April 2012 Archives

Wed Apr 11 15:55:39 UTC 2012

Integer Overflows

A funny tale from PHP development: apparently, preventing integer overflows is hard. So, let's try to write code to allocate a 2D matrix of double...

unsigned int rows, cols;
// ...
if(rows < 1 || cols < 1)
        errx(1, "Invalid size");
double **M = calloc(rows * cols * sizeof(double), 1);

The inherent problem here is that the goal is to detect a miscalculation–by doing calculations. And many attempts failed in the past. So, how to best do this?

Standard Method: pre-verification of each step

if(rows < 1 || cols < 1)
        errx(1, "Invalid size");
if(rows > SIZE_MAX / (size_t) cols)
        errx(1, "Integer overflow");
size_t rc = rows * cols;
if(rc > SIZE_MAX / sizeof(double))
        errx(1, "Integer overflow");
size_t n = rc * sizeof(double);
double **M = calloc(rc, 1);

What are we doing there? We basically verify before each calculation step that the calculation will neither overflow nor divide by zero. We use the fact that the division operator / rounds downwards. Also, an integer division cannot overflow. So the following equations hold:

rows        <=  SIZE_MAX / (size_t) cols
rows * cols <= (SIZE_MAX / (size_t) cols) * cols
rows * cols <=  SIZE_MAX - {value between 0 and cols-1}
rows * cols <=  SIZE_MAX

And thus is proven this step causes no integer overflow.

The problem with this method is that it is tedious and leads to quite complex code.

Interesting Method: pre-verification in a single step

if(SIZE_MAX / (size_t) rows / (size_t) cols / sizeof(double) < 1)
        errx(1, "Integer overflow");
double **M = calloc((size_t) rows * (size_t) cols * sizeof(double), 1);

So, what is this now? Why does this trick guarantee no overflow? Let's work on this equation too.

Theorems for integer division "/":

  a >= b   =>   a/c >= b/c

  Proof:

    Write a as (a/c) * c + (a%c) with (a%c) between 0 and c-1.
    Write b as (b/c) * c + (b%c) with (b%c) between 0 and c-1.

    Then it follows:

                      a >= b
      (a/c) * c + (a%c) >= (b/c) * c + (b%c)
    ((a/c) - (b/c)) * c >= (b%c) - (a%c)

    If the theorem were not true, then (a/c) < (b/c).
    This means that (a/c) < (b/c) <= -1. We get:

    -1 * c >= ((a/c) - (b/c)) * c >= (b%c) - (a%c)
        -c >= (b%c) - (a%c)
         c <= (a%c) - (b%c)

    However, this cannot be fulfilled for any (a%c) and (b%c) in the range from
    0 to c-1. q.e.d.

Furthermore:

  a < b*c  =>   a/c < b

  Proof:

    Let's prove the equivalent relation

    a/c >= b   =>   a >= b*c

    Write a as (a/c) * c + (a%c) with (a%c) between 0 and c-1.

    Then it follows:

                (a/c) >= b
            (a/c) * c >= b*c
    (a/c) * c + (a%c) >= b*c + (a%c)
                    a >= b*c + (a%c)
                    a >= b*c

    q.e.d.

// Let's define:
r := (size_t) rows
c := (size_t) cols
d := sizeof(double)

// Assuming no overflow takes place, then we get using the above mentioned theorems:
SIZE_MAX             >= d*c*r        | / r
SIZE_MAX / r         >= d*c          | / c
SIZE_MAX / r / c     >= d            | / d
SIZE_MAX / r / c / d >= 1

// Assuming an overflow takes place, then we get using the above mentioned theorems:
SIZE_MAX             <  d*c*r        | / r
SIZE_MAX / r         <  d*c          | / c
SIZE_MAX / r / c     <  d            | / d
SIZE_MAX / r / c / d <  1

Therefore, the check above always yields the correct result.

Ridiculous Method: floating point post-verification

What actually happens on overflow? The first bits get cut off. We easily see that the overflown value is at most half the correct value, as cutting off a binary number's first bit always reduces it to less than half. So, we can do this:

if(rows < 1 || cols < 1)
        errx(1, "Invalid size");
size_t ni = (size_t) rows * (size_t) cols * sizeof(double);
float nf = (float) rows * (float) cols * sizeof(double);
if(ni < 0.8f * nf)
        errx(1, "Integer overflow");
double **M = calloc(ni, 1);

We know that on overflow, ni will be smaller than 0.5 times the correct value. So, as long as our calculation of nf is accurate enough so that 0.8f * nf is between 0.5 times the correct value, and the correct value itself, this actually works!

