-blog.blogspot.com/2010/02/iphone-os-and-mac-os-x-stack-buffer.html

  10. Analytics Frameworks
    • PinchMedia
    • Think Google Analytics for your app
    • July 2009 – bloggers raise privacy concerns
    • Users are not informed and can’t opt out

  11. Create your own Trusted Certificate! http://threatpost.com/en_us/blogs/iphones-vulnerable-new-remote-attack-020210

  12. Storm8 Lawsuit http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/ http://www.boingboing.net/lawsuits/Complaint_Storm_8_Nov_04_2009.pdf

  13. Pulled out from AppStore*
    • Aurora Feint – July 2008
      • Sent contact emails in clear
      • 20 million downloads
    • MogoRoad – September 2009
      • Sent phone number in clear
      • Customers got commercial calls
    * Both applications are back on AppStore after updating their privacy policy.

  14. 2009-11 Worms / Jailbreak
    • Exploiting default root password on SSH
      1. Ikee – changes wallpaper to Rick Astley
      2. Dutch 5 € ransom – locks iPhone against a ransom (not refunded)
      3. IPhone/Privacy.A – steals iPhone content, invisible, no replication
      4. Duh / Ikee.B – steals iPhone content, changes root password, Lithuanian botnet (analysis)

  15. This is what it looks like (screenshots: Ikee, Dutch 5 € ransom)

  16. Apple Gets Bad Press
    “This further demonstrates that iPhones are not ready for the business environment.” http://www.sophos.com/blogs/chetw/g/2009/11/21/malicious-iphone-worm-loose/
    IMHO, this is no cleverer than claiming that Linux is not ready for business because you can exploit a weak default root password on SSH…

  17. 2. What can iPhone Spyware do?

  18. Technical Context
    • Imagine a rogue breakout game on the AppStore
    • iPhone OS version 3.1.3
    • No jailbreak (no root access; only 6–8 % of iPhones are jailbroken)
    • No hardware attacks (don’t lose your iPhone)
    • No calls to private APIs (there’s no need to)
    • No Facebook or Twitter profile data…
    • No root shell exploits
    • Look for entry points, look for personal data

  19. Methodology – Step A Access personal data

  20. 2.1. Access Personal Data

  21. Cell Numbers
    // standardUserDefaults returns an NSUserDefaults, not an NSDictionary
    NSUserDefaults *d = [NSUserDefaults standardUserDefaults];
    NSString *phone = [d valueForKey:@"SBFormattedPhoneNumber"];
    • Entered in iTunes
    • Optional, you can safely change it

  22. Address Book API
    • No “Me” record
    • Unrestricted read/write access
    • Tampering with data: change *@ubs.com into pirate123@gmail.com

  23. File System Access http://fswalker.googlecode.com

  24. iPhone Sandboxing
    • Restricts applications’ access to OS resources
    • A list of deny/allow rules at kernel level
    • /usr/share/sandbox/SandboxTemplate.sb (version 1):

      ; System is read only (deny default)
      (allow file-read*)
      (deny file-write*)

      ; Sandbox violations get logged to syslog via kernel logging.
      (debug deny)

      (allow sysctl-read)

      ; Mount / umount commands
      (deny file-write-mount file-write-umount)

      ; Private areas
      (deny file-write*
          (regex "^/private/var/mobile/Applications/.*$"))
      (deny file-read*
          (regex "^/private/var/mobile/Applications/.*$"))

  25. Sandboxing for the Win?
    “Applications on the device are ‘sandboxed’ so they cannot access data stored by other applications. In addition, system files, resources, and the kernel are shielded from the user's application space.” – Apple, iPhone in Business – Security Overview, http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf
    This is not true, because the rules are too loose. Demo!
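To make the "rules are too loose" point concrete, here is an added example (not code from the talk or from SpyPhone) that models the two file-read rules quoted from SandboxTemplate.sb and checks sample paths against them. The model is an assumption: a read is treated as allowed unless one of the deny regexes matches, which is all the quoted template expresses; the real kernel evaluator and the rest of the profile are not reproduced. The sample paths and the tightened rule set are constructed for illustration; only the accountsettings.plist path comes from the slides.

```python
import re

# Deny regexes for file-read* exactly as quoted from SandboxTemplate.sb (version 1).
# Model (assumption): "(allow file-read*)" holds unless a deny regex matches.
TEMPLATE_DENY_READ = [r"^/private/var/mobile/Applications/.*$"]

# Hypothetical tighter profile (constructed, not an Apple profile) that also
# fences off the shared Library area where user preference files live.
TIGHT_DENY_READ = TEMPLATE_DENY_READ + [r"^/private/var/mobile/Library/.*$"]

# Constructed sample paths: another application's container (denied by the
# template) and the preferences file named on the "Strings Obfuscation" slide.
SAMPLE_PATHS = [
    "/private/var/mobile/Applications/00000000-1111-2222-3333-444444444444/Documents/data.db",
    "/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist",
]


def read_allowed(path, deny_patterns):
    """True when no (deny file-read* (regex ...)) rule matches the path."""
    return not any(re.match(pattern, path) for pattern in deny_patterns)


def audit(paths, deny_patterns):
    """Map each path to whether a third-party app could read it under the profile."""
    return {path: read_allowed(path, deny_patterns) for path in paths}


def readable_paths(paths, deny_patterns):
    """Paths the profile leaves readable: the set an auditor wants to shrink."""
    return [path for path, allowed in audit(paths, deny_patterns).items() if allowed]


if __name__ == "__main__":
    for name, rules in (("template", TEMPLATE_DENY_READ), ("tightened", TIGHT_DENY_READ)):
        print(f"{name}: still readable -> {readable_paths(SAMPLE_PATHS, rules)}")
```

Under the template rules only the other app's container is blocked; the preferences file outside Applications/ stays readable, which is the gap the demo exploits. The tightened list shows the shape of a rule that would close it.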

  26. Introducing SpyPhone

  27. Safari / YouTube Searches

  28. Phone and Email Accounts

  29. Contacts, Keyboard Cache

  30. Geotagged Photos Location

  31. GPS and Wifi Location

  32. SpyPhone
    • Contributions welcome!
    • 2000 lines + EXIF library
    • GPL License
    • http://github.com/nst/spyphone

  33. Methodology – Step B Put the application on the App Store.

  34. 2.2. Fool App Store Reviewers

  35. App Store and Malware
    “We've built a store for the most part that people can trust. There have been applications submitted for approval that will steal personal data.” – Phil Schiller, Apple senior VP, http://www.businessweek.com/technology/content/nov2009/tc20091120_354597.htm
    • 10,000 submissions per week
    • 10% of rejections related to malware

  36. iPhone SDK Standard Agreement
    • 5.4 – You may not make any public statements regarding this Agreement
    • Applications must not collect users’ personal information and must comply with local laws
    • Base for spyware rejection
    • Published by WikiLeaks and Wired…

  37. AppStore Reviews
    • Reviewers can be fooled
    • Spyware activation can be delayed
    • Payloads can be encrypted
    • Many things can change at runtime

  38. Hiding the Beast
    • Guesswork about AppStore review process
      • Static analysis with $ strings
      • Dynamic analysis with I/O Instruments
      • Monitor file openings
      • Check against black lists

  39. Strings Obfuscation

    // Shift every character of s back by one, undoing the +1 encoding below
    - (NSString *)stringMinus1:(NSString *)s {
        NSMutableString *s2 = [NSMutableString string];
        for (int i = 0; i < [s length]; i++) {
            unichar c = [s characterAtIndex:i];
            [s2 appendFormat:@"%C", (unichar)(c - 1)];
        }
        return s2;
    }

    - (void)viewDidAppear:(BOOL)animated {
        [super viewDidAppear:animated];
        NSString *pathPlus1 = @"0wbs0npcjmf0Mjcsbsz0Qsfgfsfodft0dpn/bqqmf/bddpvoutfuujoht/qmjtu";
        // @"/var/mobile/Library/Preferences/com.apple.accountsettings.plist"
        NSString *path = [self stringMinus1:pathPlus1];
        NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:path];
        // ...
    }

    This code would probably pass a static analysis
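The slide's point is that `strings` plus a black list misses a path literal stored with every character shifted by one. A reviewer's counter-measure is cheap: try a handful of constant shifts on each extracted string before matching it against the black list. The following is an added example (not code from the talk or from SpyPhone) that does exactly that on a constructed byte blob containing the slide's encoded literal; the black-list regex, the +/-3 shift range and the sample blob are assumptions for illustration.

```python
import re

# Constructed watch-list: plist files under the user's Library, which is where
# the slide's decoded path points. A real reviewer list would be longer.
SENSITIVE_PATH = re.compile(r"^/(private/)?var/mobile/Library/.*\.plist$")


def extract_strings(blob: bytes, min_len: int = 8):
    """Approximation of `strings`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shift(s: str, k: int) -> str:
    """Shift every character code by k; k = -1 undoes the slide's +1 encoding."""
    return "".join(chr(ord(c) + k) for c in s)


def find_shifted_paths(blob: bytes, max_shift: int = 3):
    """Return (raw string, shift, decoded path) for every extracted string that
    turns into a sensitive path under a small constant shift (shift 0 included,
    so plain-text paths are reported too)."""
    hits = []
    for raw in extract_strings(blob):
        for k in range(-max_shift, max_shift + 1):
            decoded = shift(raw, k)
            if SENSITIVE_PATH.match(decoded):
                hits.append((raw, k, decoded))
    return hits


# Constructed stand-in for a binary: the slide's encoded literal between
# non-printable bytes, plus an innocent string that must not be flagged.
SAMPLE_BINARY = (
    b"\x00\x01\x02"
    b"0wbs0npcjmf0Mjcsbsz0Qsfgfsfodft0dpn/bqqmf/bddpvoutfuujoht/qmjtu"
    b"\x00\x00"
    b"Hello, breakout game!"
    b"\x00"
)

if __name__ == "__main__":
    for raw, k, decoded in find_shifted_paths(SAMPLE_BINARY):
        print(f"shift {k:+d}: {raw!r} -> {decoded}")
```

The plain `strings` pass returns the encoded literal unchanged, so a black list never fires on it; the shift loop recovers the accountsettings.plist path at shift -1. Runtime-assembled or encrypted strings still escape this check, which is why the slide pairs static analysis with file-open monitoring.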

  40. Apple’s GPS Kill Switch

    $ curl https://iphone-services.apple.com/clbl/unauthorizedApps
    {
        "Date Generated" = "2010-01-03 05:02:36 Etc/GMT";
        "BlackListedApps" = {};
    }

    • Discovered by Jonathan Zdziarski in August 2008
    • clbl stands for “Core Location Black List”
    • Prevents applications from using Core Location
    • Apple never acknowledged its existence publicly
    • Apple never used it – SpyPhone doesn’t care

  41. Methodology – Step C Database

  42. 3. Attack Scenarios

  43. This is Real World http://xkcd.com/538/

  44. The Spammer
    • Write a little breakout game
    • Make it available for free on AppStore
    • Collect user email addresses + weather cities + user’s interests from Safari searches and keyboard cache
    • Collect Address Book emails
    • Send them with high scores

  45. The Luxury Products Thief
    • Write an app for sports car or luxury watch collectors
    • Report the name, phone, area and geotagged photos of wealthy people
    • When you can determine that someone is away from home, just rob him

  46. The Jealous Husband
    • Could also be named evil competitor or law enforcement officer
    • Requirements: 5 minutes of physical access to the device, an Apple $99 developer license, a USB cable
    • Install SpyPhone, send the report
    • Delete the report from sent emails, delete SpyPhone
    http://www.flickr.com/photos/11213613@N05/4147756184/

  47. VIPs – François Fillon, French Prime Minister, and Rachida Dati, former French Justice Minister
    < insert your attack scenario here >

  48. Methodology Database So what?

  49. 4. Recommendations and Conclusion

  50. Security Through Obscurity
    • Apple should not rely on security through obscurity
    • It shouldn’t claim that an application cannot access data from other applications
    • It may have to review the iPhone S-SDLC
