Wednesday, April 29, 2015

100,000+ iOS Apps Compromised
By Bad AFNetworking Libraries.
The list of affected apps and bugs grows.

--
INTRODUCTION

Right off the bat, here is what you need to know:

*Where to check if you're running bug affected iOS apps*


Enter the name of the developer of an iOS app you use over the Internet on your iOS devices. Hit the Search button. SourceDNA will then check that developer against its [secret] list of AFNetworking bug-affected apps and let you know if your iOS devices are currently in danger. If an app is affected, DON'T USE IT until it has been patched to AFNetworking library v2.5.3. Keep checking at the Report page or check with the iOS app developer to find out if a specific app has been patched.
--

The TWO AFNetworking library security bugs, found in versions 2.5.1 AND 2.5.2

NOTE: The AFNetworking bugs do NOT affect iOS 8 itself, or any of the native Apple iOS apps, including Safari. Apple does not use AFNetworking. Apple apps are entirely safe to use. You may wish to fall back to using iOS Safari for your Internet work, as opposed to bug-affected third-party apps, until this situation ends.

I read about the first of these iOS app security problems last week, but sensed the scenario was not yet complete. At the end of last week, another great big shoe dropped, making the situation considerably more dangerous. Let me walk you through a few news articles about the AFNetworking bugs, in chronological order:

March 26, 2015, Simone Bovi and Mauro Gentile at Minded Security

SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production!
During a recent mobile application security analysis for one of our clients, we identified a quite unobvious behaviour in apps that use the AFNetworking library.

It turned out that because of a logic flaw in the latest version of the library, SSL MiTM attacks are feasible in apps using AFNetworking 2.5.1.

The issue occurs even when the mobile application requests the library to apply checks for server validation in SSL certificates.

Given that the AFNetworking library is one of the most popular networking libraries for iOS and OS X and it is used by Pinterest, Heroku and Simple among others, the problem could affect a very high number of mobile users. . . .
April 20, 2015, Dan Goodin at Ars Technica
1,500 iOS apps have HTTPS-crippling bug. Is one of them on your device?
Apps downloaded two million times are vulnerable to trivial man-in-the-middle attacks.
About 1,500 iPhone and iPad apps contain an HTTPS-crippling vulnerability that makes it easy for attackers to intercept encrypted passwords, bank-account numbers, and other highly sensitive information, according to research released Monday. . . .

Although AFNetworking maintainers fixed the flaw three weeks ago with the release of version 2.5.2, at least 1,500 iOS apps remain vulnerable because they still use version 2.5.1. That version became available in January and introduced the HTTPS-crippling flaw. . . .
According to research published Monday by SourceDNA, about 1,500 iOS apps remain vulnerable to man-in-the-middle attacks that can decrypt HTTPS-encrypted data. To exploit the bug, attackers on a coffee shop Wi-Fi network or in another position to monitor the connection of a vulnerable device need only present it with a fraudulent secure sockets layer certificate. Under normal conditions the credential would immediately be detected as a counterfeit, and the connection would be dropped. But because of a logic error in the code of version 2.5.1, the validation check is never carried out, so fraudulent certificates are fully trusted.
Dan's original article, quoted above, cited a blog posting by SourceDNA that had been released earlier that day, April 20th. SourceDNA's post has since been considerably updated as further information has been collected. Originally, the blog posting noted that at least 1,500 iOS apps had been found to be affected by the AFNetworking library bug. That figure has currently progressed to 'over 100,000'. Below I quote the posting as of this moment. Keep an eye on it as revelations about this specific AFNetworking library v2.5.1 bug progress.

April 20, 2015... SourceDNA
You know there's a security flaw hidden in over 100,000 iOS apps out of the 1.4 million total, but which ones are actually vulnerable? How would you find out?

SourceDNA is constantly scanning apps from the app stores, analyzing and indexing their binary code. This lets us search for apps by their behavior and the tools & libraries they were built with.

AFNetworking recently had a major security flaw. Due to lack of SSL cert validation, the proverbial coffee shop attacker could easily bypass SSL and see all your app's user credentials and banking data. We decided to track down apps that were still using the vulnerable version of AFNetworking and notify their developers so they could patch the flaw.

First, we had to determine the vulnerability window. We found the AFNetworking flaw was present in the Github repo from January 24 through March 25. More importantly, it had been released as version 2.5.1 on February 12 before being fixed in version 2.5.2. Any developer who updated their app during that window could have integrated the vulnerable library.

THEN THIS HAPPENED: 

A new security bug was found in both v2.5.1 and the updated AFNetworking library v2.5.2.

April 24, 2015... SourceDNA
AFNetworking Strikes Back: 25,000+ Apps
... A few weeks ago, we found that version 2.5.2 did fix this issue, but there was another flaw nearby in the same code. Domain name validation could be enabled by the validatesDomainName flag, but it was off by default. It was only enabled when certificate pinning was turned on, something too few developers are using.

This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet. Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server....

We've updated Searchlight to show which apps are still vulnerable, and we'll continue to publish new results there as affected apps are updated....
April 24, 2015, Dan Goodin at Ars Technica
Critical HTTPS bug may open 25,000 iOS apps to eavesdropping attacks
Just when you thought it was safe to use AFNetworking apps, a new threat emerges.
At least 25,000 iOS apps available in Apple's App Store contain a critical vulnerability that may completely cripple HTTPS protections designed to prevent man-in-the-middle attacks that steal or modify sensitive data, security researchers warned. 
...The bug resides in AFNetworking, an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that's trivial for hackers to monitor or modify, even when it's protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).
"The result is an attacker with any valid certificate can eavesdrop on or modify an SSL session initiated by an app with this flawed library," Nate Lawson, the founder of security analytics startup SourceDNA, told Ars. "The flaw is that the domain name is not checked in the cert, even though the cert is checked to be sure it was issued by a valid CA. For example, I can pretend to be 'microsoft.com' just by presenting a valid cert for 'sourcedna.com.'"

Lawson estimated that the number of affected iOS apps ranged from 25,000 to as high as 50,000. SourceDNA has provided a free search tool that end users and developers can query to see if their apps are vulnerable. To make it harder for attackers to exploit the vulnerability maliciously, SourceDNA isn't providing a comprehensive list of vulnerable apps. . . .
iOS users should immediately check the status of any apps they use, especially if the apps convey bank account numbers or other sensitive personal information. It may take the developers of vulnerable apps a few days to release an update that incorporates the AFNetworking fix, so users should be prepared to avoid any vulnerable versions for the time being. The AFNetworking error affects only apps that use the code library. The device itself and other apps, including browsers, aren't affected by the flaw, even if one or more apps on the device are vulnerable.
(All emphasis above is mine). The way this series of bugs is progressing, I'd count on 50,000+ iOS Apps affected.

Some of the iOS apps testing positive for this second AFNetworking library v2.5.2 bug include:

Bank of America
Wells Fargo
JP Morgan Chase

Meanwhile, ALL Microsoft iOS apps have tested positive for the original AFNetworking library v2.5.1 security bug.

DEVELOPERS: Update your iOS apps to AFNetworking library v2.5.3 immediately.
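As an added example (not code from this blog or from the AFNetworking project), this is how an app on AFNetworking 2.x can set the two checks discussed in the SourceDNA and Ars quotes above explicitly, instead of relying on the library defaults; the URL and host are placeholders.

```objectivec
// Added example, not the blog's or AFNetworking's own code: an explicit
// AFSecurityPolicy for AFNetworking 2.x that states both checks the posts
// above describe, rather than trusting the library defaults.
#import <AFNetworking/AFNetworking.h>

static AFSecurityPolicy *HardenedSecurityPolicy(void) {
    // No pinning: the system trust store decides whether the chain is valid.
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];

    // Never accept self-signed or otherwise untrusted chains.
    policy.allowInvalidCertificates = NO;

    // Require the server certificate to match the host being contacted.
    // On 2.5.2 this was NO unless pinning was on (the second flaw);
    // stating it here closes that gap on 2.5.2 and keeps it closed later.
    policy.validatesDomainName = YES;

    return policy;
}

static void FetchAccountSummary(void) {
    AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = HardenedSecurityPolicy();

    // Placeholder URL. With validatesDomainName set, a chain-valid certificate
    // issued for some other domain (the "sourcedna.com presented as
    // microsoft.com" case quoted above) fails the handshake instead of passing.
    [manager GET:@"https://api.example.com/account/summary"
      parameters:nil
         success:^(AFHTTPRequestOperation *operation, id responseObject) {
             NSLog(@"response: %@", responseObject);
         }
         failure:^(AFHTTPRequestOperation *operation, NSError *error) {
             // A hostname mismatch surfaces here as a failed request, not as data.
             NSLog(@"request failed: %@", error.localizedDescription);
         }];
}
```

Setting these flags is not a substitute for moving to 2.5.3: on 2.5.1 the validation was skipped even when the app asked for it, as the Minded Security post above notes.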

iOS USERS: Check ALL the iOS apps you use over the Internet via the SourceDNA testing page. Bop back up to the top of this article for the link to the SourceDNA iOS Security Report page where you can check for affected developers and their applications. But here is the link again for your pleasure and convenience:


* Note that I will provide updates near the top of this post if/when further information about the AFNetworking bugs is available.

--

Thursday, April 23, 2015

Not In-The-Wild:
iOS 8 SSL Certificate Parsing Bug:
Crash, Crash, Crash

--

Interest Level: Background

The system used to encrypt data sent across the Internet has had a bad time this past year. A parade of bugs and exploits has been found. Related problems in hash functions have been found. Fraudulent security certificates have been forged by questionable certificate authorities. Google has injected a level of paranoia as well as demands for technology improvements, while itself ignoring its own aspirations. The result is a complicated and confusing mess that leaves users wondering what is safe and what is not.

On Wednesday, Dan Goodin of Ars Technica reported a new twist in the Internet encryption contortions by way of a report and public presentation from the company Skycure. They have found a bug in iOS 8 that allows an attack on iOS devices over Wi-Fi through the use of a malicious SSL security certificate. This attack can trigger Apple devices running iOS 8 to go into an endless crash loop while in the connection vicinity of the offending Wi-Fi network.

Note that this bug is NOT yet being exploited in the wild. It is at this point simply of interest while we wait for Apple to patch the bug and prevent it from becoming a real problem for users.

Below, I have linked both Dan Goodin's article and the source blog post from Skycure.

If you're interested in higher level Mac and iOS security, this is well worth a read. Otherwise, it's in the background as only a potential problem to iOS users.

iOS bug sends iPhones into endless crash cycle when exposed to rogue Wi-Fi
SSL cert parsing error allows attackers to create "No iOS Zone," researchers say.
- Dan Goodin, Ars Technica

“No iOS Zone” – A New Vulnerability Allows DoS Attacks on iOS Devices
- Yair Amit, Skycure

Both articles provide videos illustrating the SSL certificate bug.

Share and Enjoy,
:-Derek

--

Upcoming Changes To The Mac-Security Blog

--

In order for me to continue this blog amidst the other work I do, I'm going to make two basic changes.

The first is that this blog is going to generally change from longer posts with my commentary to shorter informative posts that act as alerts to those interested in what's going on in Macintosh and iOS security. This allows me to be more spontaneous and not have to spend a great deal of time writing.

The second is that the geek-level of this blog is going to increase considerably. Translation: I'm going to raise the level of what I post to that of my own level of understanding and interest in Mac and iOS security. This allows me to be more spontaneous and closely fit my blog posts with what I am discussing on the net with others about Mac security.

As such, I expect this blog will at times challenge the understanding and comprehension of some readers. I also expect criticism that the blog draws attention to esoteric and unimportant aspects of Mac security. The usual phrase used in such criticism is FUD: Fear, Uncertainty and Doubt. This means that taking my posts too seriously may mean that they sound needlessly alarmist. We will hopefully sort out how to address this situation as my new approach progresses.

The overall reason for these changes is that my time is limited, but I still want to share the latest news regarding all aspects of Mac and iOS security. I regularly chatter about computer security with several people on the Internet. I'd like save myself time and effort by synchronizing my blog posts with my background security chatter.

We'll see how well this works over time. For the moment, it's a strategy that allows me to be more active on the blog and may well help many readers keep up with what's going on both on important and esoteric levels.

Please feedback at me to help me know the impact of this new approach.

Thanks!

:-Derek


--