By standard methods, you find that a single calculation step for float of addition, multiplication, division, or rounding an input introduces a relative error of at most 10^-6, as long as no negative values or denormals are involved anywhere. How many such errors do we need so that 0.8 becomes 1.0 or 0.5?

223143 of them. We'll never hit THAT in a buffer size calculation...


Posted by OpBaI | Permanent link | File under: code, c

Tue Apr 10 14:21:29 UTC 2012

iPhone Folder Security App Security

1. Scope

Only free apps were tested that can at least store photos or videos. Apps that only store notes or passwords do exist, but have not been tested.

The limitation to free apps stems from the ubiquity of insecure apps on the App Store, so it is adivsable that a potential user of such an app first can test the security features before relying on them. Most free apps were either restricted to a certain file count, or contain iAds; however, for evaluating the security properties, this makes the free version fully sufficient.

As all these apps claim to provide extra security beyond the iPhone's passcode, they were tested under the assumption that an attacker has the unlocked iPhone in their hands.

2. Feature Tests

The following features were checked:

2.1. Photo, Video

It has been tested whether the app can be used to store and view photos, or videos, respectively. The test typically was done by attempting to import a media file from the Camera Roll, then trying to view it.

2.2. Other data

It has been tested whether the app can be used to store at least one other data type. Typically this means support for audio files, notes, or passwords.

2.3. Unlimited Storage

It has been tested whether the app has an obvious limitation in the amount of files or folders you can create. For apps that have such a limitation, typically a full version without such a limitation is available from the same product.

For two apps, testing of this capability was aborted due to very frequent crashes of the apps on the tested iPhone:

  • Private Photo HD Lite by AppInTheSky.com

  • ISafety Photo HD Lite by Pop-ok.com

Whether these apps have limited or unlimited storage was not revealed in the testing. However, the AppStore mentions no such limitation.

2.4. Decoy Mode

Many apps support a so-called “Decoy Mode”, which usually provides a second log-in account with a different data collection. The idea is that in case the user is forced to convey the passcode for the app, they can merely give out the Decoy Mode passcode, which shows “innocent” files.

2.5. Intruder Photo, Intruder Location

Many apps provide a security log containing photos and location data for every failed access. Although it generally sounds interesting to see who was trying to “spy on you”, any attacker with a remote clue about how these apps work can simply cover the camera, and disable location services before trying out passcodes.

2.6. Intruder Mail

Some apps even allow sending an E-Mail report containing the intruder's photo and location. This is actually a lot more useful. Although it does not help against a determined attacker (see above), it may be an actually useful tool to help discover a stolen iPhone if the thief is beaten by his curiosity. It may be a good idea to have one of these apps installed on your iPhone even if you do not intend to store any data inside.

This feature is provided by:

  • My Secret Folder Lite by Red Knight Interactive

  • Secure Browser With File Safe by Red Knight Interactive

  • Folder Locker Lite by Zeeplox

2.7. WiFi

Some apps provide a feature to share the files inside via WiFi. Typically, this is a HTTP, FTP or WebDAV service running on a highport without any authentication and read-write access.

2.8. iTunes Share (USB)

Some apps provide a feature to share files using iTunes File Sharing (typically used via USB). However, some apps provide only read-only and some apps provide only write-only access via this protocol.

Many apps did not advertise such functionality, but were found to “accidentally” provide read-only access via USB (read-only because adding/updating files would require changing database entries, which is sure manually possible using SQLite, but no ready tools exist for this). These are also counted as read only, too.

3. Security Tests

The following security properties were tested:

3.1. Decoy Access

Testing revealed the following security problems with Decoy Modes:

  • Some apps have an “insecure” decoy mode which gives an attacker who can enter Decoy Mode an easy way to enter the “secret” folders. Namely:

    • AccessByKey Lite by MOST DO EVROPY s.r.o. implements Decoy Mode as separate folders, named by the folder passcode. Every passcode succeeds to log in, and can have separate data. The app however allows the user to enter “.” as passcode, which will enter the parent folder of all the “intentional” data folders, and view a list of all passcodes that have ever been entered, giving away any secrets stored in the app.

