Secure Coding

April 2014
Su	Mo	Tu	We	Th	Fr	Sa
1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	_3_0

Many software projects are not using secure coding practices, and thus many mistakes are quite common and lead to vulnerabilities.

These can then be used by “hackers” in order to gain access your data, and—worse—the data of your users.

This blog will demonstrate common vulnerabilities, and show methods to prevent them. They will be shown in all sorts of applications—from admin scripts over web applications to iPhone apps anything can become topic, as any of these can impact your security.

Tue Apr 10 14:21:29 UTC 2012

iPhone Folder Security App Security

1. Scope

Only free apps were tested that can at least store photos or videos. Apps that only store notes or passwords do exist, but have not been tested.

The limitation to free apps stems from the ubiquity of insecure apps on the App Store, so it is adivsable that a potential user of such an app first can test the security features before relying on them. Most free apps were either restricted to a certain file count, or contain iAds; however, for evaluating the security properties, this makes the free version fully sufficient.

As all these apps claim to provide extra security beyond the iPhone's passcode, they were tested under the assumption that an attacker has the unlocked iPhone in their hands.

2. Feature Tests

The following features were checked:

2.1. Photo, Video

It has been tested whether the app can be used to store and view photos, or videos, respectively. The test typically was done by attempting to import a media file from the Camera Roll, then trying to view it.

2.2. Other data

It has been tested whether the app can be used to store at least one other data type. Typically this means support for audio files, notes, or passwords.

2.3. Unlimited Storage

It has been tested whether the app has an obvious limitation in the amount of files or folders you can create. For apps that have such a limitation, typically a full version without such a limitation is available from the same product.

For two apps, testing of this capability was aborted due to very frequent crashes of the apps on the tested iPhone:

Private Photo HD Lite by AppInTheSky.com
ISafety Photo HD Lite by Pop-ok.com

Whether these apps have limited or unlimited storage was not revealed in the testing. However, the AppStore mentions no such limitation.

2.4. Decoy Mode

Many apps support a so-called “Decoy Mode”, which usually provides a second log-in account with a different data collection. The idea is that in case the user is forced to convey the passcode for the app, they can merely give out the Decoy Mode passcode, which shows “innocent” files.

2.5. Intruder Photo, Intruder Location

Many apps provide a security log containing photos and location data for every failed access. Although it generally sounds interesting to see who was trying to “spy on you”, any attacker with a remote clue about how these apps work can simply cover the camera, and disable location services before trying out passcodes.

2.6. Intruder Mail

Some apps even allow sending an E-Mail report containing the intruder's photo and location. This is actually a lot more useful. Although it does not help against a determined attacker (see above), it may be an actually useful tool to help discover a stolen iPhone if the thief is beaten by his curiosity. It may be a good idea to have one of these apps installed on your iPhone even if you do not intend to store any data inside.

This feature is provided by:

My Secret Folder Lite by Red Knight Interactive
Secure Browser With File Safe by Red Knight Interactive
Folder Locker Lite by Zeeplox

2.7. WiFi

Some apps provide a feature to share the files inside via WiFi. Typically, this is a HTTP, FTP or WebDAV service running on a highport without any authentication and read-write access.

2.8. iTunes Share (USB)

Some apps provide a feature to share files using iTunes File Sharing (typically used via USB). However, some apps provide only read-only and some apps provide only write-only access via this protocol.

Many apps did not advertise such functionality, but were found to “accidentally” provide read-only access via USB (read-only because adding/updating files would require changing database entries, which is sure manually possible using SQLite, but no ready tools exist for this). These are also counted as read only, too.

3. Security Tests

The following security properties were tested:

3.1. Decoy Access

Testing revealed the following security problems with Decoy Modes:

Some apps have an “insecure” decoy mode which gives an attacker who can enter Decoy Mode an easy way to enter the “secret” folders. Namely:
- AccessByKey Lite by MOST DO EVROPY s.r.o. implements Decoy Mode as separate folders, named by the folder passcode. Every passcode succeeds to log in, and can have separate data. The app however allows the user to enter “.” as passcode, which will enter the parent folder of all the “intentional” data folders, and view a list of all passcodes that have ever been entered, giving away any secrets stored in the app.
- Folder Locker Lite by Zeeplox still shows the passcode change options ion Decoy Mode, and they actually are able to change the main passcode. Therefore, all an attacker who can enter Decoy Mode has to do, is to enter settings, change the main passcode, leave the app, and enter it again using this passcode to reveal any secrets.
Most other apps have an “obvious” decoy mode:
- Decoy Mode typically does not show the settings menu, or if it does, it does not show the menu to change the passcode. This makes it very obvious to an attacker that some sort of Decoy Mode is in place.
- Some apps do not even allow to upload your own files in Decoy Mode, but merely allow showing default pictures there. That will not fool anyone.
Only two apps have a somewhat convincing Decoy Mode:
- CameraSafe LITE by Bitcartel Software implements Decoy Mode by having multiple independent accounts, none of which can see the others' data. Also, each can only change their own passcode.
- Foto Segrete - KYMS - Free by IdeaSolutions S.r.l. masquerades as a working calculator called KyCalc. Pressing = while the passcode is on the calculator display will let you in. However, Google search for “KyCalc” immediately gives away the decoy.

