Application security

The Security Weaknesses of the iOS: The Aisi Helper, Sandjacking, and Image Threats

Ravi Das
May 5, 2017 by
Ravi Das

Introduction

As we have eluded in other articles, the world of Information Technology and all of its related hardware and software applications are growing at a very fast pace. In fact, it is so fast that even the consumer, the business, or even the corporation simply cannot keep with this pace. It seems like that hardly one new technology is being adopted, it is time to change and evolve into another, brand new technological platform.

However, with all of this change, there is one common denominator, and it too is evolving at a very rapid pace as well: The mindset of the Cyber attacker. For example, they seem to be launching brand new threats and attacks on an almost daily basis, even faster than the pace of technological change just discussed.

In the past few decades, the Cyber attacker could be counted on doing one thing: Launching attacks on a large scale, and hoping to penetrate a system, somewhere and somehow.

However, over time, given the level of the sophistication of tools that the Cyber attacker now possesses, the threats towards targets and the end goal to be achieved seem to be much more specific, targeted, strategic, and even surgical.

In other words, one attack vector can do as much or even greater harm when compared to an all-out Cyber based attack.

With this in mind, the Cyber attacker wants to inflict the most damage as to where it will hurt the most -meaning our individual identities to achieve financial gain.

Gone are the days (for the most part) where the Cyber attacker will attempt to send you a Phishing E-Mail straight to your workstation. Now, their prime target is of much greater value -your Smartphone.

As it has been described in our previous articles, the Smartphone is an extension of both our personal and professional lives. Because of this, all of our confidential and private information/data is stored onto it, including those that are used to accomplish our every day, work related tasks.

We are often believed into thinking that our Smartphone is safe from a Cyber based attack.

However, as reality dictates, this is far from the truth. The Cyber attacker knows about this not only at a technical level but also from the level of the human emotion-thus striking fear and the feeling of paralysis when we expect it the least.

For example, given the increased adoption and usage of the Virtual Wallet (this is a mobile app which can store credit card information, and you literally make payment by tapping your Smartphone onto the Point of Sale Terminal) the Cyber attacker can very easily hijack this vital information in a very covert fashion, and thus render the Virtual Wallet to be utterly useless when we need it the most to make a payment.

The concept of the Virtual Wallet and the Security vulnerabilities that it possesses will be discussed in a future article. However, for the time being, our last two articles have focused specifically upon the major Security weaknesses which are posed to the major Smartphone models of today.

It should be noted at this point that these particular weaknesses are both hardware and software application based (most notably from the standpoint of the Operating System which the particular Smartphone is using).

Our first article examined at length some of these types of threats, mostly taking the angle from the software application perspective. For example, we have reviewed the risks which are posed to the Knox System as well as the Android Operating System which is primarily used by the Samsung devices.

The second article continued this theme, by taking a look at another threat from the hardware perspective, specifically the issues surrounding Swiftkey Keyboard, also used by many of the Samsung devices.

Also, the various Security issues which are faced by the iOS Operating System (which is used primarily in the Apple wireless devices such as that of the iPad and the iPhone). A special focus was given upon the "FairPlay Man In The Middle" attack (also known as the "FMITM," which makes extensive usage of a family of rogue mobile apps, known specifically as the "Ace Deceiver."

In this article, we continue with the theme of the Security threats which are posed to the iOS Operating System, by first focusing on the implications of the "FMITM" attack.

The Security Implications of the "Fair Play Man In The Middle Attack."


Although fortunately, there have been very limited circumstances of the "FMITM" attack, nevertheless, it is still a very much feared threat to the iOS Operating System, primarily because it can be launched at any time, from any place.

If this does indeed happen, many businesses and corporations all over the world could be greatly affected, as many of their employees use their Smartphone to conduct work related matters.

Therefore, it is very important to understand the both the technical and the social implications of the "FMITM" Attack. Interestingly enough, at present, this threat has only impacted those end users who use the iOS System only in mainland China. To make this happen, the Cyber attackers in China devised a Windows-based client known as the "爱思助k or the Aisi Helper." In this scenario, it is assumed that the iPhone is connected to a computer, via a USB connection. This rogue based application tricks the user into believing that it can do the following:

  • Windows Operating System Reinstalls
  • Creating backup and restore files
  • Device management

However, in the background, in a very covert fashion, the "Aisi Helper" is also installing rogue applications to the iPhone from the PC on which it is connected to. In turn, the end user is then prompted, or "further encouraged" to download more apps from a spoofed App Store.

However, to access and download these particular apps, the end user must enter their Apple based username and password combination. Once this happens, this information is then transmitted and uploaded to an Ace Deceiver C2 Server and is encrypted in such a way that only the Cyber attacker can decrypt it.

As mentioned, the "FMITM" attack can grow and proliferate on an exponential basis primarily for the following reasons:

  1. There is no need for an Enterprise level Certificate because there is "trust" that is required by the end user;
  2. At present, there are no known patches being offered to alleviate the risk to the iPhone. It is also expected that even if such a patch is made available to the end user, the Cyber attacker will find a way to bypass it its protective mechanisms;
  3. The rogue apps do not have to be made available on a constant basis at the App Store to a launch a particular attack. They only need to be made available to the end user just on a one-time basis to spread its dangerous payload;
  4. The rogue applications download and install themselves onto an end user's iPhone. As a result of this, they can very easily bypass any software based Quality Assurance (QA) or any other types and kinds of Penetration Testing;
  5. The only indication that a rogue mobile app has been downloaded if there is a new icon that is present on the screen of the infected iPhone device. However, the probability of this ever being noticed by the end user is quite low, as he or she is busy using their device(s) for other purposes.