    • Folder Locker Lite by Zeeplox still shows the passcode change options ion Decoy Mode, and they actually are able to change the main passcode. Therefore, all an attacker who can enter Decoy Mode has to do, is to enter settings, change the main passcode, leave the app, and enter it again using this passcode to reveal any secrets.

  • Most other apps have an “obvious” decoy mode:

    • Decoy Mode typically does not show the settings menu, or if it does, it does not show the menu to change the passcode. This makes it very obvious to an attacker that some sort of Decoy Mode is in place.

    • Some apps do not even allow to upload your own files in Decoy Mode, but merely allow showing default pictures there. That will not fool anyone.

  • Only two apps have a somewhat convincing Decoy Mode:

    • CameraSafe LITE by Bitcartel Software implements Decoy Mode by having multiple independent accounts, none of which can see the others' data. Also, each can only change their own passcode.

    • Foto Segrete - KYMS - Free by IdeaSolutions S.r.l. masquerades as a working calculator called KyCalc. Pressing = while the passcode is on the calculator display will let you in. However, Google search for “KyCalc” immediately gives away the decoy.

None of these provide the required security to fool a determined attacker. Furthermore, an attacker could simply force you to connect your iPhone to their computer, and perform a backup using iTunes for further analysis. Every single app will either reveal its data that way, or the fact that there is hidden data stored outside the application (e.g. by existence of encrypted files, or discrepancy of free and used disk space). Better consider this mode a toy, not an actual feature.

Given these observations, it was decided that in the results table, only a decoy mode that actually has a vulnerability to get access to the non-secret files is denoted as BAD. Any decoy mode not exposing the secret files, no matter how unconvincing, was counted as GOOD.

3.2. USB Security

It was attempted to get access to the app's folder using the access method described on Hacking ifuse - iExplorer for Linux, i.e. either via iExplorer, via IPA application backup, or via a modified ifuse client. Most apps were found to expose the secret files in unencrypted form using the method described there.

Note that this attack is only possible from a computer that once was connected to the iPhone which was unlocked at the time. The testing assumptions are however that the attacker has the unlocked iPhone in their hands, as these apps are all meant to provide extra security beyond the usual passcode lock of the iPhone. However, once a computer was connected once, it can be “paired” with the iPhone using iTunes or the idevicepair utility on Linux, and will from then on also allow connections from the same computer while locked!

The only tested apps not exposing their files to this attack were:

  • Dot Lock Photo by AgileMobileApps (stores data outside the app, namely, in the Keychain)

  • Dot Lock Photo+Video by AgileMobileApps (stores data outside the app, namely, in the Keychain)

  • CameraSafe LITE by Bitcartel Software (encrypts)

  • Covert Photo Free by Itchyfinger Ltd. (encrypts)

  • Dot Lock My Data Lite by MinhMobileDev (stores data outside the app, namely, in the Keychain)

  • My Locked Folder Lite by MinhMobileDev (stores data outside the app, namely, in the Keychain)

  • Photo Safe Pro by Software Opus LLC (encrypts)

Note that storing data outside the app - especially in an unexpected place like the Keychain, which also will not shrink after deleting the files again and thus can permanently use up the space - violates AppStore guidelines and may lead to removal of these apps from the Store. It furthermore means that the data is not deleted when the app is deleted, and may take up space “forever”. Also, jailbreaking the device (which however is bound to leave traces) is likely to expose the data in this case.

3.3. Public Encryption

It generally is not a good idea to rely merely on security by obscurity. It therefore is best practice to use published cryptographic algorithms that had peer review among cryptographers and that withstood many attacks in the past.

Only the following app fulfills this:

  • CameraSafe LITE by Bitcartel Software (uses and advertises AES-256 encryption, and also allows a sufficiently long passcode)

The following two apps may be using strong encryption, but do not publish their choice of algorithm and thus may or may not be secure:

  • Covert Photo Free by Itchyfinger Ltd. (advertises use of “Apple's own built-in encryption algorithms”, which likely means some AES variant, but only supports 4-digit PINs!)

  • Photo Safe Pro by Software Opus LLC (advertises “256 bit encryption” which likely means AES-256, and supports sufficiently long passcodes)

However, the following things have to be noted:

  • AES-256 is less secure than AES-128 due to recent attacks; AES-256 security has been reduced to 99.5 bits, while AES-128's security only could get reduced to 126.1 bits. Still, at the moment 99.5 bits security is good enough for practical purposes.