None of these provide the required security to fool a determined attacker. Furthermore, an attacker could simply force you to connect your iPhone to their computer, and perform a backup using iTunes for further analysis. Every single app will either reveal its data that way, or the fact that there is hidden data stored outside the application (e.g. by existence of encrypted files, or discrepancy of free and used disk space). Better consider this mode a toy, not an actual feature.

Given these observations, it was decided that in the results table, only a decoy mode that actually has a vulnerability to get access to the non-secret files is denoted as BAD. Any decoy mode not exposing the secret files, no matter how unconvincing, was counted as GOOD.

3.2. USB Security

It was attempted to get access to the app's folder using the access method described on Hacking ifuse - iExplorer for Linux, i.e. either via iExplorer, via IPA application backup, or via a modified ifuse client. Most apps were found to expose the secret files in unencrypted form using the method described there.

Note that this attack is only possible from a computer that once was connected to the iPhone which was unlocked at the time. The testing assumptions are however that the attacker has the unlocked iPhone in their hands, as these apps are all meant to provide extra security beyond the usual passcode lock of the iPhone. However, once a computer was connected once, it can be “paired” with the iPhone using iTunes or the idevicepair utility on Linux, and will from then on also allow connections from the same computer while locked!

The only tested apps not exposing their files to this attack were:

Dot Lock Photo by AgileMobileApps (stores data outside the app, namely, in the Keychain)
Dot Lock Photo+Video by AgileMobileApps (stores data outside the app, namely, in the Keychain)
CameraSafe LITE by Bitcartel Software (encrypts)
Covert Photo Free by Itchyfinger Ltd. (encrypts)
Dot Lock My Data Lite by MinhMobileDev (stores data outside the app, namely, in the Keychain)
My Locked Folder Lite by MinhMobileDev (stores data outside the app, namely, in the Keychain)
Photo Safe Pro by Software Opus LLC (encrypts)

Note that storing data outside the app - especially in an unexpected place like the Keychain, which also will not shrink after deleting the files again and thus can permanently use up the space - violates AppStore guidelines and may lead to removal of these apps from the Store. It furthermore means that the data is not deleted when the app is deleted, and may take up space “forever”. Also, jailbreaking the device (which however is bound to leave traces) is likely to expose the data in this case.

3.3. Public Encryption

It generally is not a good idea to rely merely on security by obscurity. It therefore is best practice to use published cryptographic algorithms that had peer review among cryptographers and that withstood many attacks in the past.

Only the following app fulfills this:

CameraSafe LITE by Bitcartel Software (uses and advertises AES-256 encryption, and also allows a sufficiently long passcode)

The following two apps may be using strong encryption, but do not publish their choice of algorithm and thus may or may not be secure:

Covert Photo Free by Itchyfinger Ltd. (advertises use of “Apple's own built-in encryption algorithms”, which likely means some AES variant, but only supports 4-digit PINs!)
Photo Safe Pro by Software Opus LLC (advertises “256 bit encryption” which likely means AES-256, and supports sufficiently long passcodes)

However, the following things have to be noted:

AES-256 is less secure than AES-128 due to recent attacks; AES-256 security has been reduced to 99.5 bits, while AES-128's security only could get reduced to 126.1 bits. Still, at the moment 99.5 bits security is good enough for practical purposes.
Even though the security of the underlying cryptographic algorithm may be good, this does not make a 4-digit PIN or other simple key (including 3x3 “dot lock”) secure. Good and long passcodes are absolutely required for security! Also, it has not been tested whether these apps use an actually secure method to derive the encryption key from user input.

3.4. Passcode Security

Many apps were found to expose their passcode in plaintext, or in easily decodable form, as part of App Backups or even in the iTunes Share area (see above). Typically the passcode was found either as a folder name, as entry in a SQLite database, or as entry in a binary-encoded plist file.

