Apple Security Fails to Stop iPhone Application Hacking
The security built into the iPhone has improved dramatically in recent years, a great thing for Apple fans, and, ironically, it is also good for hackers. It has resulted in a homogeneity that indirectly facilitates hacking.
With the business policy of “bring your own device” in full swing, Apple has successfully spread its iPhones and iPads across scores of Fortune 500 companies. Even many government agencies, including the White House and the U.S. military, are among Apple's customers. For these sales to go through, Apple had to update its mobile operating system, iOS, with some of the most powerful security features in the industry.
This policy had an adverse, unintended consequence: many application developers failed to build in their own safeguards, relying instead almost exclusively on Apple to ensure the security of their applications. Consequently, thousands of applications in the iTunes store share exactly the same security features, such that a single vulnerability could have a domino effect.
“Security is now a secondary addition to many application developers,” said Jonathan Zdziarski, forensic scientist at viaForensics, at the Black Hat cybersecurity conference held in Las Vegas on Thursday. “It means that if you can hack one (application), you can hack all.”
Apple declined to comment.
The technology giant made its first official appearance at the Black Hat forum this year with a session on the security features of iOS, but the dry presentation was little more than a public reading of a document recently issued by Apple. The presenter, Dallas De Atley, the Apple team leader responsible for the security platform, did not take questions after his speech and quickly left through a side door.
Meanwhile, a few meters away in another room, Zdziarski conducted his workshop, “The Dark Art of iOS Application Hacking.” The scenarios Zdziarski described are scary, but they also seem unlikely. To hack all the applications on your phone, a hacker would have to steal your iPhone, which is not so difficult, and discover and exploit a vulnerability in iOS before Apple does. It has happened before, notably when the hacker Charlie Miller found a way to introduce a malicious application into Apple’s jealously guarded iTunes store. When Miller announced his feat, Apple withdrew his developer license.
However, so-called “zero-day exploits” or “zero-day attacks”, which use a security vulnerability exposed in public forums before the patch that fixes it is published, have been extremely rare in iOS.
“This is not the story of ‘Peter and the Wolf,’” Zdziarski told CNNMoney. “But the bottom line is that unless you add your own security mechanism to your application, you are highly vulnerable.”
To illustrate, Zdziarski gave a live demonstration of some of the vulnerabilities in certain popular iPhone applications that provide little security beyond the protection Apple itself includes.
A ‘bug’ in the PayPal app, for example, allows an attacker to place malicious code on a stolen iPhone and to get all the registration information. Such an attack is unlikely, because the hacker would need about 20 minutes with the iPhone to run it before handing the phone back to its owner. But the point is that it is possible and should not be. PayPal, which is a subsidiary of eBay, said it is investigating the issue.
“The safety of our users is a priority for PayPal,” the company said in a statement. “One of the advantages of using PayPal on a mobile device is that the financial information of a user is stored in the cloud and not on your device. Therefore, even if a device is compromised, the user’s financial information is inaccessible.”
One vulnerability is that Apple does not request password confirmation each time a user returns to an application in which they were previously logged in. In a demo, Zdziarski adjusted the application code and introduced “userIsLogged: 1.” That “1” means “true” in this case, and the application was tricked into believing that the user had been properly identified.
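The weakness in that demo is a login state held as a flag the client can change. The sketch below is an added example, not code from Zdziarski's workshop or from any app named in this article: it models in Python a gate that trusts the `userIsLogged` flag beside one that accepts only a server-verified, expiring token. `SERVER_KEY`, `SESSION_TTL`, `sessionToken` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed value; a real key never leaves the server
SESSION_TTL = 300                     # assumed session lifetime in seconds


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: float) -> str:
    """Server side: bind the user and an expiry time into a MAC-protected token."""
    payload = f"{user}|{int(now) + SESSION_TTL}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token: str, now: float):
    """Server side: return the user if the token is authentic and unexpired, else None."""
    try:
        user, expiry, tag = token.rsplit("|", 2)
        expiry_ts = int(expiry)
    except ValueError:
        return None  # malformed or missing token
    expected = _mac(f"{user}|{expiry}")
    # Constant-time comparison on bytes so attacker-supplied tags cannot raise or leak timing.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if now >= expiry_ts:
        return None  # expired: the password must be entered again
    return user


def show_account_weak(client_state: dict) -> bool:
    """Weak gate: trusts a flag stored in state the client controls."""
    return client_state.get("userIsLogged") == 1


def show_account_hardened(client_state: dict, now: float) -> bool:
    """Hardened gate: ignores the flag; only a server-verified token counts."""
    return verify_token(client_state.get("sessionToken", ""), now) is not None
```

Setting the flag to 1 satisfies the weak gate but not the hardened one, which also rejects forged and expired tokens.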
According to Zdziarski, the ultimate goal was not to criticize Apple, PayPal or any other company in particular. On the contrary, it was simply to urge developers not to be lazy when it comes to the security of their iPhone applications.
“Apple has good security. Just do not totally rely on it,” he suggested.