  • Even though the security of the underlying cryptographic algorithm may be good, this does not make a 4-digit PIN or other simple key (including 3x3 “dot lock”) secure. Good and long passcodes are absolutely required for security! Also, it has not been tested whether these apps use an actually secure method to derive the encryption key from user input.

3.4. Passcode Security

Many apps were found to expose their passcode in plaintext, or in easily decodable form, as part of App Backups or even in the iTunes Share area (see above). Typically the passcode was found either as a folder name, as entry in a SQLite database, or as entry in a binary-encoded plist file.

The only tested apps not exposing the passcode in any obvious way were:

  • All apps not exposing their data to App Backups by means of encryption or outside storage (see above)

  • Lock Folder Free by coco Cai (stores passcode information in the keychain)

  • Lock Photos Free by coco Cai (stores passcode information in the keychain)

  • Lock Photos & Videos HD by costani.com (stores passcode information in the keychain)

  • Pocket Folder by Gong Pengjun (stores passcode information in the keychain)

  • Secret - Store Anything by One Wave AB (stores the password hashed using MD5)

  • UbiDisk by FocusByte (stores passcode information int he keychain since version 2.0.0)

Notable apps attempting to provide passcode security, but failing at it, are:

  • Your Secret Folder by SSA Mobile LLC (uses MD5, but only supports short passcodes; a simple Google search for the MD5 hashed passcode will find it)

  • Your Secure Browser by SSA Mobile LLC (uses a proprietary algorithm to encode the passcode; proprietary algorithms tend to only rely on security by obscurity and thus are easily broken using debugging tools, but what makes matters worse is that this app stores the plaintext passcode in the successful access log)

4. Conclusion

The only tested app providing some sense of actual security is CameraSafe LITE byBitcartel Software. It even comes with a Decoy Mode, but cannot store anything other than photos.

Anything else cannot be recommended from a security perspective.

From a usability perspective, UbiDisk (Super Downloader) byFocusByte made the best impression. It provides video playback, remembers the last position, can open many file types, supports WiFi access both via HTTP and FTP (which works fine with lftp including mirror/sync support, but crashes when attempting to use the FTP access from Google Chrome), USB access, and even includes a web browser with downloader. Since 2.0.0, it also can download arbitrary file types from Safari!

5. How To Do It Right

Ideally, such an app would work like this:

  • On first start, a random master key is created and stored in the keychain.

  • User is queried for passphrase; any passphrase will “work”

  • The passphrase is processed using a key derivation function that employs key stretching.

  • The master key is “decrypted” with the result of the previous step and yields a “user key”

  • Files and file names are encrypted using the “user key”

  • As file names contain a checksum of some sort, their proper decoding can be verified. Names that do not decode right will not be shown.

A Linux tool working this way is EncFS.

