Sorry, I was commenting on the possibility of 'drive-by' data theft. A passcode is sufficient to prevent 'drive-by' data theft from plugging a phone into a public charging station or PC. Putting a phone into DFU mode isn't something someone would do while charging their phone, I would hope.

One caveat: If you unlock your phone while charging, there would be enough of a window to grab these files, I think (I haven't tested this, though).
 
So don't jailbreak your phone and don't plug it in to random computers. Problem solved!

- It does not require your device to be jailbroken. iExplorer (and similar programs) allows for viewing/modification of many files under the iOS "mobile" account (not root).

- I believe having a passcode lock will protect against this. iOS keeps things encrypted. That's why methods to bypass the lock screen (like the iPad 2 smartcover trick) resulted in the inability to launch programs or load emails.

- The DFU exploit to get the unlock code for your device (demonstrated on a YouTube video) only works on pre-A5 devices (it uses the limera1n exploit). iPhone 4S, iPad 2, and iPad (3rd generation) are immune.

Basically, get yourself a nice A5+ device and keep a passcode on it. :)
 
That's not entirely accurate. MOST of the files on the iPhone are still only encrypted with a key that is accessible to anyone with physical access to your phone. The *other* key you're thinking of (the one that goes with your passcode if you have one set) only currently encrypts emails, plus any files that an app developer WANTS encrypted. FB probably does not bother using that API. This is all still true as of iOS 5.1.

Therefore, until Apple gets around to encrypting ALL user files with the passcode and not just the accessible device key, you are vulnerable just by losing your phone.

And to those who would argue "just don't lose your phone": things like encryption are supposed to protect against the lost phone scenario. If physical access automatically gets around encryption, I fail to see the point of the encryption.

Remote wiping protects against the lost phone scenario too.
 
- The DFU exploit to get the unlock code for your device (demonstrated on a YouTube video) only works on pre-A5 devices (it uses the limera1n exploit). iPhone 4S, iPad 2, and iPad (3rd generation) are immune.

Basically, get yourself a nice A5+ device and keep a passcode on it. :)

This isn't true. There are other workarounds for A5 and later devices. Passcode all you want, it won't protect you although it will help for the general user.
 
This is exactly why I refuse to have the FB app on my phone and I NEVER log into apps using my FB account. Turns out I'm not as crazy as my friends think I am.

It's unfortunate. You don't really expect a company as big as Facebook to have such blatant security issues, but the reality is that big companies are usually rife with these types of issues because developing these big sites with hundreds of developers working on dozens of projects simultaneously is hard to manage well. Facebook is a $100+ billion dollar company and is dominant in their field, but the reality is that they are putting their brand at risk with the way that most Facebook Apps on the platform work - many of these Apps request many more permissions to do crazy stuff (post on my profile automatically, access my data anytime, etc) and that just makes me extremely hesitant to use any Apps. This is the biggest privacy issue on Facebook IMO. People talk about Facebook sharing data with companies through ads, but regardless of whether people use the types of companies listed at http://www.buyfacebookfansreviews.com or Facebook ads directly, no company advertising on Facebook is getting access to any personally identifiable information through ads - the Apps issue is much bigger. Everybody would be smart to avoid installing ANY Facebook Apps they are not 100% sure about.
 
Does this apply if you have a passcode in place on your iOS device, or can programs like iExplorer still access your files even with a passcode on?

Try it. Download iExplorer and look at your connected devices. It doesn't challenge you for your passcode.
 
Funny to see people afraid for their privacy yet they use Facebook in the first place.

Sharing your personal info with friends, associates, marketers, companies/products, celebrities, and people you hardly know = OK

Sharing that same info with someone else = Oh noes!
 
Darn it!

I never thought about having public charging stations before. Now the idea is in my head and I want them! But they wouldn’t be safe.

(I bet someone will make an adapter that passes ONLY power through the dock connector, for just this kind of safety. Maybe those cables with a switch to toggle synch would do the trick already.)

How about using the power adaptor for the iOS device plugged directly into the wall plug?
 
I don't get how these big corporations create such crappy apps. :rolleyes:

Facebook doesn't put any effort into their mobile app because it doesn't make them money. They don't serve any ads on it so they don't make cash with it. If they can get you to use the normal website version they will.
 
Good to know, thanks, I'm a little less worried then. I make sure my iPhone always locks after 1 minute of being put to sleep.

That doesn't mean that the danger isn't present.

If you had your phone connected to some public power source and you received a phone call, you might be tempted to unlock your phone and keep the charger cable connected. A better solution would be to put a data-condom on your USB connection to prevent any data from ever being transmitted on the cable. That solution would give data protection to any USB device you wish to charge via a public terminal.

The small external USB batteries (like the Duracell model) implicitly provide this kind of protection.
 
That doesn't mean that the danger isn't present.

If you had your phone connected to some public power source and you received a phone call, you might be tempted to unlock your phone and keep the charger cable connected. A better solution would be to put a data-condom on your USB connection to prevent any data from ever being transmitted on the cable. That solution would give data protection to any USB device you wish to charge via a public terminal.

The small external USB batteries (like the Duracell model) implicitly provide this kind of protection.

You can get Dock connector cables that charge only and do not sync. Many of the cheap ones do this.
 
Seriously? These companies are storing secret keys in plain text on a shared device? Crypto 101 says that is seriously a not cool thing to do.
 
Doesn't Apple approve all apps before they are offered on the AppStore? I don't know what goes in to "approving" an app, but it seems like proper handling of authentication data should be one of them.

My guess is the location of authentication data may now find its way onto Apple's approval process checklist.

Though a bit dated from 2009, see Question 6 of Apple's response letter to the FCC's inquiry regarding Apple's approval process:
http://www.apple.com/hotnews/apple-answers-fcc-questions/
 
I really can't understand how difficult it can be for Facebook to hire some decent programmers.

A crappy iOS app. And when I use their webpage, every now and then it just says: Your personal page is not accessible. Please try again in a few hours. Not to speak about their message system.

Totally unprofessional.
 
This does not affect devices that were not jailbroken. It only affects jailbroken devices.

When you jailbreak, you are "breaking" the BSD "jails" iOS uses to separate third party app processes from accessing each other's data stores and accessing hidden data not accessible by the official API.

A file manager app on a jailbroken device can see all of the directories on the device where a standard iOS install is locked down.

To avoid these vulnerabilities, simply don't jailbreak your device.
 
This does not affect devices that were not jailbroken. It only affects jailbroken devices.

When you jailbreak, you are "breaking" the BSD "jails" iOS uses to separate third party app processes from accessing each other's data stores and accessing hidden data not accessible by the official API.

A file manager app on a jailbroken device can see all of the directories on the device where a standard iOS install is locked down.

To avoid these vulnerabilities, simply don't jailbreak your device.

If your phone is lost, can't the person who finds it jailbreak it and then do this exploit? You can't remote wipe it if they keep it off the Internet (like by putting it in airplane mode).
 
This does not affect devices that were not jailbroken. It only affects jailbroken devices.
You are totally missing the point. Plugging a non-jailbroken device into a rogue charger can also expose your credentials. Try it yourself using iExplorer.
 
FUD and hyperbole much.

Java is the responsibility of Oracle, not Apple.

Apple maintains the Mac builds of Java. Those issues were fixed on other platforms some time ago, so the Java issue was significantly an Apple one.
 
Does anyone know if the .plist is stored in my iCloud/iTunes account at all? My account was recently compromised and I want to know if the person could have accessed this for Dropbox.
 