Posts Tagged ‘Pwn2Own’

First Security Breach In The App Store

November 8, 2011 Leave a comment

It looks like the Judgment Day for iOS has finally arrived. Until today the robustness of the AppStore has always been considered one of the strengths of the Apple Model: unlike the Android Market, which is constantly under attack for its weak security model that allowed too many malicious users to upload malicious applications, a strict control policy had prevented, at least so far, the same destiny for the mobile Apple Application.

Unfortunately Charlie Miller, an old acquaintance of the Apple Supporters, thought that winning three Pwn2Owns in the last four years (2008, 2009 and 2011) exploiting practically every Apple Vulnerability was not enough. So he decided consequently to attack Cupertino directly inside its AppStore security model.

The story begins early last year, after the release of iOS 4.3 when the researcher became suspicious of a possible flaw in the code signing of Apple’s mobile devices.

As stated in the original article by Forbes:

To increase the speed of the phone’s browser, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

The next step was to discover a bug that allowed to expand that code-running exception to any application, and that is exactly what he did, but still this was not enough.

After discovering the bug, he submitted an App to the App Store exploiting the vulnerability. The App was approved and behaved as expected (actually a behaviour to which the victims of Android malware are quite familiar): the app was able to phone home to a remote computer downloading new unapproved commands onto the device and executing them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.

This method will be presented at the SysCan Conference in Taiwan next week even if a video demonstrations of the exploit is already available.

Last but not least: as a reward for discovering the bug, Apple has decided to revoke to Miller the Developer’s License.

Probably Android users will be the happiest to learn that, as stated by Miller:

Android has been like the Wild West. And this bug basically reduces the security of iOS to that of Android.

At least for one thing (security), iOS and Android are identical.

Cross-Site Scripting in svendita… All’Android Market

March 9, 2011 1 comment

Per un giorno mi ero ripromesso di non parlare dei problemi di sicurezza dell’Androide ma non ce l’ho fatta… Non si sono ancora sopite del tutto le polemiche relative al modello di sicurezza dell’Android Market (io invece mi ero quasi sopito) che oggi è trapelata la notizia di una grave vulnerabilità di tipo XSS esistente, dalla sua origine, nella versione Web dell’Android Market. Prima della sua scoperta da parte di Jon Oberheide (ricercatore di sicurezza non nuovo a questo genere di scoperte), la vulnerabilità  in questione era sfruttabile inserendo codice malevolo  all’interno del campo “Description” nella finestra di pubblicazione delle applicazioni.

La falla nel sistema di input consentiva di eseguire il codice in questione nel dispositivo client nel momento in cui l’utente  ricercava l’applicazione nel mercato (e quindi il browser leggeva il campo in questione).

Dopo la segnalazione la vulnerabilità è stata sanata, ma senza dubbio, per il povero androide, continua a piovere sul bagnato.

Piccola nota romantica: il ricercatore cacciatore di taglie informatiche ha scoperto la vulnerabilità e l’ha segnalata a Google pochi giorni prima del Pwn2Own 2011, ricevendo una taglia di 1337 $. L’avesse svelata durante il contest avrebbe ricevuto in premio 15.000 $, quindi un ordine di grandezza in più di quanto meritatamente spillato nella circostanza al gigante di Mountain View.


Get every new post delivered to your Inbox.

Join 3,710 other followers