EXPLOITME MOBILE IPHONE LABS – Secure Logging & Basic Encryption

Hi all!
In previous articles, we looked at Secure Connection and Parameter Manipulation on iOS. In this post, we will look at Secure Logging and Basic Encryption on iOS.

Secure Logging
Sometimes developers are overzealous about logging. We will access the iPhone’s logs to see whether our application logs any sensitive information. An attacker with access to a phone may be able to recover sensitive information from the device logs, even if the application itself is secured.
Start the iPhone emulator and run the application. We will view the log with the Console app (available on Mac OS X in /Applications/Utilities). Transfer money within the app.

[Screenshot: Console app]

So we can see sensitive information simply by reading the log.
If you use a physical iPhone, you can view the log in the Organizer in Xcode.

Basic Encryption

In this lab, we will grab some sensitive information from a file on the device. In this case the sensitive information is not encrypted, so we simply have to find it. Search under the path listed in the Setup. On iOS, this information is saved in a .plist file. We will open the .plist file in the folder /Library/Preferences/.

[Screenshot: plist]

Here we can see that the username and password are stored as clear text. Just by viewing the file, I obtained the user's information fairly easily. This is quite a dangerous error. However, the local password is encrypted and includes a salt.
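One way to check a preferences file for this problem, as an added example that is not part of the original lab: it parses a .plist (XML or binary) and flags credential-like keys whose values are readable text. The key names, the regex heuristics and the sample file are assumptions constructed for illustration; only the jdoe / password pair comes from the lab.

```python
import plistlib
import re

# Key names that suggest a stored credential (assumed patterns, adjust per app).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|user(name)?|token|secret", re.I)
# Heuristic: 16+ characters of only hex or base64 are treated as hashed/encoded.
# A long alphanumeric password would also match, so review "opaque" hits by hand.
OPAQUE_VALUE = re.compile(r"^(?:[0-9a-fA-F]{16,}|[A-Za-z0-9+/]{16,}={0,2})$")


def walk(node, path=""):
    """Yield (key_path, value) for every leaf in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_plist(raw: bytes):
    """Return (key_path, 'cleartext' | 'opaque') for credential-like keys."""
    findings = []
    for path, value in walk(plistlib.loads(raw)):  # auto-detects XML or binary
        name = path.rsplit("/", 1)[-1]
        if not SENSITIVE_KEY.search(name):
            continue
        if isinstance(value, bytes):
            kind = "opaque"
        elif isinstance(value, str) and value:
            kind = "opaque" if OPAQUE_VALUE.match(value) else "cleartext"
        else:
            continue  # booleans, numbers and empty strings are not credentials
        findings.append((path, kind))
    return findings


# Constructed sample preferences file, written as a binary plist.
SAMPLE = plistlib.dumps({
    "server_user": "jdoe",
    "server_password": "password",
    "local_password": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b",
    "local_salt": b"\x01\x02\x03\x04",
    "first_run": False,
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for path, kind in audit_plist(SAMPLE):
        print(f"{kind:9} {path}")
```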

Solution

We need some way to encrypt the username and password (jdoe / password) and store them on the device. The app should be able to extract the username/password combination when it needs to access the server, but an attacker in our situation should not be able to extract them.
We solve this by encrypting the username and password. The obvious question here is “where do we store the key?” For now, we will hardcode a key into the application. This is bad! In a later lab, we will show you how to break this, but for now, here is what our (broken) encryption looks like:

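#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>

// Hardcoded 32-character (256-bit) key. Anyone who can read the app binary
// can recover it; this is the deliberately broken part of the lab.
NSString* kSecretEncryptionKey = @"SECRETKEYFORENCRYPTINGTHEPASSWRD";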

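// Encrypts plaintext with AES-256 and PKCS#7 padding. kCCAlgorithmAES128 names
// the AES algorithm (128-bit block); the key size argument selects AES-256.
// CCCrypt uses CBC mode unless kCCOptionECBMode is set.
NSData* BankEncryptString(NSString* plaintext, NSData* key, NSData* iv)
{
    NSData* result = nil;

    // CCCrypt reads exactly kCCKeySizeAES256 bytes from the key; reject any other length.
    if ([key length] != kCCKeySizeAES256) {
        return nil;
    }

    NSData* plaintextData = [plaintext dataUsingEncoding: NSUTF8StringEncoding];

    // PKCS#7 padding adds at most one 16-byte block; the 32-byte key length leaves enough room.
    size_t bufferSize = [plaintextData length] + [key length];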

    void *buffer = calloc(bufferSize, sizeof(uint8_t));
    if (buffer != nil)
    {
        size_t dataOutMoved = 0;

        CCCryptorStatus cryptStatus = CCCrypt(
            kCCEncrypt,
            kCCAlgorithmAES128,
            kCCOptionPKCS7Padding,
            [key bytes],
            kCCKeySizeAES256,
            [iv bytes],
            [plaintextData bytes],
            [plaintextData length],
            buffer,
            bufferSize,
            &dataOutMoved
        );

        if (cryptStatus == kCCSuccess) {
            result = [NSData dataWithBytesNoCopy: buffer length: dataOutMoved freeWhenDone: YES];
        } else {
            free(buffer);
        }
    }

    return result;
}

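// Decrypts ciphertext produced by BankEncryptString; returns nil on failure.
NSString* BankDecryptString(NSData* ciphertext, NSData* key, NSData* iv)
{
    NSString* result = nil;

    // Same key-length requirement as for encryption.
    if ([key length] != kCCKeySizeAES256) {
        return nil;
    }

    // The plaintext is never longer than the ciphertext.
    size_t bufferSize = [ciphertext length];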

    void *buffer = calloc(bufferSize, sizeof(uint8_t));
    if (buffer != nil)
    {
        size_t dataOutMoved = 0;

        CCCryptorStatus cryptStatus = CCCrypt(
            kCCDecrypt,
            kCCAlgorithmAES128,
            kCCOptionPKCS7Padding,
            [key bytes],
            kCCKeySizeAES256,
            [iv bytes],
            [ciphertext bytes],
            [ciphertext length],
            buffer,
            bufferSize,
            &dataOutMoved
        );

        if (cryptStatus == kCCSuccess) {
            result = [[NSString alloc] initWithBytesNoCopy: buffer length: dataOutMoved encoding: NSUTF8StringEncoding freeWhenDone: YES];
        } else {
            free(buffer);
        }
    }

    return result;
}
