iPhone apps just as unsafe as Android apps, says security researcher

A woman looking at her smartphone in alarm.
(Image credit: Kang Sunghee/Shutterstock)

UPDATED with comment from Blue Shield of California.

iPhone users shouldn't feel too smug about their phone's security — iOS apps are just as unsafe to use as Android apps, a security researcher and college instructor told the Def Con hacking conference this past weekend.

Like many Android apps, many iOS apps transmit user passwords in plaintext or save the password unprotected on the phone, said Sam Bowne, an instructor at the City College of San Francisco. Others fail to apply encryption properly, leaving the apps vulnerable to attack.

"Finding vulnerabilities in mobile apps is like taking a time machine back to the early '90s when people didn't know anything about security," Bowne said.

Nonetheless, because Apple has made it very difficult to examine iOS apps or the iOS operating system, no one knew how unsafe iOS apps actually were until recently.

"I did a lot of Android auditing because it's very easy on Android," Bowne said. "It was very difficult on iOS until Checkra1n."

Last autumn, a team led by one of Bowne's former students released the Checkra1n jailbreak, which cracks open the software of any iPhone model from the iPhone 4s to the iPhone X. That gave Bowne the chance to examine iOS apps.

"I discovered that it is true what I had heard -- that iOS apps are just as bad as Android apps," Bowne said, even though "the [iOS] operating system is a little more secure, and the coding language is harder to reverse engineer."

Much of the blame falls on third-party app developers that are contracted to build apps for other companies, Bowne said. But ultimately, the responsibility lies with the companies whose names are on their apps.

"It's painfully obvious," Bowne said, "that the standards of most app developers are extremely low, and that the management [of the companies that use the apps] does not review the security of apps they purchase from third-party developers, not even for the simplest flaws."

When your banking app makes simple security mistakes

Ten or 15 percent of Android apps that Bowne has examined make simple security mistakes, the researcher told the Def Con attendees.

As of 2015, those included top banking, stock-trading and insurance apps, all from brands that are household names. None of the apps had integrity checks to prevent their code from being tampered with.

"You can see the source code, you can modify the code, you can make a modified app and run it, and they don't detect that it's modified and they don't notice that it's an unauthorized app when it connects to the server," Bowne said.

Crooks could use these flaws to create modified versions of the Android apps. If a crook got you to install one of the corrupted apps, the crook would gain access to your account as soon as you logged in.

There's a list of these vulnerable banking, stock-trading and insurance apps on Bowne's website. We're not naming them here because some have likely been fixed since Bowne found the flaws in 2015.

'Very strange' password handling

"An enormous number of apps remember who you are by storing your password locally on the phone," Bowne said, which he called "very strange." It's a shortcut that creates unnecessary risks.

Bowne named more than a dozen Android apps from well-known restaurant, supermarket, drugstore, home-improvement and office-supply retail chains that, as of 2017, stored user passwords locally either in plaintext or with bad encryption that could easily be cracked.

Now for the bad news for iPhone users. You'd assume that iOS apps would be safer, because overall Apple's mobile operating system is harder to break into. But that's not the case, Bowne said.

"I never really knew how bad it was on iOS" until the Checkra1n jailbreak, developed by Bowne's former student AxiomX, he said: "I couldn't really look inside the file system."

"Because of him and the team that joined him to make the Checkra1n exploit, we could now get into the system of modern iPhones," Bowne said. "And that was fun."

iOS apps have the same problems

During December 2019 and January 2020, Bowne said, "I audited a few hundred iPhone apps — and I found all the same problems with iPhone apps."

For example, the Blue Cross Blue Shield of Massachusetts iOS app stored passwords on the phone without encryption.

The Blue Shield of California iOS app broke web encryption, making it vulnerable to man-in-the-middle attacks. In 2014, Fandango and Credit Karma were fined by the FTC because their Android and iOS apps did this too.

[Update: In response to our query, Blue Shield of California said that its iOS app had been fixed.]

The West Point and Air Force Academy athletics teams' iOS apps both transmitted user passwords over the internet in plaintext, Bowne said. The Zillow Rentals iOS app stored passwords in plaintext on the phone.

Reached for comment, a Zillow spokesperson told Tom's Guide, "We are aware of the reported issue affecting iOS users and our teams are working to develop an update to protect our customers. We'll be releasing a security update soon that users can download via the App Store."

Apple's best app protection is optional

Bowne was surprised by the passwords transmitted in plaintext from iOS apps, because he thought Apple's App Transport Security (ATS) protection feature made encryption mandatory. But he checked Apple's developer guides and found that apps don't have to use ATS. A separate report in mid-2019 found that fully two-thirds of iOS apps didn't use ATS at all.
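An app opts out of ATS through keys in its Info.plist, so the quickest way to see whether an app has weakened it is to read those keys. The audit function below is an added example written for this article, not code from Bowne's talk or from Apple; the two Info.plist fragments are constructed, and the bundle identifiers in them are placeholders. The key names (NSAppTransportSecurity, NSAllowsArbitraryLoads, NSExceptionDomains and the per-domain exception keys) are Apple's documented ATS keys.

```python
"""Check an iOS app's Info.plist for settings that weaken App Transport Security.

Added example; the plist contents below are constructed, not taken from any
real app. The ATS keys referenced are Apple's documented NSAppTransportSecurity keys.
"""
import plistlib

# Constructed Info.plist fragments, serialised with plistlib so they parse
# exactly like the XML plist extracted from a real .app bundle.
WEAK_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.weakapp",  # placeholder identifier
    "NSAppTransportSecurity": {
        # Global opt-out: every http:// load is allowed.
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {  # placeholder host
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
                "NSExceptionRequiresForwardSecrecy": False,
            }
        },
    },
})

STRICT_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.strictapp",  # placeholder identifier
    # No NSAppTransportSecurity dictionary: ATS defaults apply (HTTPS only,
    # TLS 1.2 or later, forward-secret cipher suites).
})


def audit_ats(plist_bytes):
    """Return human-readable findings; an empty list means ATS defaults are intact."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for every connection")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"{key}=true: ATS disabled for that content class")

    # Per-domain exceptions: each one carves a hole in the default policy.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plaintext HTTP permitted")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {min_tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy requirement removed")
    return findings


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_PLIST), ("strict", STRICT_PLIST)):
        print(label, audit_ats(plist) or ["no ATS weakening found"])
```

Two caveats when using a check like this: ATS governs only connections made through Apple's URL loading system, so an app that ships its own networking stack can send plaintext without touching any of these keys; and a clean Info.plist says nothing about code that disables certificate validation at runtime. Both still require the kind of traffic and file-system inspection Bowne describes.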

"I had believed that Apple was more secure than that, but it's not so," Bowne said. "And it's certainly not so in practice."

Even the iOS app for students at Bowne's own school, City College of San Francisco, transmitted user passwords with broken encryption, he said. Several other colleges around the country used the same developer to build their iOS apps, with the same results.

Bowne found about a dozen iOS apps from regional banks in the Midwest and California, built by two different developers, that exposed user passwords in a log file on the phone.
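The two storage mistakes described above, passwords saved in the app's local preferences (the Android retail apps and the iOS apps that kept passwords on the phone) and passwords echoed into a log file (the regional bank apps), are the kind of thing an auditor finds by pulling an app's private data directory from a test device and scanning it. The scanner below is an added example written for this article, not Bowne's tooling; it runs over three constructed artifacts, an Android SharedPreferences XML file, an iOS NSUserDefaults plist and an app log, and all keys, values and log lines in them are made up.

```python
"""Audit extracted app-storage files for plaintext credentials.

Added example. The samples below are constructed to imitate what an auditor
sees after copying an app's private data directory from a test device; none
of the keys, values or log lines come from a real app.
"""
import plistlib
import re
import xml.etree.ElementTree as ET

# Preference keys that commonly hold a credential (heuristic, case-insensitive).
CREDENTIAL_KEYS = re.compile(r"(pass(word|wd)?|pwd|secret)", re.IGNORECASE)

# Log lines that echo a credential, e.g. "password=hunter2" or "pwd: hunter2".
LOG_PATTERN = re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*(.+)$", re.IGNORECASE)

# --- Constructed samples (not from any real app) ---
ANDROID_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>
"""

IOS_DEFAULTS = plistlib.dumps({
    "userEmail": "bob@example.com",
    "userPassword": "correct horse battery staple",
    "launchCount": 7,
})

APP_LOG = """2020-01-12 09:14:02 INFO  LoginViewModel: submitting login for bob@example.com
2020-01-12 09:14:02 DEBUG LoginViewModel: password=correct horse battery staple
2020-01-12 09:14:03 INFO  LoginViewModel: login ok
"""


def scan_android_prefs(xml_bytes):
    """Return (key, value) pairs from a SharedPreferences file whose key looks credential-like."""
    root = ET.fromstring(xml_bytes)
    return [(elem.get("name", ""), elem.text or "")
            for elem in root
            if elem.tag == "string" and CREDENTIAL_KEYS.search(elem.get("name", ""))]


def scan_ios_defaults(plist_bytes):
    """Return (key, value) pairs from an NSUserDefaults plist whose key looks credential-like."""
    data = plistlib.loads(plist_bytes)
    return [(k, v) for k, v in data.items()
            if isinstance(v, str) and CREDENTIAL_KEYS.search(k)]


def scan_log(text):
    """Return (line_number, matched_text) for log lines that print a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_PATTERN.search(line)
        if m:
            findings.append((lineno, m.group(0)))
    return findings


def audit_all():
    """Run every scanner over the constructed samples, grouped by source."""
    return {
        "android_shared_prefs": scan_android_prefs(ANDROID_PREFS),
        "ios_user_defaults": scan_ios_defaults(IOS_DEFAULTS),
        "app_log": scan_log(APP_LOG),
    }


if __name__ == "__main__":
    for source, hits in audit_all().items():
        for hit in hits:
            print(f"[{source}] plaintext credential: {hit}")
```

The key-name heuristic is deliberately loose, so expect to review hits by hand; the point is that a password that must survive an app restart belongs in the platform keystore (Android Keystore-backed storage or the iOS Keychain), and a password that is only needed once should never reach a preferences file or a log at all.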

"You would think, at least, that a developer that's making a whole product line would have some security auditing, but obviously they don't and their customers don't," Bowne said. "So you can just sell broken junk forever and nobody will catch you for a long time."

Bowne disclosed all these iOS app vulnerabilities to the app distributors earlier this year, and many have been fixed, he said, "if they're ever gonna be fixed."

The worst app in the world?

The "worst app in the world," Bowne said, is probably an Indian financial app for Android called Equity Pandit that he called "incredibly, mind-bogglingly insecure" even though it's still in common use.

Ideally, when you type your password into an app, the app should send the password in encrypted form to the app's server, where it should be compared to the encrypted password the server has on file for your username.

If the encrypted passwords match, then an encrypted authorization token should be sent from the server to your phone to grant you access.

Here's what the Equity Pandit Android app does instead, according to Bowne: When you type in your email address followed by an incorrect password, the Equity Pandit app sends your unencrypted email address to Equity Pandit's server.

The server looks up the correct password for your email address and transmits the unencrypted password to the app on your phone. Then the app checks the password you typed in against the correct password it has just been sent from the server.
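The contrast between the two flows above comes down to where the comparison happens and what the server is willing to hand back. The login handler below is an added example, not code from Equity Pandit or from Bowne's talk, and it follows the standard design the article's "ideal" flow gestures at: the server keeps only a salted PBKDF2 hash, does the comparison itself in constant time, and returns nothing but an opaque session token. The user record, the in-memory "database" and the token store are constructed for the example.

```python
"""Server-side login check that never sends a stored password to the client.

Added example, not code from any app in the article. Assumes the standard
design: the server stores a salted PBKDF2 hash, compares hashes in constant
time on the server, and issues an opaque session token on success. The
in-memory stores below stand in for a real database.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000
SALT_LEN = 16
HASH_LEN = 32  # SHA-256 output length

USERS = {}     # email -> (salt, hash); constructed in-memory store
SESSIONS = {}  # token -> email; constructed in-memory store

# Dummy record used for unknown emails so the wrong-email path costs the same
# as the wrong-password path (no timing hint about whether the account exists).
_DUMMY = (b"\x00" * SALT_LEN, b"\x00" * HASH_LEN)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(email, password):
    """Store a salted hash; the plaintext is discarded as soon as it is hashed."""
    salt = os.urandom(SALT_LEN)
    USERS[email] = (salt, _hash_password(password, salt))


def login(email, password):
    """Return an opaque session token on success, or None on any failure.

    The server never returns the stored credential in any form: the only way
    to learn whether a password is right is to submit it, and the only thing
    the client receives afterwards is a token it cannot turn back into a password.
    """
    salt, stored = USERS.get(email, _DUMMY)
    candidate = _hash_password(password, salt)
    if email not in USERS or not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def lookup_session(token):
    """Resolve a token to its account; this is all the client holds after login."""
    return SESSIONS.get(token)


if __name__ == "__main__":
    register("alice@example.com", "hunter2")  # constructed account
    print("wrong password ->", login("alice@example.com", "letmein"))
    token = login("alice@example.com", "hunter2")
    print("right password ->", lookup_session(token))
```

The Equity Pandit flow as Bowne describes it inverts every property here: the comparison runs on the phone, so the server has to ship the reference value to an untrusted device, and because that value is the password itself rather than a hash, anyone holding the email address receives the secret. Moving the check to the server and storing a hash removes both halves of that problem.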

How to get anyone's password

Anyone who knows your email address can use this flaw to force the Equity Pandit server to send them your password, which the attacker will be able to see in plaintext using easily available Android emulation tools.

"I gave my students homework to just steal my password from my account on their server," Bowne said, referring to Equity Pandit's server. "Anybody can get anybody's password at any time."

Bowne said he told Equity Pandit about this problem with its Android app years ago, but the problem still hasn't been fixed. He continues to use the app in his hacking classes. Neither Equity Pandit's Android app nor its iOS app has been updated since early 2016.

"That is astonishing to me," Bowne said, "that a company, especially a financial company, can just hand out all the passwords of everybody all the time and nobody cares and it's still going on."

Almost as bad was the University of Houston alumni app for Android, Bowne said. Before you even logged in, it would let you search for yourself on a list of alumni.

To make that easier, it would just send the school's entire alumni database to your phone, including alumni names, account numbers, credit card numbers, email addresses and passwords. That's before you even created an account.

This may have been done so that the lookup process would run faster on a phone with a bad network connection. But the result was that thousands of people were probably walking around with each other's personal private data on their phones. That Android app has since been fixed, Bowne said.

10 percent repair rate

Tom's Guide has reached out to Equity Pandit, the City College of San Francisco and Blue Shield of California seeking comment. Attempts to reach Blue Cross Blue Shield of Massachusetts were unsuccessful. We will update this story when we receive replies.

The trouble with mobile-app flaws is that, in Bowne's experience, maybe 10 percent of companies that he notifies of flaws in their apps will ever fix them. That's better than a few years ago, Bowne said, when 2 percent of companies would fix the flaws and others would threaten to sue him or call him a criminal.

"It's becoming more common that they will at least admit that it is possible that they might have a security flaw," Bowne said, "and that in principle they should do something about it instead of just shooting the messenger."

PowerPoint slides for Bowne's Def Con presentation are on his website, and the video of the presentation is on YouTube, starting about 15 minutes in. If you'd like to learn more about reverse-engineering and auditing apps, many of Bowne's CCSF classes can be attended for free via remote-learning platforms.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/bad-ios-android-apps-bowne-dc28
