iSEC Partners Final Report

CryptoCat iOS

Page 2 of 35

©2014, iSEC Partners, Inc.

Prepared by iSEC Partners, Inc. for Open Technology Fund. Portions of this document and the templates used in its production are the property of iSEC Partners, Inc. and cannot be copied without permission.

While precautions have been taken in the preparation of this document, iSEC Partners, Inc, the publisher, and the author(s) assume no responsibility for errors, omissions, or for damages resulting from the use of the information contained herein. Use of iSEC Partners services does not guarantee the security of a system, or that computer intrusions will not occur.

February 7, 2014

Open Technology Fund

Version 1.1

Document Change Log

Version | Date | Change
0.9 | 2014-02-07 | Document ready for readout
1.0 | 2014-02-07 | Bump to 1.0 following readout
1.1 | 2014-03-14 | Clarifications regarding iOS application not being distributed in App Store during testing

Table of Contents

1 Executive Summary
  1.1 iSEC Risk Summary
  1.2 Project Summary
  1.3 Findings Summary
  1.4 Recommendations Summary
2 Engagement Structure
  2.1 Internal and External Teams
3 Detailed Findings
  3.1 Classifications
  3.2 Vulnerabilities
  3.3 Detailed Vulnerability List — iOS Client
  3.4 Detailed Vulnerability List — Other Components
Appendices
A XMPP StartTLS stripping
  A.1 Screenshot
  A.2 Python script
B Invisible Chat Room Member

1 Executive Summary

Application Summary

Application Name: CryptoCat
Application Type: iOS application
Platform: iOS

Engagement Summary

Dates: January 27, 2014 – February 7, 2014
Consultants Engaged: 3
Total Engagement Effort: 3 person weeks
Engagement Type: Application Penetration Test
Testing Methodology: White Box

Vulnerability Summary

Total High severity issues: 6
Total Medium severity issues: 6
Total Low severity issues: 3
Total Informational severity issues: 2
Total vulnerabilities identified: 17

See section 3.1 on page 12 for descriptions of these classifications.

Category Breakdown:

Category | Count
Access Controls | 0
Auditing and Logging | 0
Authentication | 3
Configuration | 2
Cryptography | 1
Data Exposure | 8
Data Validation | 0
Denial of Service | 1
Error Reporting | 0
Patching | 2
Session Management | 0
Timing | 0

1.1 iSEC Risk Summary

The iSEC Partners Risk Summary chart evaluates discovered vulnerabilities according to estimated user risk. The impact of the vulnerability increases towards the bottom of the chart. The sophistication required for an attacker to find and exploit the flaw decreases towards the left of the chart. The closer a vulnerability is to the chart origin, the greater the risk to the user.

[Chart: iSEC Risk Summary. Axes: Attack Sophistication (Simple, Difficult) and User Risk (High, Low). Findings plotted on the chart:]

- iOS client - Public key data logged locally
- iOS client - Autocorrection leaks information to disk
- iOS client - Crashes triggered by malformed multi-party messages
- iOS client - HMAC validation timing attack
- iOS client - Information leaking from iOS screenshots
- Weak SSL/TLS versions and cipher suites supported by XMPP service
- Browser clients - Chat room eavesdropping using a regular XMPP client
- iOS client - Lack of return value checking for sensitive function calls
- CryptoCat chat rooms log encrypted messages and can be made persistent
- Browser clients - Misleading security UI for SMP identity checking
- iOS client - Private messages are logged in plaintext
- iOS client - Private key stored in plaintext on local storage
- iOS client - XMPP connection vulnerable to StartTLS stripping
- CryptoCat OTR implementation vulnerable to man-in-the-middle attacks
- CryptoCat's security model relies on unrealistic user requirements

1.2 Project Summary

The Open Technology Fund (OTF) engaged iSEC Partners to perform a source-code assisted security review of the CryptoCat iOS application. A total of three consultants worked on the project between January 27th and February 7th, 2014 for a total of three person-weeks of work. This security analysis was structured as "best effort" within the given time frame.

The goal of this engagement was to review the CryptoCat iOS application with a focus on misuse of common iOS APIs, flaws in implementation of cryptographic protocols, and remotely exploitable vulnerabilities that could impact the confidentiality or integrity of CryptoCat chat sessions.

The iSEC team performed the testing of the iOS client using both the iOS simulator and physical iDevices. iSEC also used CryptoCat browser clients and a third-party XMPP/OTR client [1] to review cross-platform interactions within a CryptoCat chat room.

Items that were out of scope for this engagement include:

- A review of the multi-party cryptographic protocol.
- The CryptoCat browser, desktop and Android clients.

Addendum (3/15/14): The iOS application was in-development code that at time of testing was available only in a pre-production form on GitHub and not distributed via the App Store. The CryptoCat team had time to review the vulnerabilities prior to publication in the App Store and claims to have addressed them; however, iSEC has not validated any fixes and cannot make any claims to the current status of any vulnerabilities.

While not in scope for the engagement, iSEC also identified vulnerabilities that pertain to the released and deployed browser extension and server configuration. These issues were found while testing the iOS client's integration with other CryptoCat components.

[1] iSEC used the Adium chat client - https://adium.im/

1.3 Findings Summary

CryptoCat's goal of providing a messaging system that is both easy-to-use and secure is important and challenging. The issues identified in this report demonstrate several instances in which the design and implementation of CryptoCat fail to meet this goal. In fact, due to vulnerabilities identified, the practical security of CryptoCat on all platforms, at time of review, is currently equivalent to a standard XMPP client without OTR and falls short of the security provided by an XMPP client with OTR.

CryptoCat Design Flaws

The most serious problems affecting CryptoCat are design issues that diminish the security of all CryptoCat communications.

CryptoCat's OTR implementation on all platforms allows a chat peer to change their OTR key during a chat session without user notification. An attacker performing a man-in-the-middle attack against the client's XMPP or HTTPS stream can inject their own OTR key in the discussion after a user has authenticated their peer's OTR fingerprint. This permits the attacker to decrypt all messages that follow, and no user would have reason to suspect the compromise. Group multi-party discussions do not seem to suffer from the same vulnerability.

Another issue is that the security of users' communications relies solely on manual verification of peers' key fingerprints through a secure channel. Furthermore, CryptoCat clients generate new encryption keys on every chat session, placing the burden of repeated authentication tasks on users. iSEC believes this is not a practical security model - requiring users to establish secure channels in order to verify each individual chat session negates the promise of CryptoCat. After all, there is no need for CryptoCat if one must first communicate securely in order to use it with confidence.

iOS-Specific Vulnerabilities

As the focus of this engagement was the CryptoCat iOS client, the iSEC team spent most of its time reviewing this application and discovered several vulnerabilities.

The iOS client's XMPP implementation allows an attacker to force the client to communicate over plaintext XMPP instead of SSL/TLS, resulting in all XMPP traffic being vulnerable to man-in-the-middle attacks. Exploiting this flaw together with CryptoCat's vulnerable OTR implementation allows an attacker to decrypt all OTR messages sent or received by the iOS App.

The iSEC team also identified multiple instances of sensitive data being leaked by the iOS App to the device's logs or file system, including OTR messages and the user's private key; such files can be retrieved by an attacker with physical access to the device.

Issues Affecting Other Components

iSEC discovered issues affecting other CryptoCat components including the browser extensions and CryptoCat's XMPP server. These issues, found while testing the iOS client and its integration with the other CryptoCat components, allow an attacker to collect encrypted logs of group messages exchanged within a CryptoCat chat room using various techniques.

1.4 Recommendations Summary

This summary provides high-level recommendations designed to address the most pressing issues affecting CryptoCat. Individual recommendations described in Section 3.3 on page 15 of this report should be reviewed and implemented in order to address every vulnerability described in this report.

CryptoCat faces several challenges if it is to provide a truly secure messaging platform. Implementation flaws are relatively easy to fix, but addressing limitations in the design of CryptoCat requires significant changes to its cryptographic protocols. The largest challenge is creating a user experience that is both simple and secure - a goal so daunting few developers fully embrace it.

Short Term

Short term recommendations are meant to be relatively easily executed actions, such as configuration changes or file deletions that resolve security vulnerabilities. These may also include more difficult actions that should be taken immediately to resolve high-risk vulnerabilities. This area is a summary of short term recommendations; additional recommendations can be found in the vulnerabilities section.

- Enforce the usage of StartTLS for all XMPP connections on iOS. The CryptoCat iOS application should terminate any XMPP connection to a server that does not advertise support for StartTLS.

- Prevent information leakage on iOS. The CryptoCat iOS application leaks sensitive data such as the user's private key through various mechanisms including debug logs and application backgrounding. To prevent this data from being exposed, recommendations described in this document should be implemented.

- Provide users with instructions on how to check fingerprints. Upon installing a CryptoCat client, users should be prompted with guidelines on how to properly check their peers' fingerprints in order to establish a secure chat session.

- Only accept a single OTR key exchange per contact. To prevent man-in-the-middle attacks, CryptoCat clients should reject OTR key exchanges triggered after the peer already supplied their OTR public key during a chat session.

- Harden the XMPP server's configuration. Disable chat room history logging and persistent rooms; improve the server's SSL/TLS configuration by disabling weak cryptographic ciphers.

Long Term

Long term recommendations are more complex and systematic changes that should be taken to secure the system. These may include significant changes to the architecture or code and may therefore require in-depth planning, complex testing, significant development time, or changes to the user experience that require retraining.

- Review the CryptoCat Android application. Issues described in this document and affecting the iOS client should be verified on the Android client.

- Re-architect the CryptoCat clients to use long-lived cryptographic keys and a Trust on First Use security model. Consider relying on a security model similar to that used by SSH. Specifically, store the user's cryptographic keys and their contacts' nickname and fingerprints pairs in the client. Notify the user when they need to make a trust decision on first use and display an error to the user if a peer's fingerprint changes.
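The "single OTR key exchange per contact" rule from the short term list and the Trust on First Use model described above, combined in one added Python example (not code from the report or from the CryptoCat project). The class names, the JSON pin file and the SHA-256 fingerprint format are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import tempfile
from enum import Enum
from pathlib import Path


class Verdict(Enum):
    FIRST_USE = "first-use"       # unknown contact: the user must make a trust decision
    MATCH = "match"               # same fingerprint as the one trusted earlier
    CHANGED = "changed"           # fingerprint differs from the stored one: show an error
    REKEY_REJECTED = "rekey"      # second key exchange inside one chat session


def fingerprint(public_key: bytes) -> str:
    # Assumption: SHA-256 over the encoded public key, hex-encoded.
    return hashlib.sha256(public_key).hexdigest()


class TrustStore:
    """Long-lived nickname -> fingerprint pairs, persisted between sessions."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def trust(self, nickname: str, fp: str) -> None:
        # Call only after the user has accepted the fingerprint.
        self.pins[nickname] = fp
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def lookup(self, nickname: str):
        return self.pins.get(nickname)


class ChatSession:
    """Tracks which peers have already supplied a key in this session."""

    def __init__(self, store: TrustStore):
        self.store = store
        self.session_keys = {}

    def on_key_exchange(self, nickname: str, public_key: bytes) -> Verdict:
        # Short term rule: once a peer has supplied a key, later exchanges
        # in the same session are refused, whatever key they carry.
        if nickname in self.session_keys:
            return Verdict.REKEY_REJECTED
        fp = fingerprint(public_key)
        pinned = self.store.lookup(nickname)
        if pinned is None:
            verdict = Verdict.FIRST_USE
        elif hmac.compare_digest(pinned, fp):
            verdict = Verdict.MATCH
        else:
            return Verdict.CHANGED    # the mismatching key is never recorded
        self.session_keys[nickname] = fp
        return verdict


if __name__ == "__main__":
    store = TrustStore(Path(tempfile.mkdtemp()) / "pins.json")
    alice_key = b"constructed public key bytes for alice"
    first = ChatSession(store)
    print(first.on_key_exchange("alice", alice_key))         # FIRST_USE
    store.trust("alice", fingerprint(alice_key))              # user accepted
    print(first.on_key_exchange("alice", b"injected key"))    # REKEY_REJECTED
    print(ChatSession(store).on_key_exchange("alice", b"injected key"))  # CHANGED
```

On FIRST_USE the caller is expected to prompt the user and call `trust()` before any message is encrypted to that key.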

2 Engagement Structure

2.1 Internal and External Teams

The iSEC team has the following primary members:

- Alban Diquet — Security Engineer
  alban@
- David Thiel — Security Engineer
  david@
- Scott Stender — Security Engineer
  scott@
- Aaron Grattafiori — Account Manager
  aaron@
- Tom Ritter — Account Manager
  tritter@

The Open Technology Fund team has the following primary members:

- Dan Meredith — Open Technology Fund
  meredithd@

The CryptoCat team has the following primary members:

- Nadim Kobeissi — CryptoCat Project
  nadim@crypto.cat

3 Detailed Findings

3.1 Classifications

The following section describes the classes, severities, and exploitation difficulty rating assigned to each identified issue by iSEC.

Vulnerability Classes

Class | Description
Access Controls | Related to authorization of users, and assessment of rights
Auditing and Logging | Related to auditing of actions, or logging of problems
Authentication | Related to the identification of users
Configuration | Related to security configurations of servers, devices, or software
Cryptography | Related to mathematical protections for data
Data Exposure | Related to unintended exposure of sensitive information
Data Validation | Related to improper reliance on the structure or values of data
Denial of Service | Related to causing system failure
Error Reporting | Related to the reporting of error conditions in a secure fashion
Patching | Related to keeping software up to date
Session Management | Related to the identification of authenticated users
Timing | Related to the race conditions, locking, or order of operations

Severity Categories

Severity | Description
Informational | The issue does not pose an immediate risk, but is relevant to security best practices or Defense in Depth
Undetermined | The extent of the risk was not determined during this engagement
Low | The risk is relatively small, or is not a risk the customer has indicated is important
Medium | Individual user's information is at risk, exploitation would be bad for client's reputation, of moderate financial impact, possible legal implications for client
High | Large numbers of users, very bad for client's reputation or serious legal implications.

Difficulty Levels

Difficulty | Description
Undetermined | The difficulty of exploit was not determined during this engagement
Low | Commonly exploited, public tools exist or can be scripted that exploit this flaw
Medium | Attackers must write an exploit, or need an in depth knowledge of a complex system
High | The attacker must have privileged insider access to the system, may need to know extremely complex technical details or must discover other weaknesses in order to exploit this issue

3.2 Vulnerabilities

The following table is a summary of iSEC's identified vulnerabilities. Subsequent pages of this report detail each of the vulnerabilities, along with short and long term remediation advice.

CryptoCat iOS

Addendum (3/15/14): The iOS application was in-development code that at time of testing was available only in a pre-production form on GitHub and not distributed via the App Store. The CryptoCat team had time to review the vulnerabilities prior to publication in the App Store and claims to have addressed them; however, iSEC has not validated any fixes and cannot make any claims to the current status of any vulnerabilities.

Vulnerability | Class | Severity
1. XMPP connection vulnerable to StartTLS stripping | Data Exposure | High
2. Private messages are logged in plaintext | Data Exposure | High
3. Private key stored in plaintext on local storage | Data Exposure | High
4. Information leaking from iOS screenshots | Data Exposure | Medium
5. Lack of return value checking for sensitive function calls | Configuration | Medium
6. HMAC validation timing attack | Cryptography | Medium
7. Crashes triggered by malformed multi-party messages | Denial of Service | Low
8. Public key data logged locally | Data Exposure | Low
9. Autocorrection leaks information to disk | Data Exposure | Low
10. Precompiled OpenSSL binaries in TBMultipartyProtocolManager | Patching | Informational
11. Outdated curve25519-donna implementation | Patching | Informational

Other CryptoCat Components

Vulnerability | Class | Severity
12. CryptoCat's security model relies on unrealistic user requirements | Authentication | High
13. CryptoCat OTR implementation vulnerable to man-in-the-middle attacks | Authentication | High
14. Browser clients — Misleading security UI for SMP identity checking | Authentication | High
15. CryptoCat chat rooms log encrypted messages and can be made persistent | Data Exposure | Medium
16. Browser clients — Chat room eavesdropping using a regular XMPP client | Data Exposure | Medium
17. Weak SSL/TLS versions and cipher suites supported by XMPP service | Configuration | Medium

3.3 Detailed Vulnerability List — iOS Client

1. XMPP connection vulnerable to StartTLS stripping

Class: Data Exposure | Severity: High | Difficulty: Medium

FINDING ID: iSEC-RFACC0114-5

TARGETS: The CryptoCat iOS application, as tested between Jan 27 and Feb 7.

DESCRIPTION: When connecting to the XMPP server at crypto.cat:5222, the iOS client does not require StartTLS to be used to encrypt the XMPP stream using SSL/TLS.

Specifically, during the initial XMPP handshake, the server advertises StartTLS within its list of supported Jabber features and the iOS client performs a StartTLS handshake with the server. Subsequent XMPP traffic is then encrypted using SSL/TLS. However, if the server does not advertise support for StartTLS, the iOS client will continue communicating with the server over plaintext XMPP. Consequently, an attacker on the network can modify the initial XMPP handshake to remove StartTLS from the server's advertised features, in order to prevent the iOS client from switching to SSL/TLS. Doing so will result in the client sending subsequent XMPP messages such as encrypted multi-party messages in plaintext, thereby disclosing them to the attacker.

Additionally, while the server at crypto.cat:5222 requires clients to use StartTLS and will close any XMPP stream that does not switch to SSL/TLS, an attacker could still perform the man-in-the-middle attack described above; after preventing the client from using StartTLS, the attacker's script could perform the StartTLS handshake with the server and forward the client's unencrypted traffic to the server over SSL/TLS.

As a proof of concept, a Python script to perform the full attack is available in Appendix A on page 32.

EXPLOIT SCENARIO: An attacker compromised the public WiFi access point at a popular coffee shop. A CryptoCat user connects their iOS device to the access point to get Internet connectivity and then launches the CryptoCat application to join a chat room. The attacker uses a script to strip StartTLS and impersonate the XMPP server to the victim's CryptoCat client, in order to man-in-the-middle the XMPP traffic. The attacker then performs a man-in-the-middle attack against the multi-party protocol key exchange by swapping the victim's public key with the attacker's public keys. The chat participants forget to validate the fingerprints using a side channel and start chatting, thereby allowing the attacker to decrypt all messages exchanged.

SHORT TERM SOLUTION: Modify the code within the iOS client responsible for XMPP connections in order to have it enforce the usage of StartTLS for all connections. The client should terminate any XMPP connection to a server that does not advertise support for StartTLS.

LONG TERM SOLUTION: For XMPP connections to the default CryptoCat XMPP server hosted at crypto.cat:5222, implement certificate pinning within the iOS client to validate the server's SSL certificate during the StartTLS handshake. This can be achieved by embedding the server's SSL certificate in the iOS client and comparing it against the SSL certificate sent by the server upon connection.
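The short term and long term solutions for finding 1, sketched as client-side checks. This is an added example in Python, not code from the report or from the CryptoCat project; the function names, the sample stanzas and the placeholder certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


class InsecureStreamError(Exception):
    """The connection must be terminated instead of continuing in plaintext."""


def _parse(stanza: str) -> ET.Element:
    # XMPP streams never carry DTDs or entity declarations; refuse them outright.
    if "<!DOCTYPE" in stanza or "<!ENTITY" in stanza:
        raise InsecureStreamError("restricted XML in stream")
    try:
        return ET.fromstring(stanza)
    except ET.ParseError as exc:
        raise InsecureStreamError(f"malformed stanza: {exc}") from exc


def client_next_step(features_xml: str) -> str:
    """Short term fix: continue only if the server advertises StartTLS."""
    root = _parse(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise InsecureStreamError("expected stream:features")
    if root.find(f"{{{NS_TLS}}}starttls") is None:
        # A missing <starttls/> is fatal, never permission to send SASL
        # or chat traffic over the plaintext stream.
        raise InsecureStreamError("StartTLS not advertised; closing connection")
    return f'<starttls xmlns="{NS_TLS}"/>'


def require_proceed(reply_xml: str) -> None:
    """Only <proceed/> lets the client start the TLS handshake."""
    if _parse(reply_xml).tag != f"{{{NS_TLS}}}proceed":
        raise InsecureStreamError("StartTLS refused; closing connection")


def check_pinned_certificate(peer_der: bytes, embedded_der: bytes) -> None:
    """Long term fix: the certificate sent by the server must equal the embedded one."""
    seen = hashlib.sha256(peer_der).digest()
    pinned = hashlib.sha256(embedded_der).digest()
    if not hmac.compare_digest(seen, pinned):
        raise InsecureStreamError("certificate does not match embedded pin")


def is_rejected(check, *args) -> bool:
    """Helper for the demo: True when a check aborts the connection."""
    try:
        check(*args)
    except InsecureStreamError:
        return True
    return False


# Constructed sample stanzas (namespace declared inline so they parse alone).
FEATURES_OK = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
    "</stream:features>"
)
FEATURES_NO_TLS = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
    "</stream:features>"
)
EMBEDDED_CERT = b"constructed placeholder for the embedded DER certificate"

if __name__ == "__main__":
    print(client_next_step(FEATURES_OK))
    print("no StartTLS rejected:", is_rejected(client_next_step, FEATURES_NO_TLS))
    print("wrong cert rejected:",
          is_rejected(check_pinned_certificate, b"other", EMBEDDED_CERT))
```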

2. Private messages are logged in plaintext

Class: Data Exposure | Severity: High | Difficulty: Medium

FINDING ID: iSEC-RFACC0114-1

TARGETS: The encodeMessage method in TBOTRManager.m, as tested between Jan 27 and Feb 7.

DESCRIPTION: The iOS application logs the encrypted and unencrypted contents of direct messages, along with the usernames of those sending them, to the Apple System Log. This can expose the information to a malicious third-party application or a physical attacker.

Listing 1: TBOTRManager/TBOTRManager.m

    NSString *newMessage = @"";
    if (newMessageC) {
        newMessage = [NSString stringWithUTF8String:newMessageC];
    }
    otrl_message_free(newMessageC);

    // Both the plaintext and the ciphertext are written to the system log.
    NSLog(@"-- org message : %@", message);
    NSLog(@"-- encrypted message : %@", newMessage);

    completionBlock(newMessage);
    }];

Resulting log output:

    2014-01-28 13:19:48.664 Cryptocat[27655:70b] !!! executing the completion block, (1) pending
    2014-01-28 13:19:48.664 Cryptocat[27655:70b] -- will encode message from testisec4@conference.crypto.cat/fakedavid to testisec4@conference.crypto.cat/simu
    2014-01-28 13:19:48.665 Cryptocat[27655:70b] policy_cb
    2014-01-28 13:19:48.665 Cryptocat[27655:70b] convert_data_cb
    2014-01-28 13:19:48.665 Cryptocat[27655:70b] -- org message : I hope nobody reads my secret message!
    2014-01-28 13:19:48.666 Cryptocat[27655:70b] -- encrypted message :
    ?OTR:AAMD/Wku/
    Ks2Ls0AAAAAAQAAAAEAAADAhfttytd4iXxc7BRfacEajOMLLNEssNstEaj7g9vMVYCVzKvpcfS9K9Ub8kaggIsXBTZ9fhZHQ3tgWOsQOjtotoCGRrpo
    /ByZGSiEfye0NGrLwAsVesV0AYPAr8JtzoB5xXanVU6FHyQ+qAVUKSsHhy70+X9iGgBZU+KUqrlFLwVN73mcRp9q4HIy+huiNEXnCgJBHnXRhWpFVc7cOglioz+Z8InpAvQGZqzOQ/jJcGP5zaL8l1gUgvPcuexJGF+5AAAAAAAAAAIAAAAn3SMntmZaPzlKFs5+kkpz2skCy5gpq6vNkfr6Fvdi1qSowaicEYKKUpphJfte+DsNax/rwlF1JRP4FaYAAAAA.

EXPLOIT SCENARIO: A malicious application on a device running iOS 6 directly reads user messages out of the Apple System Log, constituting a breach of confidentiality. On iOS 7, a similar attack is possible but currently would require physical possession of the device or that the device be jailbroken.

SHORT TERM SOLUTION: Use a define to enable NSLog statements for development and debugging, and disable these before shipping the software. This can be done by putting the following code into the appropriate PREFIX_HEADER (*.pch) file:

    #ifdef DEBUG
    #   define NSLog(...) NSLog(__VA_ARGS__)
    #else
    #   define NSLog(...)
    #endif

LONG TERM SOLUTION: Consider using breakpoint actions [2] to do logging; these can be more convenient in some circumstances, and do not result in data being written to the system log when deployed.

[2] /questions/558568/how-do-i-debug-with-nsloginside-of-the-iphone-simulator

FINDING ID: iSEC-RFACC0114-2

TARGETS: The CryptoCat iOS application, as tested between Jan 27 and Feb 7.

DESCRIPTION: Upon receiving a request for generation of an OTR private key, the application calculates the key and writes it to the local file system in plaintext. This allows for recovery of the key from the device itself, as well as from device backups on the desktop and from Apple's iCloud service (as all contents of the Documents folder are synced to iCloud).

Listing 2: TBOTRManager/TBOTRManager.m

Listing 3: Logs from the application upon generating the private key

    2014-01-28 13:11:07.168 Cryptocat[27655:1303] !!! will generate the private key on bg thread
    2014-01-28 13:11:10.698 Cryptocat[27655:1303] !!! private key calculated
    2014-01-28 13:11:10.699 Cryptocat[27655:70b] !!! private key path: /Users/dthiel/Library/Application Support/iPhone Simulator/7.0/Applications/300D6DAB-9120-4C14-8C3B-7B53352B4743/Documents/private-key
    2014-01-28 13:11:10.700 Cryptocat[27655:70b] !!! finishing the private key generation on main thread

EXPLOIT SCENARIO: A government compels Apple to disclose some or all CryptoCat private keys stored on their iCloud service, using these keys to decrypt past communications. Alternatively, law enforcement forensically analyzes the device itself to extract the key.

SHORT TERM SOLUTION: Store this private key in the Keychain, with accessibility attributes that prevent