6. Results

Vendor
Name
Version Photo Video Other
Data
Unlimited
Storage
Decoy Mode Intruder
Photo
Intruder
Location
Intruder
Mail
WiFi iTunes
Share
Decoy
Access
USB
Security
Public
Encryption
Passcode
Security
Notes
8bit Factory
Z-Lock
1.0 YES YES YES YES NO NO NO NO NO NO - BAD NO BAD Decoy mode failed to log in
AgileMobileApps
Dot Lock Photo
1.1 YES NO NO NO YES NO NO NO NO NO GOOD GOOD NO GOOD Data is stored in the Keychain
AgileMobileApps
Dot Lock Video+Photo
2.0 YES YES NO NO YES NO NO NO NO NO GOOD GOOD NO GOOD Data is stored in the Keychain
Aims MIGITAL Technovations Pvt Ltd
Image Hider
1.1 YES NO NO YES NO NO NO NO NO NO - BAD NO BAD
AppInTheSky.com
Private Photo HD Lite
1.0 YES NO NO YES NO NO NO NO NO NO - BAD NO BAD Crashed during testing
Apps2Be
Dot Lock Protection
2.0 YES YES NO NO YES YES YES NO NO NO GOOD BAD NO BAD
Ashish Sudra
Download + Secret Folder Lite
1.0 YES YES YES NO NO NO NO NO NO YES - BAD NO BAD
BAENPARK
Secret Photo Album
1.1 YES NO NO YES NO NO NO NO NO NO - BAD NO BAD
Bitcartel Software
CameraSafe LITE
1.6.1 YES NO NO NO YES NO NO NO NO R/O GOOD GOOD YES GOOD AES-256 encryption; supports multiple accounts for decoy purposes
Blue Pill Inc.
Secret Folder
1.0 YES YES NO YES NO NO NO NO NO NO - BAD NO BAD Decoy mode failed to log in
BlueScreen
Private Photo Lite Free
2.3 YES YES NO NO YES NO NO NO YES YES GOOD BAD NO BAD
chen kaiqian
Secret Folder Lite
3.1.1 YES YES NO NO YES NO NO NO YES W/O GOOD BAD NO BAD
coco Cai
Lock Folder Free
1.1 YES YES YES NO YES NO NO NO NO NO GOOD BAD NO GOOD Passcode is stored in keychain
coco Cai
Lock Photos Free
1.4 YES NO NO NO YES NO NO NO NO NO GOOD BAD NO GOOD Passcode is stored in keychain
costani.com
Lock Photos & Videos HD
1.0.0 YES YES NO NO NO NO NO NO NO R/O - BAD NO GOOD Passcode is stored in keychain
Easy To Use Products
Secure Photo+Video Safe Lite
2.2.1 YES YES NO NO YES NO NO NO YES NO GOOD BAD NO BAD
Focusbyte
UbiDisk (Super Downloader)
2.0.0 YES YES YES YES NO NO NO NO YES YES - BAD NO GOOD pre-2.0.0 exposed the passcode in a plist file. Fixed now.
GalaxyStudio
Lock Photo+Video+Note+Audio+...
1.5 YES YES YES NO YES NO NO NO YES YES GOOD BAD NO BAD
GOAPPS
Lock Your Photos Plus
1.0 YES NO NO YES NO NO NO NO NO NO - BAD NO BAD
Gong Pengjun
Pocket Folder
1.0 YES NO YES YES NO NO NO NO YES NO - BAD NO GOOD Passcode is stored in keychain
Hedonic Software
Stash Free
2.1.1 YES YES YES NO YES NO NO NO YES R/O GOOD BAD NO BAD
i-App Creation Co, Ltd.
Pic Lock 2.0 Free
2.2.0.6 YES NO NO NO NO NO NO NO NO R/O - BAD NO BAD Decoy only in full version
i-App Creation Co, Ltd.
Video Lock Free
2.2.0.5 NO YES NO NO NO NO NO NO NO YES - BAD NO BAD in USB and IPA, videos have a dot prefix
IdeaSolutions S.r.l.
Foto Segrete - KYMS - Free
1.3.6 YES YES NO NO YES NO NO NO NO YES GOOD BAD NO BAD Decoy: claims to be a calculator app on the phone
Imran Shirajee
iPrivate Lite
2.0.1 YES NO NO NO NO NO NO NO NO NO - BAD NO BAD
Itchyfinger Ltd.
Covert Photo Free
1.1 YES NO NO NO NO NO NO NO NO NO - GOOD ? GOOD AES?, but only 4 digit PINs
iTrendz
Photo-Locker
1.0 YES NO NO YES NO NO NO NO NO YES - BAD NO BAD
iwinni
HD Photo Lock
1.0 YES NO NO YES NO NO NO NO NO R/O - BAD NO BAD
iwinni
iVideo Manager
1.1 NO YES NO YES NO NO NO NO NO R/O - BAD NO BAD
James Rees
Hidden Folder X
1.0 YES YES NO YES NO NO NO NO NO NO - BAD NO BAD
Kadamedia
Tiny Folder
1.0 YES NO YES YES YES NO NO NO NO NO GOOD BAD NO BAD Decoy passcode is fixed (Z)
Maggie Q
Password Folder for Safe TM
1.0 YES YES NO NO YES NO NO NO YES W/O GOOD BAD NO BAD
MinhMobileDev
Dot Lock My Data Lite
2.0 YES YES NO NO YES NO NO NO NO NO GOOD GOOD NO GOOD Data is stored in the Keychain
MinhMobileDev
My Locked Folder Lite
2.0 YES YES NO NO YES NO NO NO NO NO GOOD GOOD NO GOOD Data is stored in the Keychain
MOST DO EVROPY s.r.o.
AccessByKey Lite
1.9 YES YES NO YES YES NO NO NO NO R/O BAD BAD NO BAD EXPLOIT: Enter “.” to see all passcodes that have been used in the past. Each passcode succeeds and enters its own folder, thus can serve as decoy account.
One Wave AB
Secret - Store Anything
1.2 YES YES YES NO NO NO NO NO NO NO - BAD NO GOOD Passcode security relies on MD5, which is only effective on long passphrases
Permeative Technologies Pvt Ltd
Secure Photos and Videos
1.0 YES YES NO YES NO NO NO NO NO NO - BAD NO BAD
Pop-ok.com
iSafety Photo HD Lite
1.0 YES NO NO YES NO NO NO NO NO NO - BAD NO BAD Crashed during testing
Privacy & Picture Browser Lab
The Folder Drive Free
1.0 YES YES NO NO YES NO NO NO YES W/O GOOD BAD NO BAD
Red Knight Interactive
My Secret Folder Lite
1.0 YES YES YES YES YES YES YES YES NO NO GOOD BAD NO BAD
Red Knight Interactive
Secure Browser with File Safe
1.0 YES YES YES YES NO YES YES YES NO NO - BAD NO BAD
RedFish, Inc.
The Secret Folder
1.1 YES YES YES YES YES YES YES NO NO NO GOOD BAD NO BAD
RV AppStudios LLC
Best Secret Folder
1.1 YES YES NO YES YES YES YES NO NO NO GOOD BAD NO BAD Decoy mode has fixed photos, cannot be changed
Sensible Code
My Secret Apps Lite
1.1 YES YES YES YES YES NO NO NO NO YES GOOD BAD NO BAD
Software Opus LLC
Photo Safe Pro
1.1.8 YES NO NO NO NO NO NO NO YES R/O - GOOD ? GOOD AES-256?
SSA Mobile LLC
Your Secret Folder
1.3 YES YES NO YES YES YES YES NO NO NO GOOD BAD NO BAD Passcode security relies on MD5, which is not effective on the passcodes this app supports
SSA Mobile LLC
Your Secure Browser
1.1 YES YES YES YES NO YES YES NO YES NO - BAD NO BAD Passcode is hashed by proprietary algorithm; however, access log contains plaintext passcode
Top Publishing
Locked Folder Secret
2.3.5 YES YES YES YES NO NO NO NO NO NO - BAD NO BAD Crashed during testing; decoy and intruder detection is advertised but not in the app
YummyApps Inc.
Hide My Folder
1.0.2504 YES YES YES YES YES YES YES NO NO NO GOOD BAD NO BAD
Zeeplox
Folder Locker Lite
1.01 YES YES NO YES YES YES YES YES NO NO BAD BAD NO BAD EXPLOIT: Decoy mode can change main passcode

