[Dailydave] iPhone Security

Kristian Erik Hermansen kristian.hermansen at gmail.com
Tue Jan 5 15:53:33 EST 2016


On Tue, Jan 5, 2016 at 8:31 AM, Dave Aitel <dave at immunityinc.com> wrote:
> http://immunityproducts.blogspot.com/2016/01/the-danger-of-other-on-iphone.html

The TL;DR version is that the mail client is not validating the
SSL/TLS certificate. In older versions of iOS, when testing, I felt
this was a weak area of the platform. I notified Apple Security of the
issue, but received no response from them about it. However, in later
versions of iOS 8/9 (?) a new option / enforcement was added to the
platform for certificate validation. I never trusted Apple would
completely fix this, or they may have a regression, so I was wary of
utilizing it. Since you need to put in your Google creds for Contacts
(and for calendar before Google released a standalone Calendar app in
2015), that was something I would only enable like once a month while
on trusted wifi to sync new contacts. In any event, there are tons of
outstanding issues on Apple's platforms that have weaknesses that I
have reported and go unfixed. Here is a short list of other things
that smell dangerous too and remain unfixed last I checked...

* Apple App Store connections do not utilize HTTPS
* Apple App Store leverages a lot of XML (hint hint)
* Privileged network-positioned attackers (NSA?) can uniquely track
Apple iOS clients by injecting HTTP headers and getting them cached
client-side, or utilize other client sniffing tricks
* Updates for Apple platform and apps come over HTTP, but do you
really trust the in-line digital signatures over HTTP against nation
states?
* Apple OS X printer drivers (like HP) are distributed over HTTP
links, without encryption, and install without any Apple binary
signature (inject your OS backdoors here into the kernel via the ZIP
file stream in transit)
* Numerous other Apple OS X components, distributed apps, drivers, and
sometimes other components are distributed without being signed /
attributed to Apple (untrusted).
* Apple Maps API data wasn't encrypted, last I checked

I could keep going...here are some links and descriptions...

* Apple Maps on iOS Leaks All Geo Data over HTTP without Encryption

http://gspe19.ls.apple.com/tile.vf

* Apple iOS crypto libraries don't support strong ciphers > 128bits

* iOS Allows Invalid Profile Cryptographic Keys to be Installed

Open the following links in Safari:

http://iapnupdatetfdata.straighttalk.com

http://iapnupdateatt.straighttalk.com

* Numerous Apple updates / downloads over insecure HTTP:

http://mesu.apple.com/assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml

http://download.info.apple.com/Apple_Support_Area/

http://supportdownload.apple.com/download.info.apple.com/Apple_Support_Area/Apple_Software_Updates/Mac_OS_X/downloads/031-3384.20140211.Xcc3e/BootCamp5.1.5621.zip

http://support.apple.com/downloads/DL907/en_US/hpprinterdriver3.1.dmg

http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=22512&cat=33&platform=osx&method=sa/TextTranslator.zip

-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen

