Ios Platform Sec
Ios Platform Sec
Authors:
Lee Neely
Dave Mold
Neal
Hindocha
Tom Neaves
Table of Contents
iOS Platform Security...................................................................................1
1.Executive Summary...............................................................................3
2.Introduction............................................................................................3
3.Purpose..................................................................................................4
4.Threats...................................................................................................4
5.Platform Security....................................................................................4
5.1.Vulnerabilities...................................................................................4
5.1.1.Recovery of data...........................................................................4
5.1.2.Insertion of unauthorized application / functionality.....................5
5.1.3.Change of security policy..............................................................6
5.1.4.Jailbreaking....................................................................................6
5.1.5.Malware.........................................................................................6
5.1.6.Unsupported firmware and patching.............................................7
5.2.Controls............................................................................................7
5.2.1.Authentication Controls.................................................................7
5.2.2.Authorisation Controls...................................................................7
5.2.3.Data Security Controls..................................................................8
5.2.4.Auditing and Logging Controls....................................................10
5.2.5.Assurance Controls......................................................................10
5.2.6.Security Monitoring Controls.......................................................12
5.2.7.Incident Response Controls.........................................................12
5.2.8.Security Profiles...........................................................................13
5.2.9.Built-In Encryption.......................................................................13
5.2.10.Control of connections...............................................................13
5.2.11.Backups.....................................................................................14
5.2.12.Additional Encryption................................................................14
6.Checklist...............................................................................................14
6.1.Avoid Data Leakage........................................................................14
6.2.Vulnerabilities.................................................................................14
6.3.Controls..........................................................................................14
6.4.General...........................................................................................15
1. Executive Summary
Apple has introduced three highly successful mobility platforms (iPod,
iPhone and iPad, collectively known as iDevices). It is possible to store
large amounts of data on the iDevices. The data can be anything from
documents to emails to sensitive information such as passwords.
This document aims to provide practical step-by-step guidance to securing
data on the iDevice. This guide is structured for users configuring a standalone device or corporations without central mobile device management
solution, wishing to protect the valuable information stored on their
device.
Apple iOS Security is a developing technology. Optimal security requires a
combination of technical and administrative controls. Not only must the
device be securely configured, and the applications use the security APIs
to protect their data, but also the user must not extract data from a secure
application and insert it into a less secure application. Security settings for
Jailbroken (aka hacked) devices are out of scope for this guide as the
security features are no longer at a known state.
Following the guidelines in this document, it is possible to secure the
iDevice(s). However, with the existence of vulnerabilities, the difficulty in
full file system encryption and the rules imposed on app-developers by
Apple, it is not possible to secure them to the extent a hardened computer
system can be secured.
2. Introduction
Securing iDevices is a combination of security settings (technical controls)
and smart user action (administrative controls.) This guide is intended for
individual users or corporate users without a central mobile management
solution.
As iOS and the iDevice hardware has matured, the corresponding security
options have also matured. For this guide, we assume you are using iOS 4
or higher, with current hardware, at a minimum an iPhone 3GS, iPad and
iPod touch 3rd or 4th generation.
This guide will lead you through security settings and practices which can
be configured natively on the device and the computer you synchronize
the device with.
The security measures start with the basics: Enable remote wipe, select a
good passcode and configure the device to wipe after a set number of
passcode failures. Consider where you connect to the network. Wi-Fi
hotspots are being spoofed or otherwise exploited to capture credentials of
unsuspecting users. Then consider the applications installed on the device
as not all applications implement the same data protection model.
3.
Purpose
4. Threats
Threats can be intentional or accidental, and include but are not limited to:
Theft/Loss: Whether this is a mobile device being stolen or a
misplaced in a public place, the ability for petty criminals to convert
devices into cash makes physical theft one of the highest threats to
portable devices. A recent study found 1 in 20 devices was lost or
stolen.
5. Platform Security
5.1.Vulnerabilities
5.1.1.
