Facebook + iPhone = iOwned
The latest target in our iPhone research has been the very popular Facebook application. In the space of time it took me to drink my morning coffee, I had worked out how to session hijack Facebook accounts through an iPhone. The attack is so simple that anyone can do it... and the iPhone doesn’t need to be Jailbroken (but it helps).
Using any one of many methods (described later in the article) to gain access to the victim’s file system, browse to the Facebook install directory and grab a copy of the following two files:
- /private/var/mobile/Applications/<install directory>/Library/Preferences/com.facebook.Facebook.plist
- /private/var/mobile/Applications/<install directory>/Library/Cookies/Cookies.plist
Place these two files into the appropriate directories on another handset, and you have full access to the stolen Facebook session – shown here in full Technicolor.
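The weakness above is that the session credential lives in a plain file that works wherever it is copied. An app developer or assessor can check their own application's cookie store for that condition with a small audit script. The following is an added example, not code from the article or from Facebook: it builds a constructed cookie jar in the same shape as an iOS Cookies.plist (an array of records with Name, Value, Domain, Path, Expires and Created keys, which is an assumption of this example), parses it with the standard plistlib module, and reports every credential-looking cookie that has been persisted to disk, flagging those whose expiry is far beyond a sensible session lifetime.

```python
import plistlib
from datetime import datetime, timedelta

# Reference time for the audit (constructed; naive datetime because plistlib
# serialises naive datetimes only).
NOW = datetime(2010, 2, 1, 9, 0, 0)

def _cookie(name, value, expires):
    # Key names follow the record layout assumed for an iOS Cookies.plist;
    # that layout is an assumption of this example, not taken from the article.
    return {"Name": name, "Value": value, "Domain": "example.com",
            "Path": "/", "Expires": expires, "Created": NOW.timestamp()}

# Constructed sample cookie jar, serialised as a binary plist the way the
# on-disk file would be. Names and values are made up for the example.
SAMPLE_COOKIES_PLIST = plistlib.dumps([
    _cookie("sessionid", "opaque-session-secret", NOW + timedelta(days=365)),
    _cookie("auth_token", "another-opaque-secret", NOW + timedelta(days=90)),
    _cookie("locale", "en_GB", NOW + timedelta(days=7)),
], fmt=plistlib.FMT_BINARY)

# Name fragments that usually mark a credential-bearing cookie (heuristic).
AUTH_NAME_HINTS = ("sess", "auth", "token", "sid", "login")

def load_cookie_jar(plist_bytes):
    """Parse a Cookies.plist blob (binary or XML) into a list of cookie dicts."""
    records = plistlib.loads(plist_bytes)
    if not isinstance(records, list):
        raise ValueError("expected an array of cookie records")
    return [r for r in records if isinstance(r, dict)]

def looks_like_session_cookie(name):
    """True when the cookie name suggests it carries a session credential."""
    lowered = name.lower()
    return any(hint in lowered for hint in AUTH_NAME_HINTS)

def audit_cookie_jar(plist_bytes, now, max_session_age=timedelta(hours=24)):
    """Report every credential-looking cookie found on disk.

    Anything returned here survives a copy of the file to another handset,
    which is the weakness described above. A cookie is also marked
    long_lived when its expiry lies further out than max_session_age.
    """
    findings = []
    for cookie in load_cookie_jar(plist_bytes):
        name = cookie.get("Name", "")
        if not looks_like_session_cookie(name):
            continue
        expires = cookie.get("Expires")
        remaining = (expires - now) if isinstance(expires, datetime) else None
        findings.append({
            "name": name,
            "domain": cookie.get("Domain", ""),
            "remaining": remaining,
            "long_lived": remaining is not None and remaining > max_session_age,
        })
    return findings

if __name__ == "__main__":
    for f in audit_cookie_jar(SAMPLE_COOKIES_PLIST, NOW):
        flag = "LONG-LIVED" if f["long_lived"] else "short-lived"
        print(f"{f['domain']}: {f['name']} persisted on disk "
              f"({flag}, expires in {f['remaining']})")
```

Run against a real cookie store, replace SAMPLE_COOKIES_PLIST with the bytes of the file and NOW with the current time; an empty result is what you want to see for a session credential, since a token that must be kept should live in the Keychain with a short server-side lifetime rather than in the cookie jar.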
Session protection is a fundamental aspect of any web based application, so why have the developers of the Facebook app ignored it?
We believe that this is so fundamental that we have released a security advisory – after all, more and more corporate users are adopting this technology. In fact, we know professional project managers who use iPhones and Facebook to help keep their projects rolling along...
"What could this mean?"
Accessing a teen's Facebook account could not only cause a lot of embarrassment, but has immense privacy and safety concerns if the snooper is predatory. I don’t think we need to explain any more on that subject.
Accessing and impersonating a Facebook account belonging to a member of your company could prove devastating for an individual's reputation, and that of their employer. We know - it happens.
“If it ain’t broke, don’t fix it.”
Security and usability are often at odds with each other. The more secure a device, the less user-friendly it is. To gain access to advanced functionality and applications that have not been published in the official iTunes App Store, one must Jailbreak the handset. Once the phone has been Jailbroken, the sandboxing security controls are no longer effective.
As much as Apple deters people from Jailbreaking, it is not an issue that will go away. Statistics from the people who provide the Jailbreaking software are staggering. Over a million people have backed up their anti-anti-Jailbreaking data (http://www.phonenews.com/saurik-declares-over-1-million-apple-mobile-devices-in-anti-anti-jailbreaking-system-10156/). The Blackra1n Jailbreaking software is claiming that 0.17% of the world and 1.3% of the USA have viewed their site in the last 4 months alone! (http://iphonejtag.blogspot.com/2010/01/blackra1n-hits.html).
With the launch of the iPad, people are not going to be happy with its very limited capabilities. We predict that the Jailbreaking of iPads is going to be just as common, if not more so.
“Other Methods?”
So far, most of the attack vectors on the iPhone have been through Jailbreaking. This is because it is easy to further compromise a device once it has already been compromised. What other attack vectors exist that may compromise the security on a factory install iPhone or iPad?
- Browser - The most likely source of compromise is through the Safari Web Browser. While Internet Explorer certainly takes much of the flak regarding security and privacy issues, Safari does not fare much better – and depending upon which source you listen to, Safari is often the leakiest browser for privacy. For example, the vulnerability outlined here http://scary.beasts.org/security/CESA-2009-006.html (includes demos) shows how Safari can be used to gain access to the underlying file system. This vulnerability has been patched in newer versions of Safari, but another one is always around the corner.
- Malware - The attack vector that we predict to be the most effective is PC based malware. When the user connects to iTunes, the malware will execute and gather its payload. There is already a proof of concept program called Spyphone (http://www.taranfx.com/spyphone-app-steals-personal-data-from-all-iphones) that can compromise large amounts of personal information from an iPhone – and it does not need to be Jailbroken.
- Physical - A much less sophisticated, but highly effective method of accessing the iPhone is through a stolen handset. Simply, there are no secure methods for protecting against a straightforward physical attack. Remote data wipe is useless if the SIM card has been removed. PIN protection is useless if the phone is Jailbroken and connected to a computer (iPhone Explorer - http://www.iphone-explorer.com). To add insult to injury, the Blackra1n Jailbreaking method does not require the access PIN either. You could do this to a friend's phone in the time it takes them to go to the toilet.
- Wireless Networks – Attacks using malicious or compromised wireless hotspots and networks, from basic packet sniffing through to URL cache poisoning, are likely to become increasingly prevalent.
- Others – A fantastic (and slightly technical) article regarding iPhone privacy has been released recently; I highly recommend it for some bed time reading - http://seriot.ch/resources/talkss_papers/iPhonePrivacy.pdf
So, where does this leave us? Back in the 1990s, it would appear. Fundamental security issues such as Session Hijacking, security of databases and Code Injection are never going to be well understood and implemented by the hordes of Application Developers (both professional and amateur). We have no choice but to rely on vendors to provide appropriate security, which so far they have failed to do.
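Session protection is a server-side discipline as much as a client-side one: a stolen token is far less useful when the service binds each session to the device that created it, expires idle sessions, and revokes a session the moment it is presented from somewhere else. The following is an added example, not the article's or any vendor's code, showing that logic in an in-memory session table; the device_info string, the 900-second idle timeout and the audit_log list are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

def fingerprint_hash(device_info):
    """Reduce whatever the client presents about itself (here a constructed
    string such as a device identifier plus app version) to a fixed digest."""
    return hashlib.sha256(device_info.encode("utf-8")).hexdigest()

class SessionStore:
    """Server-side session table that binds each token to the device that
    logged in, expires idle sessions and revokes on a device mismatch."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed
        self._sessions = {}                # token -> session record
        self.audit_log = []                # events a SOC would want to see

    def create(self, user, device_info, now=None):
        """Issue a fresh, unguessable token bound to this device."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "fp": fingerprint_hash(device_info),
            "last_seen": now,
        }
        return token

    def validate(self, token, device_info, now=None):
        """Return (user, "ok") for a valid request, else (None, reason)."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown token"
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None, "expired"
        if not hmac.compare_digest(session["fp"], fingerprint_hash(device_info)):
            # The token arrived from a different device: treat it as possible
            # theft, drop the session so the real owner must log in again, and
            # record the event for detection.
            del self._sessions[token]
            self.audit_log.append(
                f"session for {session['user']} revoked: device mismatch")
            return None, "device mismatch"
        session["last_seen"] = now
        return session["user"], "ok"

if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", "handset-A/app-3.1")
    print(store.validate(token, "handset-A/app-3.1"))   # legitimate device
    print(store.validate(token, "handset-B/app-3.1"))   # copied token, other device
    print(store.validate(token, "handset-A/app-3.1"))   # revoked for the owner too
    print(store.audit_log)
```

A device fingerprint can be imitated by someone who has also copied the preference files, so this raises the bar rather than removing the risk; it belongs alongside short session lifetimes, re-authentication for sensitive actions and keeping the credential out of the plain cookie store.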
This means that before adopting any new technology, thorough consideration of the risks involved must form part of the evaluation process.
Although validation is a growing area of business for us, all too often we still get asked to mop up after a technology has been rushed through to production. Almost always it would have been much cheaper, easier and less embarrassing had the risks been considered beforehand.
Bill Robson is e-Sentinel’s lead Penetration Tester and over the past decade has assessed the security of some of the largest corporations in the UK and Australia. His passion for information security keeps him on the leading edge of security research and trends in the connected world.
If you have any queries or concerns about the security of your current web site, web applications or about secure application development, please Contact Us at e-Sentinel.
e-Sentinel is one of Australia’s most trusted, independent providers of information assurance and computer system validation solutions working with clients in passenger air transport, medical, pharmaceutical, manufacturing, critical infrastructure, finance, banking and gaming.