iSEC Research Labs

Blackbox Android App Analysis with Introspy

13 Dec 2013 - Marc Blanchou & Alban Diquet

As previously announced during our Ruxcon presentation, we’re now releasing Introspy for Android. The final version of the tool was demonstrated at the iSEC Open Forum here in San Francisco.

Blackbox Android Pentesting

Similarly to the iOS version that was released a few months ago, Introspy for Android is a tool designed to help penetration testers understand what an Android application does at runtime, and to greatly facilitate the process of reviewing the application’s security mechanisms.

The tool installs on a rooted device running Cydia Substrate and provides a GUI to configure hooks, filters and options. See the project page as well as the slides we presented at the Open Forum for more information about what the tool does and how it works.

Source code and pre-compiled packages are available on the project’s source repository on GitHub.

Browser Extension Password Managers

05 Nov 2013 - Paul Youn

Advances in password cracking and the frequent theft of password databases endanger single-factor password authentication. Password managers are one of the few tools that can help users remember unique, high-entropy passwords, and other secrets such as credit card numbers, for a large number of applications. Can password managers deliver on their security promises, or do they introduce security vulnerabilities of their own? This paper examines popular browser-based password managers and presents common security flaws that could be exploited to remotely extract a user’s password.

Previous research on password managers has focused on the cryptographic protection of the stored passwords themselves in particular environments, such as mobile devices. This research instead focuses on browser-specific integrations and on mechanisms for remotely compromising credentials. Four of the most popular password managers were examined: LastPass, OneLastPass, 1Password, and MaskMe.

This research shows that the examined password managers made design decisions that greatly increase the chance of users unknowingly exposing their passwords through application-level flaws. Many of the flaws stem from browser-integrated password managers not enforcing the same-origin policy that is crucial to browser security: a password saved for one origin could be autofilled into a credential form belonging to another, so an attacker who can get a form in front of the user (or in front of the extension) can harvest the password without ever cracking it.

Check out the full paper here.

Ruxcon 2013 - Introspy Presentation Slides

27 Oct 2013 - Alban Diquet

Update: Introspy for Android is now available; we’ve also updated the slides with additional information regarding the tool.

The slides for the Introspy: Security Profiling for Blackbox iOS and Android presentation from Ruxcon 2013 are now available.

The presentation was given by Marc Blanchou and Alban Diquet, and introduces a tool designed to facilitate the black-box testing of iOS and Android applications.

  • Slides can be downloaded here
  • Introspy’s project page is available here

Only the iOS version is currently available; we will update this blog post as soon as we release the Android tool.

Working with the Open Technology Fund

14 Oct 2013 - Tom Ritter

Over the past year, iSEC Partners has worked with the Open Technology Fund on several of their supported projects. OTF funds projects that develop open and accessible technologies promoting human rights and open societies. Some of the projects they support that we’ve been able to work on are Open Whisper Systems’ RedPhone and TextSecure, Commotion, and GlobaLeaks, among others.

We consider ourselves very fortunate to be able to work on projects that are both technically interesting and help make the world a better place. Projects that OTF supports are used in the field to document human rights abuses abroad, provide secure, encrypted communication platforms, and help document Internet interference and censorship. An extension of our Liberation Technology Auditing Cheatsheet, this work is directly in line with our efforts to make the entire Internet a more secure place.

In conjunction with these audits, we’ve also helped OTF perform a review of their audit process. The goal of this review was to take a look at the breadth, scope, and coverage of security audits performed on OTF funded applications to date. We aimed to identify the strengths and shortcomings in OTF’s current process and provide recommendations to improve the breadth of coverage and to derive greater value in the future. Applicable to both OTF and other funding agencies in the Liberation Technology and Civil Society communities, we hope this work inspires more development and more integration between security professionals and project teams. OTF has published this review over on their website where you can take a look.

iOS Secure State Preservation

18 Sep 2013 - Tom Daniels

iOS 6 introduced application state preservation. Its purpose is to hide unexpected application termination from users: when the system terminates a backgrounded app (for example, to free up memory for the foreground application), state preservation lets users return directly to the last point of use within the app, providing as smooth an experience as possible. Note that if the user explicitly kills the app from the app switcher, iOS discards the preserved state rather than restoring it. Preservation is achieved by serializing the state of the app’s view controllers and views when the app is backgrounded and storing that archive on disk.

For a detailed explanation of the preservation and restoration process, refer to Apple’s State Preservation and Restoration Programming Guide.

SecureNSCoder

Developers need to be careful when persisting view state: the serialized archive is written to disk in plaintext (under the app’s Library/Saved Application State directory), so any sensitive application data it contains is exposed to offline recovery by anyone who obtains the device’s filesystem contents. Any data that should remain private therefore needs to be protected before it is written. iSEC created a sample application that implements a more secure process for state preservation and restoration by encrypting objects before they are encoded and written to disk. The goal was to provide developers with a reference for securely implementing state preservation, so they can protect their application data while still providing users with an uninterrupted experience.

The NSCoder subclasses for keyed archiving, NSKeyedArchiver and NSKeyedUnarchiver, define delegate protocols that let an application customize the encoding and decoding process, including substituting the objects to be (de)serialized. With a custom class that implements these delegate protocols, we can serialize each object, encrypt it with a key held in the Keychain, and hand the result back to UIKit for preservation. When the app is relaunched, the data is decrypted and deserialized before the view controller’s state is restored. By implementing the delegate protocols, developers gain fine-grained control over which objects are encrypted, or can simply encrypt all state information.
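As a concrete illustration of that approach, here is an Objective-C sketch written for this page; it is not code from iSEC’s SecureNSCoder project, whose design may differ. Everything named in it is assumed for the example: the Keychain service string kSecureStateService, the SensitiveState marker protocol, the EncryptedBox stand-in class, the SecureStateCoder delegate class, the kSecAttrAccessibleWhenUnlockedThisDeviceOnly protection class for the key, and the choice of AES-256-CBC with an HMAC-SHA256 tag under two independent keys stored as one 64-byte Keychain item.

```objc
// Added example in the spirit of the post, not iSEC's SecureNSCoder code. All names below are assumed;
// construction: AES-256-CBC + HMAC-SHA256 (encrypt-then-MAC) under two independent 32-byte keys.
#import <UIKit/UIKit.h>
#import <CommonCrypto/CommonCrypto.h>
#import <Security/Security.h>
static NSString *const kSecureStateService = @"com.example.securestate";   // assumed Keychain service name
enum { kEncKeyLen = 32, kMacKeyLen = 32, kIVLen = kCCBlockSizeAES128, kTagLen = CC_SHA256_DIGEST_LENGTH };

@protocol SensitiveState <NSCoding> @end   // adopt on state objects that must never reach disk in the clear
@interface EncryptedBox : NSObject <NSCoding>   // preserved in place of each SensitiveState object
@property (nonatomic, strong) NSData *blob;      // iv || ciphertext || tag
@end
@implementation EncryptedBox
- (void)encodeWithCoder:(NSCoder *)c { [c encodeObject:self.blob forKey:@"blob"]; }
- (id)initWithCoder:(NSCoder *)c {
    if ((self = [super init])) _blob = [c decodeObjectOfClass:[NSData class] forKey:@"blob"];
    return self;
}
@end

// 64-byte key from the Keychain, generated on first use; device-bound and readable only while unlocked.
static NSData *SecureStateKey(void) {
    NSMutableDictionary *q = [@{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kSecureStateService, (__bridge id)kSecReturnData: @YES} mutableCopy];
    CFTypeRef found = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)q, &found) == errSecSuccess) return CFBridgingRelease(found);
    NSMutableData *key = [NSMutableData dataWithLength:kEncKeyLen + kMacKeyLen];
    if (SecRandomCopyBytes(kSecRandomDefault, key.length, key.mutableBytes) != 0) return nil;
    [q removeObjectForKey:(__bridge id)kSecReturnData];
    q[(__bridge id)kSecValueData] = key;
    q[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)q, NULL) == errSecSuccess ? key : nil;
}
// Returns iv || AES-CBC(encKey, iv, plain) || HMAC-SHA256(macKey, iv || ciphertext), or nil on failure.
static NSData *Seal(NSData *plain, NSData *key) {
    NSMutableData *out = [NSMutableData dataWithLength:kIVLen + plain.length + kCCBlockSizeAES128];
    uint8_t *iv = out.mutableBytes, tag[kTagLen]; size_t ctLen = 0;
    if (SecRandomCopyBytes(kSecRandomDefault, kIVLen, iv) != 0 ||
        CCCrypt(kCCEncrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding, key.bytes, kEncKeyLen, iv, plain.bytes,
                plain.length, iv + kIVLen, out.length - kIVLen, &ctLen) != kCCSuccess) return nil;
    out.length = kIVLen + ctLen;
    CCHmac(kCCHmacAlgSHA256, (const uint8_t *)key.bytes + kEncKeyLen, kMacKeyLen, out.bytes, out.length, tag);
    [out appendBytes:tag length:kTagLen];
    return out;
}
// Verifies the tag in constant time before decrypting, so a tampered blob is rejected outright.
static NSData *Open(NSData *blob, NSData *key) {
    if (blob.length < kIVLen + kTagLen) return nil;
    const uint8_t *b = blob.bytes; NSUInteger body = blob.length - kTagLen;
    uint8_t tag[kTagLen], diff = 0;
    CCHmac(kCCHmacAlgSHA256, (const uint8_t *)key.bytes + kEncKeyLen, kMacKeyLen, b, body, tag);
    for (NSUInteger i = 0; i < kTagLen; i++) diff |= tag[i] ^ b[body + i];
    if (diff) return nil;
    NSMutableData *plain = [NSMutableData dataWithLength:body]; size_t ptLen = 0;
    if (CCCrypt(kCCDecrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding, key.bytes, kEncKeyLen, b, b + kIVLen,
                body - kIVLen, plain.mutableBytes, plain.length, &ptLen) != kCCSuccess) return nil;
    plain.length = ptLen;
    return plain;
}

@interface SecureStateCoder : NSObject <NSKeyedArchiverDelegate, NSKeyedUnarchiverDelegate>
+ (NSData *)archiveState:(id<NSCoding>)root;   // archive to hand to UIKit's coder; SensitiveState objects are boxed
+ (id)unarchiveState:(NSData *)data;           // nil if the key is unavailable or any box fails verification
@end
@implementation SecureStateCoder { BOOL _failed; }
+ (NSData *)archiveState:(id<NSCoding>)root {
    SecureStateCoder *d = [SecureStateCoder new]; NSMutableData *data = [NSMutableData data];
    NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
    a.delegate = d;                                // every object in the graph visits willEncodeObject:
    [a encodeObject:root forKey:NSKeyedArchiveRootObjectKey];
    [a finishEncoding];
    return d->_failed ? nil : data;
}
+ (id)unarchiveState:(NSData *)data {
    if (!data) return nil;
    SecureStateCoder *d = [SecureStateCoder new];
    NSKeyedUnarchiver *u = [[NSKeyedUnarchiver alloc] initForReadingWithData:data];
    u.delegate = d;
    id root = [u decodeObjectForKey:NSKeyedArchiveRootObjectKey];
    [u finishDecoding];
    return d->_failed ? nil : root;
}
- (id)archiver:(NSKeyedArchiver *)archiver willEncodeObject:(id)object {
    if (![object conformsToProtocol:@protocol(SensitiveState)]) return object;   // non-sensitive: pass through
    NSData *key = SecureStateKey();
    EncryptedBox *box = [EncryptedBox new];   // the nested archive below has no delegate, so boxing happens once
    box.blob = key ? Seal([NSKeyedArchiver archivedDataWithRootObject:object], key) : nil;
    if (!box.blob) _failed = YES;             // fail closed: never fall back to writing the plaintext
    return box;
}
- (id)unarchiver:(NSKeyedUnarchiver *)unarchiver didDecodeObject:(id)object {
    if (![object isKindOfClass:[EncryptedBox class]]) return object;
    NSData *key = SecureStateKey();
    NSData *plain = key ? Open([(EncryptedBox *)object blob], key) : nil;
    if (!plain) { _failed = YES; return object; }
    return [NSKeyedUnarchiver unarchiveObjectWithData:plain];
}
@end
```

In a view controller, encodeRestorableStateWithCoder: would call super and then [coder encodeObject:[SecureStateCoder archiveState:state] forKey:@"state"], and decodeRestorableStateWithCoder: would reverse it with unarchiveState:, treating a nil result as “no saved state” rather than as an error. Two points a reviewer would check: anything the controller writes to UIKit’s coder directly still lands on disk in the clear, so sensitive values must go through the archive (only objects adopting SensitiveState are boxed); and because a blob is authenticated before it is decrypted, a modified or truncated archive is rejected as a whole instead of being handed to NSKeyedUnarchiver, which is the right outcome for data an attacker with filesystem access could have edited.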

Project Page

Check out the project page on GitHub and try out secure state preservation in your apps!