Sandjacking" An iOS Operating System


In the world of software development, programmers often use a technique what is specifically known as a "Sandbox." It can be defined as follows:

"A sandbox is an isolated computing environment in which a program or file can be executed without affecting the application in which it runs. Sandboxes are used by software developers to test new programming code." (SOURCE: 1)

In other words, it is a specific environment in which blocks of software code can be tested out for any bugs or Security vulnerabilities before it is released into the production environment. This same type of technique is also used to create mobile and any other software applications onto the iOS Operating System.

However, even a Sandbox based environment also needs its protective mechanisms, because it too, can be prone to Cyber based attacks. When a hacker breaks into the iOS Sandbox environment, this is known as "Sandjacking," and although this has not become a serious threat yet, it does have the potential to do widespread damage, like that of the "MITM" attack.

Through the use of Penetration Testing, it has been shown that through a tool known as the "XCode 7", software developers can quite easily gain access to the Apple Digital Certificates which are needed to build the iOS based apps just by simply inputting their name and respective E-Mail address.

However, it should be noted that these apps are specifically meant for Quality Assurance (QA) testing and Security testing purposes. In a theoretical sense, these apps cannot be uploaded onto the App Store.

However, once again, through Penetration Testing, it has been shown that these test iOS apps can be uploaded live onto the App Store. This is done through a technique specifically known as "Su-A-Cyder."

However, keep in mind that this threat is only prevalent if the iPhone is connected to a hard-wired computer, or even another wireless device (such as that of an iPad). From here, any legitimate app can then be replaced with a rogue mobile app, after the Digital Certificates have been obtained, as described previously.

While Apple has claimed to have a released a patch which fixes this Security vulnerability, there was one key item which was left out: The iOS Restore features. For example, at recent Security based conferences, it was clearly demonstrated that after the legitimate mobile app has been replaced by the rogue app, and even after the iPhone has been completely purged and restored, the rogue app remains.

To make matters even worse, this entire process can be completely automated. As a result, millions of iPhones could be potentially affected in just a matter of a few minutes.

Threats to The iOS Via Images


Ever since the days Phishing E-Mails were being used to launch Identity Theft attacks, it has been widely known that the images (such as .JPEG, .BMP., .TIFF, etc.) can also malicious code if the end user clicked on them.

In response to this, many Security Vendors have cautioned not only businesses and corporations but also the population at large to be extremely careful of even hovering the mouse over any suspicious image, even if it is not in an E-Mail message. This even includes exercising caution when accessing and viewing websites.

However, this kind of threat has even been extended to the iOS and OS X platforms. Although at the time this Security vulnerability was revealed just as a so-called "Proof of Concept," it has far-reaching implications if it ever existed as an actual threat. This weakness revealed in the OS X 10.11.6 as well as the iOS 9.3.3. Operating Systems.

This was discovered by Cisco System's "Talos Team." It was discovered that the built in tools in these particular Operating Systems could be manipulated in such a way that that malicious .exe files (such as that of a Trojan Horse, Malware, or even Spyware) could be very easily inserted into images which appeared in the Safari Web Browser.

The affected image file extensions include the .IFF, OpenEXR, and even the .BMP.

The .TIFF was deemed to be the most vulnerable, as this could deliver a malicious a payload even when an image was just simply by delivered by opening a Web page. Although Apple has claimed to have fixed this potential threat, the fear still exists that a sophisticated Cyber attacker can still find a gap in these patches, and take further advantage of that.

Conclusions

In summary, our previous article examined the "Man In The Middle Attack" which is somewhat prevalent on the Android Operating System, and in turn, affecting the Samsung Wireless device. This article examined this threat in more detail, by focusing specifically on its Security based implications.

As described, although this threat is geographically limited to just China, the real fear is that it can spread itself very quickly throughout the rest of the world, thus affecting literally millions upon millions of end users.

Also, for a very long time, many end users, even including businesses and corporations, have always felt very safe in using the iOS and the iPhone, because there are hardly any Cyber threats targeted towards it which are publicly announced. However, this is far from the truth, as this article has also examined.

In particular, the risks of Sandjacking and malicious code being delivered to image files were examined.

We continue with this theme in the next article, where more threats to the iOS Operating System and the iPhone will be further examined.

Resources

  1. http://searchsecurity.techtarget.com/definition/sandbox
  2. http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/
  3. https://securityintelligence.com/news/sandjacking-new-ios-threat-lets-attackers-out-of-the-box/
  4. https://www.macobserver.com/news/new-security-threat-targets-os-x-ios-graphics/
  5. http://www.csoonline.com/article/2826038/mobile-security/top-6-threats-to-ios-devices.html#slide2
  6. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/apple-threat-landscape.pdf
  7. https://idency.com/wp-content/uploads/2014/08/Lacoon-White-Paper-iOS-Threats.pdf
  8. https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-mobile-security-threat-report.pdf
Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.