Recovery of data
http://blog.crackpassword.com/2011/05/elcomsoft-breaks-iphoneencryption-offers-forensic-access-to-file-system-dumps/
http://mocana.com/blog/2011/02/18/iphone-hackers-can-gainaccess-to-your-passwords-in-6-minutes-or-less/
http://www.cellebrite.com/ufed-iphone-physical-extractionextraction-and-encryption-faq.html
If data encryption is disabled, it is possible to retrieve all information
stored on the iDevice. PIN codes and passwords can be bypassed on
any iDevice that is vulnerable to a bootrom vulnerability, or by using
physical extraction. Currently, all iDevices on the market, except the
iPad 2, are vulnerable to at least one bootrom vulnerability. It should
be noted that bootrom vulnerabilities cannot be distributed through
iOS updates.
iDevices contain two partitions; The OS partition, which is the first
1GB of storage, and the user partition, which is the remaining space.
Even if data encryption is enabled, the OS partition is not encrypted.
Decrypting a bit-image of the User partition is possible when you
have physical access to the device. If a simple passcode is enabled,
brute force attempt to recover the passcode is a quick task, taking
under 20 minutes on an iPhone 4. Brute force is not necessary if you
have the escrow keys. These are created by iTunes on the computer
backing up the device.
There are however files on the user partition that will still be
encrypted after the partition is decrypted, for example the email
storage and the keychain.
Mechanisms are being devised to recover/decrypt the contents of
fully encrypted iDevices. In general, these mechanisms rely on
having not only the device but also the device that is backing it up.
Some of these techniques involve brute force password attacks on
the raw device at a level below the configurable iOS setting that
wipes the device on repeated password failures.
To mitigate this issue, make sure that access is not provided to both
the iDevice and the system that performs its backup. Furthermore,
brute force attempts can be made on PIN codes and passwords.
Therefore, make sure to follow current best practices when choosing
the password and do not use short PIN codes such as four digits.
Protections could include not only disk encryption of the device, but
also taking a layered approach for sensitive data where the COTS
solution provided protection to data stored on the device in addition
to storing application specific data in their own container.
Finally, it should be noted that although information such as pictures
have been deleted, it may still be recoverable. To permanently
remove such information, use an app that cleans the free space at
regular intervals.
http://www.zdziarski.com/blog/?page_id=407
5.1.2.
http://www.reghardware.com/2011/06/15/pin_spy_app_pulled/
By default, iDevices can only load applications through either the
Apple App Store or a corporate App Store connected with the Apple
Developer Program. Applications in these stores must pass a
minimal certification, and in the event Apple determines they are
inappropriate they may be deleted from devices. Some
applications in this avenue have additional functionality which may
not be desirable, such as uploading your location data when the
application is used to record all the users of a given application.
Aside from location data, applications may attempt to leverage the
microphone, camera, screen captures and keystroke logging.
Hacked iDevices can install applications from multiple application
stores which dont have Apples oversight. These are the most likely
sources of unauthorized application functionality. Hacked device
owners are dependent on the third-party application providers for
security and/or appropriate use of the available technology and
dont have Apples QA or oversight to protect them. Using a Hacked
device is a risk based decision, and the alternatives, risks and
impacts should be considered.
5.1.3.
Apple iPCU (iPhone Configuration Utility) allows for the creation for
security policies (aka profiles) for iDevices. The policies can be
signed, encrypted, and may require a password for removal. In the
extreme case, they can be made permanent and only removed via
device wipe. When creating security profiles, at a minimum require a
unique strong password to remove it.
Profiles can be delivered to the device via the web, email
attachment or pushed via MDM (Mobile Device Management)
solution. Depending on the source of the security profile, the device
user/owner may or may not be involved in accepting those policies.
Some products expire the certificates necessary to communicate
with corporate resources when a new policy is published to
incentivize user adoption of the updated profile.
Jailbreaking
http://en.wikipedia.org/wiki/IOS_jailbreaking
Jailbreaking an iDevice allows applications to be installed from
sources other than the approved application store, as well as
providing remote access, such as SSH access, to the device. iOS has
preloaded password tables which include well known
username/password combinations. The root password for example,
has been alpine since the release of the first iPhone. Users and
corporations will have to make a risk based decision on their
acceptance of hacked devices. Application Developers have to
assume deployments include hacked devices and implement
necessary security protections, if any.
If you elect to hack your device, be sure to change all the built-in
passwords.
5.1.5.
