So recently, after almost a year in development, I finally published my iOS security app called TrustR. Frankly I’m quite surprised that no other security teams beat me to the release of this new type of security app – since it secures the iOS platform in such an obvious and necessary way.
For years the media has reported regularly about iOS apps introducing vulnerabilities to the system, exposing personal information or intentionally implementing privacy-violating features. A feature to warn users about unsafe apps seemed to me like the perfect addition to the security model, especially considering how the App Store makes people blindly download all kinds of apps, often mistakenly assuming they can trust these apps as they would trust Apple.
So the features of TrustR have indeed been welcomed, and TrustR has already revealed thousands of security problems on customer devices.
Security products often neglect the threat of privacy violation in favor of the more publicity-generating vulnerabilities and malware. This will not be the case with TrustR, because of my own personal disgust at the tendency of big corporations to basically steal data behind the backs of trusting consumers. It seems to me like an unethical and advanced form of greed that could lead to the death of privacy and subsequently perhaps of personal freedom.
Unrestricted Access
For those who haven’t read up on iOS security, the problems usually arise from apps’ unrestricted access to various data such as:
- Address book
- Picture folder (often including GPS and timestamps for tracking)
- Youtube history
- Safari searches
- Phone number, email and Unique Device ID
- Keyboard cache
- Wi-Fi connection logs (can be used for tracking)
A security problem we see quite a lot is apps with an HTTP or FTP server vulnerable to directory traversal – such a simple security problem, yet it basically exposes all the information above to anyone on the network with minor hacker skills.
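To make the directory traversal problem concrete, here is an added example (not code from TrustR or from any of the apps mentioned) showing the typical path-handling mistake an embedded file server makes, the hardened version of the same lookup, and a small triage check a defender can run over access-log request paths. The document root `/var/app/www` and the sample request paths are constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; a real embedded server would
# point this at the app's own documents directory.
DOC_ROOT = "/var/app/www"


def resolve_vulnerable(doc_root: str, request_path: str) -> str:
    """The classic mistake: decode the request path and glue it onto the root.
    Nothing stops '..' segments from walking out of doc_root."""
    return os.path.normpath(doc_root + "/" + unquote(request_path))


def resolve_safe(doc_root: str, request_path: str):
    """Map a URL path to a file under doc_root, or return None when the
    request tries to leave it. Handles percent-encoding, backslashes,
    embedded NUL bytes and '..' collapsing."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        # NUL-byte truncation tricks: reject outright.
        return None
    # Treat the request as relative to doc_root: normalise separators and
    # strip leading slashes so the join can never start at the filesystem root.
    relative = posixpath.normpath(decoded.replace("\\", "/").lstrip("/"))
    if relative == ".":
        relative = ""
    candidate = os.path.normpath(os.path.join(doc_root, relative))
    root = os.path.normpath(doc_root)
    # Final containment check: the resolved path must be the root itself
    # or lie strictly below it. Any '..' that survived normalisation fails here.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Raw and percent-encoded forms of '..' followed by a separator.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "..%2f", "..%5c")


def looks_like_traversal(request_path: str) -> bool:
    """Cheap triage for access logs: flag request paths that contain a raw
    or encoded '..' sequence. Case-insensitive so %2E and %2e both match."""
    lowered = request_path.lower()
    return any(marker in lowered for marker in TRAVERSAL_MARKERS)


if __name__ == "__main__":
    # Constructed request paths as they might appear in an access log.
    samples = [
        "/images/cat.jpg",
        "/docs/../index.html",
        "/../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "..\\..\\..\\etc\\passwd",
    ]
    for path in samples:
        print(f"{path!r:40} vulnerable -> {resolve_vulnerable(DOC_ROOT, path)}")
        print(f"{'':40} safe       -> {resolve_safe(DOC_ROOT, path)}")
        print(f"{'':40} flagged    -> {looks_like_traversal(path)}")
```

The important design choice is the final containment check: it does not try to enumerate every encoding of `..`, it simply refuses any resolved path that is not inside the root. On a real filesystem the same comparison should be done on `os.path.realpath` results so that symlinks inside the document root cannot point outside it; `normpath` is used here only so the example runs without the directory existing.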
Then we see the many privacy-violating apps, like the recently exposed Path, which stole your entire address book without your permission. The problem was fixed after a lot of bad press, and it now features a popup asking if Path can “steal” your address book. Due to the unclear Path privacy policy regarding the use of the data they collect, I for one am going to just stay away from that app.
We also see several examples of the mistake first made by PayPal, who back in the day launched their app without properly checking the server certificate, thereby exposing login information to anyone able to perform an SSL man-in-the-middle attack against the device.
Quite amusing was the recent cross-site scripting exploit for Skype – once again exposing the address book and the other private data mentioned above to a remote attacker.
Wonderful Malware Apps
The possibility of combining apps with malware is something I find quite fascinating. People carry their iOS devices in and out of office networks and home networks. All of a sudden, after downloading an innocent-looking farting app, the phone itself becomes a small trojan horse – with direct access to e.g. open network shares, or a portable malware launch platform directed at desktop or server operating systems.
The review process for apps is of course intended to keep out such apps – but the thoroughness of these reviews is not enough to reveal well-hidden malicious activity triggered by outside events. That said, you need not worry about malware apps too much at this point.
That’s all for now. Chill out and get TrustR – while it’s still free.