Archive for May, 2009

There is no hiding the source (and use SSL while you’re at it)

May 31, 2009

Security through obscurity is never a good thing and will always be broken. We can see this with the iPhone’s encrypted AppStore binaries. Once the phone is jailbroken, it is trivial to decrypt the apps; you simply run the program with gdb and set a breakpoint after the decryption routine has run. Voilà! You have the decrypted app. The virus writers do a much better job at this.

Recently I downloaded a Firefox plugin (I know, nothing to do with the iPhone, but it illustrates my point) which required paid registration to gain access to all the features. I pulled up Wireshark and noticed that every time I started Firefox it would query the company’s servers to see if the license was valid. The silly part was, however, that all the queries ran over traditional HTTP (no encryption). It would be trivial to change the hosts file on my computer so that their domain was redirected somewhere else, perhaps to a server that I controlled that would tell the program that the license was valid.

This is not the worst part, however. In the ~/.mozilla/firefox/profile.default/extensions/addon directory (not sure where it is on Windows) I had access to all the JavaScript which did the queries to see if the registration was valid. A simple modification of two or three lines of code to make the server response a static “VALID” is all it would have taken.

Why do I bring this all up? First of all, any iPhone app developer who thinks no one will have access to the files on the device is obviously wrong. Hard-coded passwords, registration numbers/processes, etc. are all a bad idea. Second, of all the third-party apps I’ve tested that use network connections to push out the user’s recent score in a game, download the high score list, etc., none of them use SSL. This is a bad idea because using MITM techniques I could modify the packets and no one would be able to detect that. Also, let’s say there was a buffer overflow in the code that parses the high score list. Any exploit could be thwarted if the connection were SSL and proper certificate checking were performed. Instead, however, all an attacker would have to do is MITM the host and inject the exploit when the high score list comes back from the server.
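What “SSL and proper certificate checking” looks like for a high-score client, as an added example (not code from the original post): the connection refuses plain HTTP, verifies the chain and hostname, pins the server certificate’s SHA-256 fingerprint, and then parses the list under hard bounds so a hostile body is rejected rather than trusted. The pin value and the `name,score` line format are assumptions for illustration.

```python
import hashlib
import ssl
import urllib.parse
from http.client import HTTPSConnection
# Placeholder pin for illustration: a real client embeds the SHA-256 of its own server's DER cert.
PINNED_SHA256 = "00" * 32

def make_context() -> ssl.SSLContext:
    """TLS context that really verifies the chain and the hostname."""
    ctx = ssl.create_default_context()      # system CA store, CERT_REQUIRED
    ctx.check_hostname = True                # cert name must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED      # never downgrade to CERT_NONE
    return ctx

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded server certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def check_url(url: str) -> urllib.parse.SplitResult:
    """Refuse anything that is not https:// before a byte is sent."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing non-HTTPS URL: %s" % url)
    return parts

def parse_high_scores(body: str, max_entries: int = 100, max_name: int = 32):
    """Parse 'name,score' lines under hard bounds; a hostile body is rejected, not trusted."""
    scores = []
    for line in body.splitlines():
        if not line.strip():
            continue
        if len(scores) >= max_entries:
            raise ValueError("too many entries")
        name, sep, score = line.partition(",")
        if not sep or len(name) > max_name or not score.strip().isdigit():
            raise ValueError("malformed entry: %r" % line)
        scores.append((name, int(score)))
    return scores

def fetch_high_scores(url: str, pinned_sha256: str = PINNED_SHA256):
    parts = check_url(url)
    conn = HTTPSConnection(parts.hostname, parts.port or 443, context=make_context())
    conn.connect()                           # chain and hostname verified here
    if cert_fingerprint(conn.sock.getpeercert(binary_form=True)) != pinned_sha256.lower():
        conn.close()
        raise ssl.SSLError("certificate pin mismatch; not reading the response")
    conn.request("GET", parts.path or "/")
    body = conn.getresponse().read().decode("utf-8")
    conn.close()
    return parse_high_scores(body)
```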


Bad proxy, bad!

May 21, 2009

At the IEEE Symposium on Security and Privacy this year, a group from Microsoft Research and some students presented an attack on browsers using proxies. Their paper can be found here. Basically any browser that was using a proxy server (either through WPAD, automatic or manual configuration) was vulnerable to this attack. The proxy server could respond to an HTTPS request with an error, but it could put any HTML/JavaScript/etc. code in the response it wanted. For example, the server could respond with an error that also had an iframe pointing to the originally requested page. That page would then get displayed, but the attacker could inject additional JavaScript to steal elements off of the iframed page. They also demoed another attack in which the attacker tricked the browser into caching the actual page’s certificate but also sent some refresh code. The browser would then show the real site’s certificate info but the attacker’s website. This would be perfect for phishing sites.

This got me to wonder, are smartphone browsers vulnerable to this too? My guess is that they are, but to what extent? I believe that AppStore and iTunes connections are SSL. What about older Windows Mobile IE browsers? In the next few weeks I hope to code up a tool that can test these OSes against this vulnerability.