Malware
http://krebsonsecurity.com/2011/05/weyland-yutani-crime-kittargets-macs-for-bots/
iOS Malware falls into three categories. Code designed to hack (or
jailbreak) the device, code designed to take advantage of the
changed security settings on a hacked iDevice or code designed to
exploit vulnerabilities. Workarounds and/or software updates are
published to counteract the first and third category. The owner of a
hacked device must investigate and find fixes for any malware that
exploits the changes in security settings resulting from jailbreaking
the iDevice.
5.1.6.
http://www.theregister.co.uk/2011/03/10/apple_update_omits_iphone
3g/
Apple limits the long-term support, aka backwards compatibility of
new iOS releases with older iDevices. In general, Smartphones have
an effective support lifecycle of 18-24 months due to the rate of
technology and device evolution. This is not a vendor specific
phenomenon. Lifecycle replacement cost and timing needs to be
planned into any Smartphone purchase to ensure continuing support
and security.
5.2.
Controls
Authentication Controls
Set a password to access the iDevice. Use: Settings->General>Passcode Lock->Turn Passcode On (with simple Passcode
Off). The longer and more complex password the better at
least 8 characters. Holding a key (e.g. A, E, Y, W, U, . , etc.) on
the keypad reveals extended charters and is a go way of using
complexity. Change this password if someone else knows it or
after 30 days.
5.2.2.
Authorisation Controls
To use connections
-
5.2.3.
The iPhone 3GS+, 3rd and 4th generation iPod and iPad feature builtIn AES 256 hardware encryption. This encryption must be properly
enabled for it to work. Devices delivered with iOS 4+ are properly
configured out-of the box. Devices that have been upgraded to iOS
4 must be restored to properly enable the full hardware encryption.
http://support.apple.com/kb/HT4175
If there is no exit option in the application, click the homebutton once to exit the application, then double-click the home
Most logs are not normally viewable on the device, and the easiest
way to see them is through syncing with iTunes and then viewing log
files. Application crash logs, which maybe symptomatic of malicious
activity, can be found in the following locations:
Mac OS X
~/Library/Logs/CrashReporter/MobileDevice/<your iDevices name>/
Windows XP
C:\Documents and Settings\<login name>\Application Data\Apple
computer\Logs\CrashReporter\<your iDevices name>\
Windows Vista
C:\Users\<login name>\AppData\Roaming\Apple
computer\Logs\CrashReporter\MobileDevice\<your iDevices name>\
5.2.5.
Assurance Controls
There are limited controls that can be applied for security monitoring
considerations are limited and mainly for corporate gateway
scanning e.g. SEIM on a proxy log. However some controls and
should be considered.
While Apple has dropped its short lived Jailbreak API, some tools do
attempt to detect jailbreak behaviour such as Good Technologies.
Some detection rules are now appearing in IDS solutions. E.g. snort
signatures exist for jailbreak exploits and routing iDevice non-3G
network traffic through an inline IPS is recommended.
5.2.7.
Security Profiles
Apple iPCU and MDM solutions for iDevices can install security
policies (or profiles) on the devices. The profiles can be signed,
encrypted, and may require a password for removal. In the extreme
case, they can be made permanent and only removed via device
wipe. When creating security profiles, at a minimum require a unique
strong password to remove it.
Profiles can be delivered to the device via the web, email
attachment or pushed via MDM solution. Depending on the source of
the security profile, the device user/owner may or may not be
involved in accepting those profiles. Some products expire the
certificates necessary to communicate with corporate resources
when a new profile is published to incentivize user adoption of the
updated profile.
Multiple security profiles can be active on a single iDevice. Security
profiles are layered, with the most restrictive setting for any option
being enforced.
Chapter: iOS Platform Security14
5.2.9.
Built-In Encryption
Control of connections
To use connections
-
5.2.11.
Backups
Additional Encryption
6. Checklist
6.1.Avoid Data Leakage
then scroll down to the Use SSL option. This will prevent others
being able to read your email over public Wi-Fi networks.
Do not backup company data to cloud services like Mobile Me
iDisk or Dropbox.
Do not use your iDevice for information or communications which
is regulated.
Do not send work related email to personal email accounts.
Erase or wipe iDevices when reassigning, replacing, returning, or
other disposition.
6.2.Vulnerabilities
6.3.Controls
6.4.General