UPDATE: I managed to find out that AgileMobileApps' and MinhMobileDev's apps store the data in the Keychain (namely, in /private/var/Keychains/keychain-2.db.

UPDATE: FocusByte fixed the issues of UbiDisk I mentioned here. On Sep 16 2012, an update "2.0.0" was released that fixes the crashes of the FTP server, and moved the password storage to the Keychain, where it is safe from prying via USB. It is still possible to retrieve the passcode from there, but doing so involves jailbreaking the device; furthermore, Focusbyte can't do anything about this anyway because the security of a 4-digit PIN can be broken no matter what they do simply by having a decrypted dump of the device storage (jailbreak!), the device passcode (crack tools for this exist) and simple brute force. Therefore: Great work, Focusbyte! I updated the test results to match the current version of UbiDisk.


Posted by OpBaI | Permanent link | File under: ios

Sun Apr 8 16:23:57 UTC 2012

Hacking ifuse - iExplorer for Linux

For Windows and OS X, there is a tool named iExplorer that allows to view and modify an iPhone app's file system data.

The tool ifuse by the libimobiledevice project provides similar access.

Let's compare what the two tools show. First of all, iExplorer.

Its general view on a non-jailbroken iPhone is shown on a news article about Facebook and Dropbox apps. Apparently, one can see Media, as well as data views of each app, containing Documents, *.app, Library, tmp, and some iTunes metadata.

When we try with ifuse, we can get the Media folder too, but we will only get the Documents subfolder of apps. How come?

