iPhone Security Analysis

This is a presentation of the paper written by Charlie Miller, Jake Honoroff and Joshua Mason at Independent Security Evaluators (ISE). The paper is about finding vulnerabilities in the Apple iPhone and gives a few suggestions on how to fix them.

1. Summary of Apple's iPhone

  • Released by Apple Inc. on June 29, 2007
  • Runs a customised version of Mac OS X
  • Runs on an ARM 1176JZF-S processor
  • Has features like multi-touch, accelerometer, etc.
  • Supports quad-band GSM and AT&T's EDGE network.
  • The Apple folks say "People like our phone"

2. iPhone as a Closed Phone

  • The iPhone only works on AT&T's network, which means no Warid or Jazz (I think).
  • You cannot install third-party applications.
  • You cannot access the file system, only a small portion of it inside a "sandbox". That is mainly for adding and removing songs, etc.
  • That sandboxed area can only be accessed through iTunes, provided by Apple Inc.

3. Weaknesses in the iPhone

  • Apple has mainly tried to avoid attacks (by making the phone closed)
  • Never tried to handle them once they happen.
  • The only user is root (the power user)
  • Attacks (discussed later) are avoided by restricting the user to a portion of the file system.
  • No address randomization and no non-executable heap (the heap is executable).

4. Attacks

4.1 Jailbreaking

  • The process of gaining root access to the file system in order to install third-party tools.
  • The resulting access to the file system is read/write.
  • Mainly the owner of the phone carries out this attack.
  • Jailbreaking leads to unlocking.
  • A jailbreaking tool is available for download (if you have an iPhone).

4.2 Unlocking

  • Unlocking means using the service of any provider other than AT&T.
  • The following tools are available:
    anySIM ————– (free of cost)
    TurboSIM ———— (paid)
    SIMFree ————– (paid)
  • anySIM uses a patch to bypass the AT&T check.
  • TurboSIM hasn't yet revealed their secret.
  • SIMFree tells the iPhone that the current SIM is from AT&T.

4.3 Buffer overflow

  • We can find a vulnerability and use a buffer overflow attack; out of my kindness I gave an example.
  • Suppose we have a password function:
    #include <string.h>

    void func(char *passedStr)
    {
        char localStr[4];
        strcpy(localStr, passedStr);   /* no bounds check: input longer than the buffer overwrites the stack */
    }
  • In the above function there is no check on the password length.
  • Let's suppose the password should be four characters (abcd).
  • If an attacker provides the password "abcd\x12\x23\x56\x78"
  • The value would then be \x87654321 (little endian).
  • The overwriting value \x87654321 will execute the function system(), passing the desired values.
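To show the fix the paper's suggestions point at, here is an added example (not code from the page or from the ISE paper; function names, the PASSWORD_LEN constant and the sample password "abcd" are my own assumptions). It places the page's unbounded strcpy() function beside a hardened version that checks whether the input fits before copying, so an overlong password such as "abcd\x12\x23\x56\x78" is rejected instead of overwriting the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_LEN 4                 /* the page assumes a 4-character password ("abcd") */
#define EXPECTED_PASSWORD "abcd"       /* constructed sample value */

/* The page's vulnerable function: strcpy() stops only at the NUL byte, so any
   input of 4 or more characters writes past localStr onto the stack.
   Kept here for comparison only; it is never called with untrusted input. */
void vulnerable_func(const char *passedStr)
{
    char localStr[4];
    strcpy(localStr, passedStr);
    (void)localStr;
}

/* Check before copying: does the string, including its terminating NUL, fit
   in a buffer of bufsize bytes? memchr() is bounded, so it never reads more
   than bufsize bytes even when no terminator is found. */
bool would_overflow(const char *s, size_t bufsize)
{
    return memchr(s, '\0', bufsize) == NULL;
}

/* Bounded copy: refuses input that does not fit instead of truncating or
   overflowing. Returns true only when out holds the whole string. */
bool hardened_copy(const char *passedStr, char *out, size_t outlen)
{
    if (would_overflow(passedStr, outlen))
        return false;
    memcpy(out, passedStr, strlen(passedStr) + 1);
    return true;
}

/* Hardened password check: the buffer is sized for PASSWORD_LEN plus the NUL,
   so the page's "abcd\x12\x23\x56\x78" input is rejected before any copy. */
bool check_password(const char *passedStr)
{
    char localStr[PASSWORD_LEN + 1];
    if (!hardened_copy(passedStr, localStr, sizeof localStr))
        return false;
    return strcmp(localStr, EXPECTED_PASSWORD) == 0;
}

int main(void)
{
    /* constructed inputs: the expected password, a short one, and the page's overlong one */
    const char *inputs[] = { "abcd", "abc", "abcd\x12\x23\x56\x78" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("input %zu: overflows the page's 4-byte buffer: %s, accepted by hardened check: %s\n",
               i,
               would_overflow(inputs[i], 4) ? "yes" : "no",
               check_password(inputs[i]) ? "yes" : "no");
    return 0;
}
```

Note that even the legitimate "abcd" overflows the page's char localStr[4], because the terminating NUL needs a fifth byte; the hardened version sizes the buffer for PASSWORD_LEN + 1 and refuses anything that does not fit.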

4.4 Other Attacks

  • The other attacks are return-to-libc and reverse engineering. (Need to study them.)
  • By visiting a malicious website, since Mobile Safari (the iPhone browser) is not a full-fledged browser.
  • By crashing the iPhone and studying the log.
