Insecure Data storage Analysis of iOS Applications

All Blog

One might think that we are done with the static analysis of the application, but it is not so. We still need to look further into some more controls for static analysis.

Insecure Data Storage in NSUserDefaults

Unencrypted sensitive data in NSUserDefaults is not secure as it can be read and modified by specially crafted attacks. Objects of NSUserDefaults class can be checked by opening the

file <Bundle_Identifier>.plist

in Library/Preferences directory if NSUserDefaults are stored as preferences.

Screenshot 2020 05 15 at 6.46.32 PM
certcube-nsuserDefaults

It can be observed that the Facebook application does not store NSUserDefaults in the Preferences directory.

By using cycript, standard user defaults object can be dumped as shown in the screenshot.

Screenshot 2020 05 15 at 6.30.56 PM
certcube:cycript1

Insecure Data Storage in NSHTTPCookie

It is dangerous for an application to store sensitive data in NSHTTPCookie. This is because objects of this class are immutable which means that even if they are deleted or overwritten, they will continue to persist in memory. They are stored in the Local Data Storage in binary form. They can be dumped using Objective C or Swift functions. Cookies are sent in the request headers in the application traffic. To check the same using cycript, follow the steps shown in the screenshot.

Screenshot 2020 05 15 at 6.32.43 PM
certcube : cycript

Pasteboard Leaking Sensitive Information

Pasteboard or clipboard in iOS is shared by all the applications and hence might be accessed by any application. A malicious application can monitor pasteboard of the device using the Objective C or Swift functions. Hence, pasteboard must be disabled on sensitive fields. For checking purpose, we can long press on sensitive fields and check if we get a copy option.

Screenshot 2020 05 15 at 6.35.14 PM

Insecure Data Storage in Keychain

Keychain in iOS is a password and certificate management tool. It is used to store store items that the user needs but may not be aware of. It is a common storage for all wifi passwords as well as application data. All these items are stored in an encrypted database whose path is ‘/var/Keychains/keychain-2.db’. But now, there are many open source tools that can dump the iOS keychain in plain text. Keychain Dumper and Keychain editor are a few of them. Keychain Dumper can be downloaded from https://github.com/ptoomey3/Keychain-Dumper.

This tool is used to dump the keychain of the whole device and then application’s keychain data can be filtered out accordingly.

Screenshot 2020 05 15 at 6.53.30 PM
Certcube : keychain
Screenshot 2020 05 15 at 6.53.38 PM
certcube :keychain

Sensitive Information Leakage through Application Logs

An iOS application may use logging feature in order to make its debugging easier. NSLog in Objective-C and print/println in Swift may print information to application logs at the time of crash or any other event. Production-ready applications should make sure that no sensitive information is being logged into the application’s logs. Logs can be dumped as shown in the following screenshots.

Screenshot 2020 05 15 at 7.04.45 PM
Certcube : logs

Response Caching

By default, many iOS application frameworks enable response caching. This can lead to sensitive information disclosure as the server’s responses might contain victim’s sensitive information in clear text. Responses may be found cached in database file or in a binary file in the Library/Caches directory. We can read database files using any DB browser as shown in the screenshot.

Screenshot 2020 05 15 at 7.11.15 PM
certcube : curl_cache_Respnse importent

Sensitive Information Leakage Via Application Background Snapshot

Every iOS application captures a screenshot by default when it moves to the background. That screenshot might contain the victim’s sensitive information. In iOS, the screenshot gets saved in ‘Library/Caches/Snapshots/<Bundle_Identifier>’ directory.

Check your application folder if your application stores it means its a bug

Leave a Reply

Your email address will not be published. Required fields are marked *