The only tested apps not exposing the passcode in any obvious way were:

All apps not exposing their data to App Backups by means of encryption or outside storage (see above)
Lock Folder Free by coco Cai (stores passcode information in the keychain)
Lock Photos Free by coco Cai (stores passcode information in the keychain)
Lock Photos & Videos HD by costani.com (stores passcode information in the keychain)
Pocket Folder by Gong Pengjun (stores passcode information in the keychain)
Secret - Store Anything by One Wave AB (stores the password hashed using MD5)
UbiDisk by FocusByte (stores passcode information int he keychain since version 2.0.0)

Notable apps attempting to provide passcode security, but failing at it, are:

Your Secret Folder by SSA Mobile LLC (uses MD5, but only supports short passcodes; a simple Google search for the MD5 hashed passcode will find it)
Your Secure Browser by SSA Mobile LLC (uses a proprietary algorithm to encode the passcode; proprietary algorithms tend to only rely on security by obscurity and thus are easily broken using debugging tools, but what makes matters worse is that this app stores the plaintext passcode in the successful access log)

4. Conclusion

The only tested app providing some sense of actual security is CameraSafe LITE byBitcartel Software. It even comes with a Decoy Mode, but cannot store anything other than photos.

Anything else cannot be recommended from a security perspective.

From a usability perspective, UbiDisk (Super Downloader) byFocusByte made the best impression. It provides video playback, remembers the last position, can open many file types, supports WiFi access both via HTTP and FTP (which works fine with lftp including mirror/sync support, but crashes when attempting to use the FTP access from Google Chrome), USB access, and even includes a web browser with downloader. Since 2.0.0, it also can download arbitrary file types from Safari!

5. How To Do It Right

Ideally, such an app would work like this:

On first start, a random master key is created and stored in the keychain.
User is queried for passphrase; any passphrase will “work”
The passphrase is processed using a key derivation function that employs key stretching.
The master key is “decrypted” with the result of the previous step and yields a “user key”
Files and file names are encrypted using the “user key”
As file names contain a checksum of some sort, their proper decoding can be verified. Names that do not decode right will not be shown.

A Linux tool working this way is EncFS.

6. Results

Vendor
Name

Version

Photo

Video

Other
Data

Unlimited
Storage

Decoy Mode

Intruder
Photo

Intruder
Location

Intruder
Mail

WiFi

iTunes
Share

Decoy
Access

USB
Security

Public
Encryption

Passcode
Security

Notes

8bit Factory
Z-Lock

1.0

YES

BAD

Decoy mode failed to log in

AgileMobileApps
Dot Lock Photo

1.1

YES

GOOD

Data is stored in the Keychain

AgileMobileApps
Dot Lock Video+Photo

2.0

YES

GOOD

Data is stored in the Keychain

Aims MIGITAL Technovations Pvt Ltd
Image Hider

1.1

YES

BAD

AppInTheSky.com
Private Photo HD Lite

1.0

YES

BAD

Crashed during testing

Apps2Be
Dot Lock Protection

2.0

YES

GOOD

BAD

Ashish Sudra
Download + Secret Folder Lite

1.0

YES

BAD

BAENPARK
Secret Photo Album

1.1

YES

BAD

Bitcartel Software
CameraSafe LITE

1.6.1

YES

R/O

GOOD

YES

GOOD

AES-256 encryption; supports multiple accounts for decoy purposes

Blue Pill Inc.
Secret Folder

1.0

YES

BAD

Decoy mode failed to log in

BlueScreen
Private Photo Lite Free

2.3

YES

GOOD

BAD

chen kaiqian
Secret Folder Lite

3.1.1

YES

W/O

GOOD

BAD

coco Cai
Lock Folder Free

1.1

YES

GOOD

BAD

GOOD

Passcode is stored in keychain

coco Cai
Lock Photos Free

1.4

YES

GOOD

BAD

GOOD

Passcode is stored in keychain

costani.com
Lock Photos & Videos HD

1.0.0

YES

R/O

BAD

GOOD

Passcode is stored in keychain

Easy To Use Products
Secure Photo+Video Safe Lite

2.2.1

YES

GOOD

BAD

Focusbyte
UbiDisk (Super Downloader)

2.0.0

YES

BAD

GOOD

pre-2.0.0 exposed the passcode in a plist file. Fixed now.

GalaxyStudio
Lock Photo+Video+Note+Audio+...

