Bit9

Mobile computing… It’s the Wild West of IT security, and this untouched land presents complicated new challenges to security professionals. Recently, a security flaw was discovered for iOS smartphone users who used the mobile apps Facebook, Dropbox, and LinkedIn. It was previously thought that these apps only presented vulnerabilities to users with “jailbroken” iOS devices, but further evidence by security researcher Gareth Wright suggests otherwise.

For users who possess these iOS devices, a cyber criminal could save authentication keys (access tokens) from unencrypted plain-text files or .plists for these apps through the use of a free tool called iExplorer. After transferring these credentials over to a different device, the cyber thief could easily login to the previous user’s Facebook account. The same vulnerability exists on iOS’s Dropbox and LinkedIn apps, and for all intents and purposes exists on the Android platform as well (not tested however). Wright was able to copy each apps unencrypted .plist over to a factory set iPhone (not jailbroken). From there he could login using the user’s compromised credentials and access all of their user data relating to each app.

The problem is how the access credentials are stored. Because these apps store user data in unencrypted text files, cyber criminals have easy access to the keys to some popular apps that hoard tons of personal information. Identity theft just got social and it isn’t stopping there. With all the recent stink regarding Android’s mobile malware problem, the past couple weeks haven’t been good for Apple. The new Flashback malware is now present on 600,000 Macs, and authentication passwords can be easily accessed without major legwork on popular iOS apps.

Your phone also doesn’t have to be stolen in order for a cyber criminal to potentially steal your login credentials. An individual could write a malicious program and implement it through a phishing attack that could access and copy the .plist information stored by these programs. All a criminal needs is access to kilobytes of information stored inside the .plist to steal terabytes of personal information or intellectual property sitting on Facebook, Dropbox and more.

Currently Facebook is working on a solution to the problem. Although they claim the issue exists for only “jailbroken” iOS devices or modulated Android ones, Wright proves it’s not isolated to just these variations of these popular smartphone operating systems. Facebook did issue this statement:

Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.

We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.

The next obvious step is to mandate encryption of access credentials by app manufacturers from both Apple and Google. Keep in mind that these apps were just a handful of tested ones by Wright. The potential exists for more apps with this vulnerability to remain on the official app marketplace provided by Apple or Google, so expecting more out of them is one of the first ways to prevent these problems moving forward.

Leave a Reply