Backdoors and surveillance mechanisms in iOS devices


This paper is actually half a year old – give or take – but it’s gotten a lot of attention recently due to, well, the fact that he has uploaded a PowerPoint from a talk about these matters, which is obviously a little bit more accessible than a proper scientific journal article.

For instance, despite Apple’s claims of not being able to read your encrypted iMessages, there’s this:

“In October 2013, Quarkslab exposed design flaws in Apple’s iMessage protocol demonstrating that Apple does, despite its vehement denial, have the technical capability to intercept private iMessage traffic if they so desired, or were coerced to under a court order. The iMessage protocol is touted to use end-to-end encryption, however Quarkslab revealed in their research that the asymmetric keys generated to perform this encryption are exchanged through key directory servers centrally managed by Apple, which allow for substitute keys to be injected to allow eavesdropping to be performed. Similarly, the group revealed that certificate pinning, a very common and easy-to-implement certificate chain security mechanism, was not implemented in iMessage, potentially allowing malicious parties to perform MiTM attacks against iMessage in the same fashion.”

There are also several services in iOS that facilitate organisations like the NSA, yet these features have no reason to be there. They are not referenced by any (known) Apple software, do not require developer mode (so they’re not debugging tools or anything), and are available on every single iOS device.

One example of these services is a packet sniffer, com.apple.pcapd, which “dumps network traffic and HTTP request/response data traveling into and out of the device” and “can be targeted via WiFi for remote monitoring”. It runs on every iOS device. Then there’s com.apple.mobile.file_relay, which “completely bypasses Apple’s backup encryption for end-user security”, “has evolved considerably, even in iOS 7, to expose much personal data”, and is “very intentionally placed and intended to dump data from the device by request”.

This second one, especially, only gave relatively limited access in iOS 2.x, but in iOS 7 has grown to give access to pretty much everything, down to “a complete metadata disk sparseimage of the iOS file system, sans actual content”, meaning time stamps, file names, names of all installed applications and their documents, configured email accounts, and a lot more. As you can see, the exposed information goes quite deep.

Apple is a company that continuously claims it cares about security and your privacy, but yet they actively make it easy to get to all your personal data. There’s a massive contradiction between Apple’s marketing fluff on the one hand, and the reality of the access iOS provides to your personal data on the other – down to outright lies about Apple not being able to read your iMessages.

Those of us who aren’t corporate cheerleaders are not surprised by this in the slightest – Apple, Microsoft, Google, they’re all the same – but I still encounter people online every day who seem to believe the marketing nonsense Apple puts out. People, it doesn’t get much clearer than this: Apple does not care about your privacy any more or less than its competitors.

Source: OS News

Note: this is not mentioned in the original article, but it is definitely worth noting that there is at least one company out there that cares about your privacy and always has and is the leader in security. That’s BlackBerry of course, they should be recognized for how great they are and they continually get overlooked unless it is for something negative. BlackBerry for life! Best mobile OS is BlackBerry 10, period.

iOS Mobile Banking Apps Vulnerable to Man in the Middle Attacks


It’s mighty convenient to load up a mobile banking app with a slick interface as opposed to logging into the website via your smartphone’s web browser, but in doing so, you may inadvertently be putting yourself at a greater risk of so-called man-in-the-middle attacks, hijack attempts, and other unfriendly behavior. A recent study suggests that mobile banking apps for iOS may be less secure than you think.

A researcher at IOActive tested 40 mobile apps from 60 of the leading banks from around the world. His various tests covered transport security, compiler protection, UIWebViews, insecure data storage, logging, and binary analysis. What he found is pretty alarming.

Some 40 percent of the audited apps did not validate the authenticity of SSL certificates presented, which makes them susceptible to man-in-the-middle attacks. Almost all of them, around 90 percent, contained several non-SSL links throughout the application. According to IOActive, this allows an attacker to intercept the traffic and inject arbitrary JavaScript and HTML code in an attempt to create a fake login prompt or some other similar scam.

The list of vulnerabilities goes on, such as half of the apps being found susceptible to JavaScript injections via insecure UIWebView implementations.

“Home banking apps that have been adapted for mobile devices, such as smartphones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions,” the report concludes.

Source: Hot Hardware

Apple iOS apps subject to man-in-the-middle attacks


HTTP Request Hijacking attack said to be simple to do against Apple iOS apps

Network World – Many Apple iOS applications are vulnerable to a man-in-the-middle attack that can result in permanent manipulation by the attacker, according to start-up Skycure, which released its research findings on this today during the RSA Europe conference.

Skycure CTO Yair Amit says many mobile iOS apps are vulnerable to a “very simple attack that relies on the 301 HTTP Response, a permanent re-direction.” If an Apple iOS app can cache these so-called 301 HTTP Re-Direct Response requests — and many popular iOS apps do, according to Skycure — then the app is vulnerable to being repeatedly hijacked via re-direction to the attacker’s server.

While this general type of man-in-the-middle attack has been known on the Web for many years, for mobile applications the result is worse in that it “persistently changes the URL” of the server and lets the attacker take dynamic control over the app, says Amit. In the information that Skycure is publishing today, the company notes the impact of the attack is basically that instead of loading data from the real site that the user wants to visit, the attacker can make the app permanently load the data from the attacker’s site.

Skycure isn’t releasing the names of the vulnerable iOS apps because this issue hasn’t necessarily been fixed. Amit says according to Skycure’s research, a significant portion of apps available through the official Apple App Store could be attacked this way. The problem is not a vulnerability in iOS itself but a coding weakness on the part of the developer.

Skycure says “HTTP Request Hijacking” of Apple iOS mobile devices such as iPhones and iPads starts with a man-in-the-middle attack, which would typically commence in a public WiFi zone, such as in a coffee shop. While a type of attack like this has been known to happen on the Web between computer-based Web browsers and Web servers for quite some time, the way a similar attack works on mobile devices hasn’t yet been subject to much scrutiny, says Amit.

He adds the implication of such an attack on news or financial information received through iOS devices is troubling.
“In a mobile application, it changes the application,” he says, adding “there’s no easy way to remove the problem.” But Skycure believes there are a number of steps that app developers can take to remediate or mitigate against it.

Among them are making sure the app doesn’t cache a 301 HTTP Re-Direct Response for re-direction. Another is to make sure the mobile device interacts with a designated server via an encrypted protocol, such as HTTPS, instead of HTTP. “If you want your application to behave differently with a server, just release an update,” he suggests. Making changes to apps to correct for this may be somewhat disruptive to the end-user, he adds.
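One way to apply the two mitigations above in an app's networking layer, as an added example that is not from Skycure or the original article: a URLSession that keeps no response cache and refuses any redirect that leaves HTTPS or the designated server. The host `api.example.com` and the names `RedirectGuard`, `isAcceptableRedirect` and `makeHardenedSession` are assumptions made for illustration.

```swift
import Foundation

// Added example, not the article's code. "api.example.com" is a placeholder host.
let designatedHost = "api.example.com"

/// A redirect target is acceptable only if it stays on HTTPS and on the designated server.
func isAcceptableRedirect(_ url: URL?, host: String = designatedHost) -> Bool {
    guard let url = url,
          url.scheme?.lowercased() == "https",
          url.host?.lowercased() == host.lowercased() else { return false }
    return true
}

/// Hypothetical delegate that vets every 3xx response before URLSession follows it.
final class RedirectGuard: NSObject, URLSessionTaskDelegate {
    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    willPerformHTTPRedirection response: HTTPURLResponse,
                    newRequest request: URLRequest,
                    completionHandler: @escaping (URLRequest?) -> Void) {
        if isAcceptableRedirect(request.url) {
            completionHandler(request)
        } else {
            // Passing nil stops the redirect; the task completes with the 3xx response itself.
            completionHandler(nil)
        }
    }
}

func makeHardenedSession() -> URLSession {
    // Ephemeral configuration writes no cache to disk, and urlCache = nil drops the
    // in-memory cache too, so a 301 received once cannot be replayed on later requests.
    let config = URLSessionConfiguration.ephemeral
    config.urlCache = nil
    config.requestCachePolicy = .reloadIgnoringLocalCacheData
    return URLSession(configuration: config, delegate: RedirectGuard(), delegateQueue: nil)
}

// Constructed sample redirect targets, checked against the policy.
let samples = [
    "https://api.example.com/v2/feed",    // same host, HTTPS
    "http://api.example.com/v2/feed",     // downgrade to HTTP
    "https://mirror.example.net/v2/feed"  // different host
]
for s in samples {
    print(s, "->", isAcceptableRedirect(URL(string: s)) ? "follow" : "refuse")
}
```

Only the first sample is followed; the other two are refused, so the request fails visibly instead of being silently re-pointed.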

The HTTP Request Hijacking attack on iOS that Skycure has identified may also exist in Android or other mobile-device platforms, but Skycure currently puts its focus primarily on Apple iOS. Skycure believes one danger in this type of man-in-the-middle attack on mobile devices is that it is much less visible to the victimized end-user than the more traditional computer-based form of the attack.

Source: Network World

Security experts warn against using LinkedIn app for Apple iPhone


App embeds link to an email sender's profile and could compromise security of the device

The new LinkedIn iPhone app that embeds a link to an email sender’s profile on the professional network presents a number of security risks and should not be used, experts warned.

Criticism of the app, called Intro, started soon after its release last week. The first to slam LinkedIn was security consultancy Bishop Fox, which accused the site of “hijacking email.”

Over the weekend, Jordan Wright, a security engineer at CoNetrix, said he was able to spoof Intro profile information, using a technique that a criminal could easily replicate for a phishing attack.

On Monday, Neohapsis, which does penetration testing and risk assessment for mobile apps, got into the act, saying Intro users were taking on serious risks for a “marginal convenience feature at best.”

“I can’t think of a situation where a user would agree to a reduced level of transport security of their emails in exchange for the novelty of being able to instantly view their LinkedIn contact’s details in the iPhone email client,” Gene Meltser, technical director at Neohapsis Labs, said.

LinkedIn has defended Intro, saying the criticism is based on “inaccuracies and misperceptions”.

Wright’s spoofing experiment started with the interception of the security profile Intro inserts into iOS. He then found the username and password used to log into the LinkedIn service and grabbed the first email to look closely at what LinkedIn injects.

His investigation found that he could remove the Intro data and replace it with his own, thereby commandeering the Intro profile tab to show whatever information he wanted.

While his proof-of-concept would be benign to an email recipient, “it would be just as easy to attach a malicious payload, request sensitive information, etc.,” Wright said.

Fox compared Intro to a “man-in-the-middle” attack, because all messages go through LinkedIn servers and are analyzed and scraped for data “pertaining to whatever they feel like it.”

Also, pushing a security profile to the iOS device so that LinkedIn can re-route emails posed the risk of having the profile used to wipe a phone, install apps, delete apps and restrict functionality.

“You are effectively putting your trust in LinkedIn to manage your users’ device security,” Fox said.

Continue reading by clicking the source link below.

Source: NetworkWorld

Apple Patent Reveals Swype-like Keyboard


Android users are probably familiar with the Swype keyboard which basically allows users to type on their phones just by swiping (or “swyping”) between characters versus pecking at individual letters one at a time. In fact one iOS developer has even attempted to port Swype onto iOS devices although it didn’t exactly take off. However it seems that Apple did think about keyboard alternatives back in the day, and thanks to a recent patent that was published, it looks like Apple’s idea was pretty similar to Swype. According to the patent filing, it was filed for back in 2007 which is the same year that the first iPhone debuted, suggesting that Apple was already looking for keyboard alternatives for touchscreen devices back in the day.

However given that it’s 6 years later and the only revision to the Apple keyboard on iOS would be its design, it’s safe to say that Apple decided not to pursue this idea, or other keyboard ideas the Cupertino company and its team might have cooked up then. In any case Apple’s keyboard is more than functional and is pretty accurate as far as onscreen keyboards are concerned.

Source: Ubergizmo

How to turn off iOS 7 frequent location tracking and increase your privacy


By default, iOS 7 will track and record places that you visit most often to provide better location-based data such as in the Today summary of Notification Center. If you value your privacy more than you do location-based data, you can turn the feature off. Turning off features like these can also help save a bit of battery life too.

Here’s how:

1. Launch the Settings app from the Home screen of your iPhone or iPad.

2. Tap on Privacy.

3. Now tap on Location Services at the top.

4. Towards the bottom of the next screen, tap on System Services.

5. Again, towards the bottom of the next page, tap on Frequent Locations.

6. At the top of the next screen, turn the Frequent Locations option to the Off position.


That’s all there is to it. Locations you travel to most will no longer be tracked. While this comes at the expense of not having as accurate location data in places like the Today Summary screen, it also preserves your privacy better and to a lot of us, that’s more important.

Source: iMore

BlackBerry Messenger for iOS submitted to App Store, waiting on approval


BlackBerry Messenger (BBM), once the crack in crack-berry, is going multi-platform this month, including iOS and Android. While no firm release date has been set, BlackBerry’s Alex Kinsella has just stated that BBM for iOS has already been submitted to the App Store. Twitter:

Just in case we forgot to mention, BBM for iPhone was submitted for review 2 wks ago. #waiting #BBM4ALL

Apple approved Google’s Hangouts, Facebook Messenger, the indie WhatsApp, and a plethora of other instant messaging clients, so there shouldn’t be a problem with the core concept. If BlackBerry is trying anything fancy, like screen sharing, that could complicate review. So could any issues related to this being their first iOS app, unlike other major competitors who’ve gotten past their first, painful app launches and settled into the App Store groove.

Either way, we should be getting it soon. Anyone itching to start BBM’ing from their iPhone?

Via: iMore

Another, New iOS Lock Screen Vulnerability Uncovered

Hot on the heels of a vulnerability that gave snoopers the ability to bypass the iPhone’s passcode in iOS 6 and make calls, view and modify contacts, and even access photos via the Contacts app, is a new one that allows the entire contents of the handset to be synced with iTunes.

“The vulnerability is located in the main login module of the mobile iOS device [applies to iPhone or iPad] when processing to use the screenshot function in combination with the emergency call and power button,” said Vulnerability Lab, who initially discovered the flaw.

The vulnerability allows anyone with physical access to the iOS device the ability to easily bypass the passcode lock and use a USB cable to get access to the data stored on the iPhone or iPad from a Mac or PC.

Below is a video demonstrating the vulnerability.

This is a very serious vulnerability indeed, as it means that someone could get access to data stored on an iOS device without leaving a trace. While home users might not like the idea of family and friends snooping through their data, it’s businesses who use iPhones and iPads that need to be really worried. This vulnerability means that storing sensitive information on an iOS 6 device is not a good idea, and additional steps need to be taken to protect the data.

Source: Forbes

iPhone Lockscreen Can Be Bypassed with New iOS 6.1 Trick

A security flaw in Apple’s iOS 6.1 lets anyone bypass your iPhone password lock and access your phone app, view or modify contacts, check your voicemail, and look through your photos (by attempting to add a photo to a contact). The method, as detailed by YouTube user videosdebarraquito, involves making (and immediately canceling) an emergency call and holding down the power button twice. We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1. This isn’t the first time this has happened — a very similar bug affected iOS 4.1 and was fixed in iOS 4.2. We’ve reached out to Apple for comment and will update you once we hear back.

Watch this YouTube video demonstration of the hack.

Source: The Verge

Chart: Top U.S. Smartphone Operating Systems By Market Share

According to Nielsen, a leading global information and measurement company, smartphone owners became the majority of mobile phone users for the first time this year, growing from 49 percent of mobile subscribers in Q1 2012, to 56 percent by Q3 2012. Mobile app usage also continued to grow. Among the top 10 mobile apps, Twitter was the fastest growing Android app, and the Facebook Messenger app grew the most among iPhone apps.

Google remained the top Web brand, with an average 172 million unique visitors each month between January and October 2012, followed by Facebook, which garnered an average of 153 million visits each month. Online video continued to grow in 2012, but YouTube remained the top online video source, averaging 132 million unique viewers during the year.

Source: Nielsen