1.5

YES

GOOD

BAD

GOAPPS
Lock Your Photos Plus

1.0

YES

BAD

Gong Pengjun
Pocket Folder

1.0

YES

BAD

GOOD

Passcode is stored in keychain

Hedonic Software
Stash Free

2.1.1

YES

R/O

GOOD

BAD

i-App Creation Co, Ltd.
Pic Lock 2.0 Free

2.2.0.6

YES

R/O

BAD

Decoy only in full version

i-App Creation Co, Ltd.
Video Lock Free

2.2.0.5

YES

BAD

in USB and IPA, videos have a dot prefix

IdeaSolutions S.r.l.
Foto Segrete - KYMS - Free

1.3.6

YES

GOOD

BAD

Decoy: claims to be a calculator app on the phone

Imran Shirajee
iPrivate Lite

2.0.1

YES

BAD

Itchyfinger Ltd.
Covert Photo Free

1.1

YES

GOOD

AES?, but only 4 digit PINs

iTrendz
Photo-Locker

1.0

YES

BAD

iwinni
HD Photo Lock

1.0

YES

R/O

BAD

iwinni
iVideo Manager

1.1

YES

R/O

BAD

James Rees
Hidden Folder X

1.0

YES

BAD

Kadamedia
Tiny Folder

1.0

YES

GOOD

BAD

Decoy passcode is fixed (Z)

Maggie Q
Password Folder for Safe TM

1.0

YES

W/O

GOOD

BAD

MinhMobileDev
Dot Lock My Data Lite

2.0

YES

GOOD

Data is stored in the Keychain

MinhMobileDev
My Locked Folder Lite

2.0

YES

GOOD

Data is stored in the Keychain

MOST DO EVROPY s.r.o.
AccessByKey Lite

1.9

YES

R/O

BAD

EXPLOIT: Enter “.” to see all passcodes that have been used in the past. Each passcode succeeds and enters its own folder, thus can serve as decoy account.

One Wave AB
Secret - Store Anything

1.2

YES

BAD

GOOD

Passcode security relies on MD5, which is only effective on long passphrases

Permeative Technologies Pvt Ltd
Secure Photos and Videos

1.0

YES

BAD

Pop-ok.com
iSafety Photo HD Lite

1.0

YES

BAD

Crashed during testing

Privacy & Picture Browser Lab
The Folder Drive Free

1.0

YES

W/O

GOOD

BAD

Red Knight Interactive
My Secret Folder Lite

1.0

YES

GOOD

BAD

Red Knight Interactive
Secure Browser with File Safe

1.0

YES

BAD

RedFish, Inc.
The Secret Folder

1.1

YES

GOOD

BAD

RV AppStudios LLC
Best Secret Folder

1.1

YES

GOOD

BAD

Decoy mode has fixed photos, cannot be changed

Sensible Code
My Secret Apps Lite

1.1

YES

GOOD

BAD

Software Opus LLC
Photo Safe Pro

1.1.8

YES

R/O

GOOD

AES-256?

SSA Mobile LLC
Your Secret Folder

1.3

YES

GOOD

BAD

Passcode security relies on MD5, which is not effective on the passcodes this app supports

SSA Mobile LLC
Your Secure Browser

1.1

YES

BAD

Passcode is hashed by proprietary algorithm; however, access log contains plaintext passcode

Top Publishing
Locked Folder Secret

2.3.5

YES

BAD

Crashed during testing; decoy and intruder detection is advertised but not in the app

YummyApps Inc.
Hide My Folder

1.0.2504

YES

GOOD

BAD

Zeeplox
Folder Locker Lite

1.01

YES

BAD

EXPLOIT: Decoy mode can change main passcode

UPDATE: I managed to find out that AgileMobileApps' and MinhMobileDev's apps store the data in the Keychain (namely, in /private/var/Keychains/keychain-2.db.

UPDATE: FocusByte fixed the issues of UbiDisk I mentioned here. On Sep 16 2012, an update "2.0.0" was released that fixes the crashes of the FTP server, and moved the password storage to the Keychain, where it is safe from prying via USB. It is still possible to retrieve the passcode from there, but doing so involves jailbreaking the device; furthermore, Focusbyte can't do anything about this anyway because the security of a 4-digit PIN can be broken no matter what they do simply by having a decrypted dump of the device storage (jailbreak!), the device passcode (crack tools for this exist) and simple brute force. Therefore: Great work, Focusbyte! I updated the test results to match the current version of UbiDisk.

Posted by OpBaI | Permanent link | File under: ios

Sun Apr 8 16:23:57 UTC 2012

Hacking ifuse - iExplorer for Linux

For Windows and OS X, there is a tool named iExplorer that allows to view and modify an iPhone app's file system data.

The tool ifuse by the libimobiledevice project provides similar access.

Let's compare what the two tools show. First of all, iExplorer.

Its general view on a non-jailbroken iPhone is shown on a news article about Facebook and Dropbox apps. Apparently, one can see Media, as well as data views of each app, containing Documents, *.app, Library, tmp, and some iTunes metadata.