Source code of ifuse quickly tells why:

...
        case KEY_APPID_LONG:
                opts.appid = strdup(arg+7);
                opts.service_name = HOUSE_ARREST_SERVICE_NAME;
                res = 0;
                break;
...
        if (!strcmp(opts.service_name, HOUSE_ARREST_SERVICE_NAME)) {
...
                plist_free(dict);

                fuse_opt_add_arg(&args, "-omodules=subdir");
                fuse_opt_add_arg(&args, "-osubdir=Documents");
        }
...

So the restriction to see only the Documents subfolder (which, by the way, matches iTunes, and also is usually what the end user wants) is simply implemented by loading the subdir module of FUSE, and telling it to restrict the view to Documents.

Now we all know that we can just delete these two lines of code, and recompile ifuse, and be happy. I'll show you a simpler way.

# sed -e 's!-osubdir=Documents!-osubdir=././././.!g' < /usr/bin/ifuse > /usr/local/bin/ifuse-hacked
# chmod 755 /usr/local/bin/ifuse-hacked
# ^D
$ ideviceinstaller -l
...
my.com.pragmatic.My-Apps-Lite - My Apps Lite 1.1
...
$ ifuse-hacked --appid my.com.pragmatic.My-Apps-Lite ~/mnt
$ ls -la ~/mnt
drwxr-xr-x   6 me me   272 Mar 28 22:51 .
drwx------ 121 me me 12288 Apr  8 18:12 ..
drwxr-xr-x   2 me me    68 Mar 28 23:03 Documents
-rw-r--r--   1 me me 39156 Mar 28 22:51 iTunesArtwork
-rw-r--r--   1 me me  2498 Mar 28 22:51 iTunesMetadata.plist
drwxr-xr-x   6 me me   204 Mar 28 22:54 Library
drwxr-xr-x   7 me me  7650 Mar 28 22:51 My Apps Lite.app
drwxr-xr-x   2 me me    68 Apr  6 16:45 tmp

By the way...

There is another way to get at the same data without modifying ifuse:

$ ideviceinstaller -a my.com.pragmatic.My-Apps-Lite -o copy=/tmp -o remove
$ unzip -l /tmp/my.com.pragmatic.My-Apps-Lite.ipa

This article is a preparation for a following article about security of a certain set of iPhone apps. Stay tuned!


Posted by OpBaI | Permanent link | File under: ios

Sat Apr 7 16:12:40 UTC 2012

Error checking

Suddenly at a previous workplace, a HP-UX machine running Sendmail suddenly started beeping regularily, in intervals of a few minutes. Further examination showed: it was the X server no longer starting up properly.

Yes, I know, a X server is not supposed to run on a mail server. But this is not the problem I am talking about here.

Further examination led to the X server failing to start up because of wrong permissions in /etc–anything there suddenly was owned by the group mail, and having 664 permissions. How can this have happened?

The culprit was easily found: a cronjob along the lines of

13 * * * * cd /var/spool/mail; find . -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

At a certain time, the remote mount of /var/spool/mail was down, making the cd command fail. However, the cronjob just continued to run, and performed that nasty find command all over the root file system.

We were lucky that the server did not succeed in accessing the user home directories due to the same issue...

The Solution

First of all: don't do such weird hacks to solve a setup problem of e.g. Sendmail. These hacks never help. In this case, it only was necessary due to a bug in the procmail setup. Typically, procmail gains root privileges by setuid bit, then changes its user context to the target user's in order to run commands from the user's .procmailrc file. For some reason, this mechanism was not working on the system, and the previous admins thought it to be a good idea to install such a cron job to work around the problem. As a side effect, this meant that any user had full access to any user's mail by simply putting the right commands in their .procmailrc.

This specific problem however stemmed from being careless when writing shell scripts. One should never perform such a critical command on anything it is not meant for. In this case, this means: either should one have used an explicit path specification as argument to find:

13 * * * * find /var/spool/mail -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

Or, one should check the status of the cd command and abort on failure:

13 * * * * cd /var/spool/mail && find -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

Or, one could get used to implicit error abort in POSIX shells by using set -e:

13 * * * * set -e; cd /var/spool/mail; find -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

Any of these measures would have prevented the catastrophic failure that in the end led to the system being reinstalled in order to restore permissions back to normal.

Lesson learned: check for error conditions, bail out to prevent worse things from happening


Posted by OpBaI | Permanent link | File under: unix, shell