When it comes to security, Apple has gone to great lengths to make its iOS platform much less prone to exploits and has engineered measures such as a sandboxed environment, protected app space and even encrypting every single file created on the iPhone with its own encryption key wrapped in the user’s passcode.

But developers have become increasingly reliant on Apple for app security, and as a result security has become an afterthought for many of them. That’s why security experts attending the Black Hat cybersecurity conference in Las Vegas think developers should take matters into their own hands and add more security on top of Apple’s baked-in protections…

In a post over at HartfordBusiness, CNN writer David Goldman quotes a presentation by senior forensic scientist Jonathan Zdziarski which explains that all a hacker needs to do in order to hack all the apps on your phone is to steal your device and discover and exploit an iOS vulnerability before Apple does.

Zdziarski then outlines one of the possible scenarios.

A bug in PayPal’s app, for instance, allows a hacker to place malicious code in a stolen iPhone and get all the log-in information that a user enters. It’s unlikely. The hacker would need about 20 minutes with the iPhone to do it before handing the phone back to the owner. But the point is it’s possible – and it shouldn’t be.

PayPal is “investigating the issue”.

This is unsettling. I’m using PayPal’s iPhone app on a daily basis, having been unaware that my login information could be easily compromised.

He also says Apple should enforce password confirmations every time a user returns to an app they’ve previously logged into.

This is also a valid point. Some apps provide this as an option, but a system-wide solution would have been much better.

For example, Dropbox’s official iOS client allows you to set in preferences an app lock code which kicks in each time you switch from Dropbox to another app.

Now, Apple’s platform security team manager Dallas De Atley gave a presentation at the Black Hat cybersecurity conference (Apple attended for the first time).

His speech, however, was met with a ‘meh’, as it was mostly material gleaned from Apple’s previously published white paper on iOS security.

The New York Times wrote that De Atley “had basically done the equivalent of reading aloud a white paper, timed to a PowerPoint deck, before escaping out a side door without answering any questions”.

De Atley’s presentation reiterated Apple’s approach to iOS security like this:

“Our attitude is: security is architecture. It has to be built in from the very beginning,” Mr. De Atley said. In building the iPhone, he said, Apple took a bare-bones approach and sought to use the minimum number of components.

Apple purposefully decided not to ship the phone with a shell, or support remote log-in access. “There’s an entire set of attack vectors we don’t have to fundamentally worry about on iOS,” he said.

He also outlined a number of sandboxing technologies Apple had in place, noting that Apple’s goal is “to physically isolate and separate processes from each other so that if one has a flaw, it can’t easily wreak havoc on the rest of the system”.

Some examples of this sandboxing:

As examples, he noted that all third-party apps were stored in their own container on users’ devices. User data is kept partitioned from the device’s operating system so that any updates to the system do not affect the user’s personal data.

He added that every single file created on the iPhone gets its own encryption key and is wrapped in the user’s passcode.

With conference attendees criticizing De Atley’s presentation, Cupertino should probably take a long, hard look at iOS security and impose stricter rules on how third-party apps handle login credentials.

I for one would welcome this.

I just want to be on the safe side knowing that apps won’t expose my private information by storing login credentials in plain text on the device.

Oh yeah, it’s a real issue.

Thoughts?

  • Justin Amberson

    Christian, you’re a writer for iDownloadBlog.com, the site that serves up juicy news on the latest jailbreak tweaks and apps. I don’t know if you fail to realize this or not, but jailbreaking your device is a security risk. Apps obtained from Cydia are installed in an unsandboxed directory and have unlimited access to the entire filesystem.

    I’m the developer of an app called DataDeposit, which backs up all of your app data to Dropbox. DataDeposit needs this filesystem access to work. I’m not a bad guy, but it wouldn’t be hard to parse your install directory for apps like PayPal and then do something with whatever is inside the bundle.

    The point is, the iPhone filesystem was never meant to be examined in this way. Users who don’t jailbreak are at a very low risk for security issues. Your comment about using the PayPal app and feeling uneasy is sort of funny in this light. You’ve already jailbroken your device, which is half the process for putting malicious code onto it. Now all you need is an unscrupulous dev to get a safe-looking package on Cydia and you’re toast.

    • Good point Justin!

    • I hear what you’re saying but I think the point Zdziarski is making here is that jailbroken or NOT, apps on an iOS device aren’t always as secure as we might think. As far as I know, he’s demonstrated exploits that didn’t rely on a jailbroken device. And FWIW, I know Christian doesn’t jailbreak his devices 🙂

      • Justin Amberson

        The apps themselves may be developed with bad practices, like connecting over HTTP with username and password broadcast in the clear. What Zdziarski is indeed talking about are apps that are using a poor security practice of storing passwords in plain-text. Facebook had this problem with an authentication token being stored in plain-text, but it was fixed.

        Developers do need to have more secure practices. I was just pointing out the irony in Christian’s editorial, that he’s suddenly paranoid about security problems although he writes for a blog that advocates circumventing the first line of defense anyway =). Cool to know that he doesn’t jailbreak, though.

        By the way, I’ve pretty much stopped development on DataDeposit after iCloud came out. But if you’re interested, you can send some apps over to Dropbox and then inspect the contents of the archive to see what kind of data is being stored by your apps.

        Have a nice day.

    • EpicFacepalm

      There is no evidence that it existed. Jailbroken iOS devices are very popular, and thanks to very talented hackers we can do that. If we ever faced those security risks, some people might report them to the public.

      Of course, there was malware like iKee, but we knew about it. I don’t think there is stealth malware in Cydia. At least IMO, Saurik or the BigBoss and ModMyi repo admins would remove it.

    • tim

      I love DataDeposit! It’s great! Good job on it, btw.