When we try with ifuse, we can get the Media folder too, but we will only get the Documents subfolder of apps. How come?

Source code of ifuse quickly tells why:

...
        case KEY_APPID_LONG:
                opts.appid = strdup(arg+7);
                opts.service_name = HOUSE_ARREST_SERVICE_NAME;
                res = 0;
                break;
...
        if (!strcmp(opts.service_name, HOUSE_ARREST_SERVICE_NAME)) {
...
                plist_free(dict);

                fuse_opt_add_arg(&args, "-omodules=subdir");
                fuse_opt_add_arg(&args, "-osubdir=Documents");
        }
...

So the restriction to see only the Documents subfolder (which, by the way, matches iTunes, and also is usually what the end user wants) is simply implemented by loading the subdir module of FUSE, and telling it to restrict the view to Documents.

Now we all know that we can just delete these two lines of code, and recompile ifuse, and be happy. I'll show you a simpler way.

# sed -e 's!-osubdir=Documents!-osubdir=././././.!g' < /usr/bin/ifuse > /usr/local/bin/ifuse-hacked
# chmod 755 /usr/local/bin/ifuse-hacked
# ^D
$ ideviceinstaller -l
...
my.com.pragmatic.My-Apps-Lite - My Apps Lite 1.1
...
$ ifuse-hacked --appid my.com.pragmatic.My-Apps-Lite ~/mnt
$ ls -la ~/mnt
drwxr-xr-x   6 me me   272 Mar 28 22:51 .
drwx------ 121 me me 12288 Apr  8 18:12 ..
drwxr-xr-x   2 me me    68 Mar 28 23:03 Documents
-rw-r--r--   1 me me 39156 Mar 28 22:51 iTunesArtwork
-rw-r--r--   1 me me  2498 Mar 28 22:51 iTunesMetadata.plist
drwxr-xr-x   6 me me   204 Mar 28 22:54 Library
drwxr-xr-x   7 me me  7650 Mar 28 22:51 My Apps Lite.app
drwxr-xr-x   2 me me    68 Apr  6 16:45 tmp

By the way...

There is another way to get at the same data without modifying ifuse:

$ ideviceinstaller -a my.com.pragmatic.My-Apps-Lite -o copy=/tmp -o remove
$ unzip -l /tmp/my.com.pragmatic.My-Apps-Lite.ipa

This article is a preparation for a following article about security of a certain set of iPhone apps. Stay tuned!

Posted by OpBaI | Permanent link | File under: ios

Sat Apr 7 16:12:40 UTC 2012

Error checking

Suddenly at a previous workplace, a HP-UX machine running Sendmail suddenly started beeping regularily, in intervals of a few minutes. Further examination showed: it was the X server no longer starting up properly.

Yes, I know, a X server is not supposed to run on a mail server. But this is not the problem I am talking about here.

Further examination led to the X server failing to start up because of wrong permissions in /etc–anything there suddenly was owned by the group mail, and having 664 permissions. How can this have happened?

The culprit was easily found: a cronjob along the lines of

13 * * * * cd /var/spool/mail; find . -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

At a certain time, the remote mount of /var/spool/mail was down, making the cd command fail. However, the cronjob just continued to run, and performed that nasty find command all over the root file system.

We were lucky that the server did not succeed in accessing the user home directories due to the same issue...

The Solution

First of all: don't do such weird hacks to solve a setup problem of e.g. Sendmail. These hacks never help. In this case, it only was necessary due to a bug in the procmail setup. Typically, procmail gains root privileges by setuid bit, then changes its user context to the target user's in order to run commands from the user's .procmailrc file. For some reason, this mechanism was not working on the system, and the previous admins thought it to be a good idea to install such a cron job to work around the problem. As a side effect, this meant that any user had full access to any user's mail by simply putting the right commands in their .procmailrc.

This specific problem however stemmed from being careless when writing shell scripts. One should never perform such a critical command on anything it is not meant for. In this case, this means: either should one have used an explicit path specification as argument to find:

13 * * * * find /var/spool/mail -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

Or, one should check the status of the cd command and abort on failure:

13 * * * * cd /var/spool/mail && find -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

Or, one could get used to implicit error abort in POSIX shells by using set -e:

13 * * * * set -e; cd /var/spool/mail; find -type f -exec chgrp mail {} \; -exec chmod 664 {} \;

Any of these measures would have prevented the catastrophic failure that in the end led to the system being reinstalled in order to restore permissions back to normal.

Lesson learned: check for error conditions, bail out to prevent worse things from happening

Posted by OpBaI | Permanent link | File under: unix, shell