The dark art of iOS app hacking presented at Black Hat.
There are three ways to hack an iOS app. One involves a zero-day exploit, a previously-unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.
“You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it.” Or, he explained, “Give me two minutes with somebody’s phone and I can dump the entire file system from it.” From there, he said he could look at apps for an exploit to take advantage of remotely.
He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use.
All due to a double-edged sword.
The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it’s true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.)
Zdziarski noted that security has become an afterthought for iOS app developers, since they’re trusting Apple’s iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. “Anybody with freely available open source tools can get around that encryption now,” said Zdziarski, who said the encryption has been busted for two years. Zdziarski also showed how he didn’t even have to have the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits on the iPhone idle until the owner enters the passcode, which decrypts the file system and gives the malicious code access to all of it. “Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard friendly passphrase.” So, although the phone’s operating system may be protected, the level of data security on the phone presumes that iOS won’t be hacked.
A great illustration of why developers need to understand that security trumps all.
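As an added illustration (not code from Zdziarski’s talk or the article), here is what “turning on the encryption” looks like from the app side: a Keychain item restricted to the unlocked state and a file written under Data Protection class A, plus a check that the class really applied. Service, account and file names are placeholders.

```swift
import Foundation
import Security

// Store a secret in the Keychain so it is only decryptable while the device
// is unlocked and never migrates via backup to another device.
// Weaker choices to avoid: kSecAttrAccessibleAlways (deprecated) or
// kSecAttrAccessibleAfterFirstUnlock, which keep the key available once the
// device has been unlocked a single time since boot.
func storeSecret(_ secret: Data, service: String, account: String) -> OSStatus {
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,          // placeholder, e.g. "com.example.app"
        kSecAttrAccount as String: account,          // placeholder, e.g. "session-token"
        kSecValueData as String: secret,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    SecItemDelete(item as CFDictionary)              // replace any earlier copy
    return SecItemAdd(item as CFDictionary, nil)     // errSecSuccess (0) on success
}

// Write app data with NSFileProtectionComplete: the per-file key is evicted
// when the device locks, so a file system dumped from a locked phone yields
// only ciphertext until the passcode is entered again.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

// Read back the protection class so a test can assert it is .complete rather
// than the unprotected default.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? FileProtectionType
}
```

Note the limit the article itself describes: class A only helps against an attacker who dumps a locked phone, since code already implanted on the device simply waits for the owner to unlock it and then reads the decrypted data.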
- 19% Of iOS Apps Access Your Address Book Without Your Permission… Until iOS 6 [Report] (cultofmac.com)
- Apple investigating iOS in-app purchase hack (zdnet.com)
Interesting, but not surprising.
The demand for tablet computers such as the iPad is growing so quickly that shipments of them are projected to surpass notebook shipments by 2016. According to market research firm NPD DisplaySearch, the mobile PC category is poised to soar from 347 million units in 2012 to more than 809 million by 2017. Tablets will be leading the way for that massive growth in the next few years. Tablet shipments are expected to grow from 121 million units to 416 million units by 2017, compared to 208 million notebook shipments in 2012 to 393 million shipments in five years. Tablets will likely surpass notebook shipments in 2016.
- iPad Sales To Pass Notebook Sales Within Four Years (webpronews.com)
- Media Tablet Shipments to Surpass Notebook PCs by 2016 (geobrava.wordpress.com)
IT organizations have come to a stunning realization: There is no stopping the great iPad enterprise invasion. Risks abound as companies must deal with securing iPad apps without much help from Apple, says Julie Palen, senior VP of mobile device management at Tangoe, a telecom expense management software and services provider.
Palen’s group develops software that helps companies such as Wells Fargo and Coca-Cola manage BlackBerrys, iPhones, Android devices, and iPads — any devices connecting to a company’s back-end computing environment via Active Sync, BES, and Good Mobile Messaging.
The iPad, in particular, has had a rapid rise in enterprise adoption. More than 65 percent of Fortune 500 companies are deploying or piloting the iPad, Apple said during its most recent earnings call. Around 60 percent of Tangoe’s new business deals in the last quarter involve companies that have already deployed iPads or are planning to do so.
But the iPad isn’t really enterprise ready, in terms of manageability and security, says Palen, a 10-year veteran of mobile device management. She says IT organizations are buckling under pressure to support the iPad, even though the iPad wouldn’t have passed last year’s enterprise security requirements. (Source: InfoWorld)
Be sure to read the entire interview. Very interesting that the biggest obstacle to “security” in the enterprise with iPads is Apple itself.