LAS VEGAS -- While Apple was making its decidedly lackluster Black Hat debut just one floor up, security researcher Jonathan Zdziarski was explaining the dark art of iOS app hacking to a smaller but still crowded room.

A senior forensics scientist at viaForensics, he clearly didn't have much faith in the security of apps running on iOS. "iOS can be infected through a new zero-day, or you can take a phone and run real fast. Apparently, bars are a great way to pick up iPhones," he said as the audience chuckled, clearly remembering the two separate lost iPhone prototype incidents. He wasn't joking, though. There are three ways to hack an iOS app. One involves a zero-day exploit, a previously-unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.

"You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it." Or, he explained, "Give me two minutes with somebody's phone and I can dump the entire file system from it." From there, he said he could look at apps for an exploit to take advantage of remotely.

He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use. His slide projector showed images from the "Apple Store for Government," a sentence in a news story about the Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey using an iPad to read classified documents, and a photo of President Obama using an iPad.
A slide from Zdziarski's session on iOS app hacking. (Credit: viaForensics)
The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it's true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.) Zdziarski noted that security has become an afterthought for iOS app developers, since they're trusting Apple's iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. "Anybody with freely available open source tools can get around that encryption now," said Zdziarski, who said the encryption has been busted for two years. Zdziarski also showed how he didn't even have to have the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits on the iPhone idle until the owner enters in the passcode, decrypting the file system and giving the malicious code access to the entire file system. "Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard friendly passphrase." So, although the phone's operating system may be protected, the level of data security on the phone presumes that iOS won't be hacked. He showed how he was able to unroll the encryption on the OneSafe app using a single command line. OneSafe has since worked with Zdziarski and fixed the problem. But, he said, there are credit card processing apps that are much worse. He refused to name which ones to protect the personal data of the people using those apps. He suggested that Apple tie a longer passphrase to the boot cycle, so that the phone won't boot without a passphrase. For developers, he gave them tools called Tamper Response Techniques to help them determine if they're apps been attacked or infected with foreign code toward the end of his session. He also cautioned them not to take shortcuts with encryption. Despite the app security flaws, Zdziarski said that he was not bashing Apple. "This wasn't a 'pick on Apple' talk. They've done a great job trying to improve security, but developers have to know that they can't just rely on the monoculture to carry them."