
Thursday, 6 August 2015

Insecure Local Data Storage iOS


iGoat


iGoat is a deliberately vulnerable iOS application that lets developers and testers learn about the security issues commonly found in iOS apps. If you want to find out more about the project you can click on this link.

Setup


In order to run this application in the iOS Simulator you will need Xcode, installed from the Mac App Store. Next, download the latest version of iGoat here. Open the project file iGoat.xcodeproj in Xcode; when you build and run the application the simulator should appear on screen with iGoat loaded.

Optional: inside the iGoat folder there is a Ruby server, igoat_server.rb. It is not needed for this tutorial, but it will be needed later on. It depends on a couple of Ruby gems, which can be installed with 'sudo gem install sinatra json'. To start the server, run the command below.




Insecure Data Storage 


Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem, and therefore to the sensitive information held in data stores on the device. In practice the filesystem is easily accessible, and organisations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a device removes the sandbox isolation that normally keeps other processes out of an app's files, and the iOS Data Protection classes only protect a file while the device is locked (and only if the app opted into a suitable class); on a simulator the app container is simply a directory on the Mac with no protection at all. When data is not protected properly, ordinary tools such as a SQLite client are all that is needed to view application data.

In the iGoat application we will recover sensitive data that the app stores locally on the device. In the simulator navigate to Data Protection (Rest) > Local Data Storage.


Once you click on the 'Start' link you will see a login page similar to the one below. Enter any username and password pair and log in; iGoat stores what you entered.


Now we can try to view the insecure data. Finding the correct directory can be tricky when using a simulator, because every simulated device lives in its own UUID-named directory. First you need to locate your device; an easy way to do this is to open Finder, choose Go to Folder and enter the path below.


Then sort the directory by Date Modified: the most recently modified entry is the device the simulator is currently running.




Once inside the device directory, navigate to Containers/Data/Application/<UUID>/, where <UUID> is the application's own container identifier (if several apps are installed, sort by Date Modified again to find iGoat). Inside its Documents directory you will see a SQLite file called credentials.sqlite. Run sqlite3 credentials.sqlite to open the database file in the sqlite3 interpreter.

To list the tables type '.tables'; you will see a table called creds. Dump everything in it with 'select * from creds;' and the username and password you entered appear in clear text.




Recommendations 


It is important for developers to note that data stored in SQLite files is saved unencrypted in the application sandbox on the device, so anyone who can read the container can read the data. For databases consider SQLCipher for SQLite encryption; the key then has to be managed properly, for example kept in the Keychain rather than hard-coded in the app or stored next to the database. Better still, avoid persisting credentials in a database at all: iOS provides the Keychain for exactly that purpose.
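The following script is an added example and is not code from the original post or from the iGoat project. It does in code what the Local Data Storage walkthrough above does by hand with the sqlite3 interpreter ('.tables' followed by 'select * from creds;'), and adds the check behind the SQLCipher recommendation: every unencrypted SQLite 3 file begins with the 16-byte header "SQLite format 3" plus a NUL byte, whereas SQLCipher encrypts the whole file, first page included, so an encrypted store carries no such header and plain sqlite3 refuses to read it without the key (unless the app deliberately leaves a plaintext header with cipher_plaintext_header_size). The sandbox tree it scans is constructed inside the script: a real plaintext credentials.sqlite with a creds table, plus a file of fixed junk bytes standing in for a SQLCipher database. The function and file names are the author's own choices; point audit_sandbox at a real Containers/Data/Application/<UUID>/ directory to use it on a simulator or a jailbroken device.

```python
"""Find SQLite stores in an app sandbox, dump the plaintext ones, flag the rest.

Added example, not from the original post or the iGoat project. Paths, function
names and the sample data are assumptions made for illustration.
"""
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # header of every unencrypted SQLite 3 file
DB_SUFFIXES = (".sqlite", ".sqlite3", ".db")
# Constructed container layout mirroring Containers/Data/Application/<UUID>/Documents
DOCS_REL = os.path.join("Containers", "Data", "Application",
                        "00000000-0000-0000-0000-000000000000", "Documents")


def read_header(path):
    """First 16 bytes of the file; compared against SQLITE_MAGIC."""
    with open(path, "rb") as f:
        return f.read(16)


def dump_database(path):
    """Open read-only, list the user tables and fetch every row of each.

    Returns {table: (column_names, rows)}. Raises sqlite3.DatabaseError when the
    file is encrypted or not a database, which the sqlite3 CLI reports as
    "file is not a database".
    """
    uri = pathlib.Path(os.path.abspath(path)).as_uri() + "?mode=ro"  # never modify evidence
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        result = {}
        for table in tables:
            # Names come from sqlite_master, not user input; quote them anyway.
            cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            result[table] = ([d[0] for d in cur.description], cur.fetchall())
        return result
    finally:
        conn.close()


def audit_sandbox(root):
    """Walk an app container and classify every data store found.

    Returns {relative_path: ("plaintext", dump)} for readable SQLite files and
    {relative_path: ("opaque", error)} for files named like databases that carry
    no SQLite header, i.e. SQLCipher-encrypted (or not a database at all).
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if read_header(path) == SQLITE_MAGIC:
                report[rel] = ("plaintext", dump_database(path))
            elif name.lower().endswith(DB_SUFFIXES):
                # Database by name but no header: confirm plain sqlite3 cannot read it.
                try:
                    dump_database(path)
                    report[rel] = ("unexpected", "readable despite missing header")
                except sqlite3.DatabaseError as exc:
                    report[rel] = ("opaque", str(exc))
    return report


def build_sample_sandbox(base):
    """Constructed stand-in for the iGoat container after the login exercise."""
    docs = os.path.join(base, DOCS_REL)
    os.makedirs(docs)
    conn = sqlite3.connect(os.path.join(docs, "credentials.sqlite"))
    conn.execute("CREATE TABLE creds (username TEXT, password TEXT)")
    conn.execute("INSERT INTO creds VALUES (?, ?)", ("alice", "Winter2015!"))
    conn.commit()
    conn.close()
    # Stand-in for a SQLCipher file: fixed junk bytes, no SQLite header.
    with open(os.path.join(docs, "encrypted.sqlite"), "wb") as f:
        f.write(bytes(range(256)) * 16)
    return base


def demo():
    """Build the constructed sandbox, audit it and return the report."""
    report = audit_sandbox(build_sample_sandbox(tempfile.mkdtemp()))
    for rel, (verdict, detail) in sorted(report.items()):
        print(rel, verdict, detail)
    return report


if __name__ == "__main__":
    demo()
```

Running it prints the creds row from credentials.sqlite in the clear and reports encrypted.sqlite as opaque with sqlite3's "file is not a database" error, which is the outcome a SQLCipher-protected store should produce when an attacker reaches the container without the key.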

References: https://www.owasp.org/index.php/Mobile_Top_10_2014-M2





