iSEC Partners Final Report
CryptoCat iOS

©2014, iSEC Partners, Inc.
Prepared by iSEC Partners, Inc. for Open Technology Fund. Portions of this document and the templates used in its production are the property of iSEC Partners, Inc. and cannot be copied without permission.
While precautions have been taken in the preparation of this document, iSEC Partners, Inc, the publisher, and the author(s) assume no responsibility for errors, omissions, or for damages resulting from the use of the information contained herein. Use of iSEC Partners services does not guarantee the security of a system, or that computer intrusions will not occur.

February 7, 2014
Open Technology Fund
Version 1.1

Document Change Log
Version  Date        Change
0.9      2014-02-07  Document ready for readout
1.0      2014-02-07  Bump to 1.0 following readout
1.1      2014-03-14  Clarifications regarding iOS application not being distributed in App Store during testing

Table of Contents
1 Executive Summary
  1.1 iSEC Risk Summary
  1.2 Project Summary
  1.3 Findings Summary
  1.4 Recommendations Summary
2 Engagement Structure
  2.1 Internal and External Teams
3 Detailed Findings
  3.1 Classifications
  3.2 Vulnerabilities
  3.3 Detailed Vulnerability List — iOS Client
  3.4 Detailed Vulnerability List — Other Components
Appendices
A XMPP StartTLS stripping
  A.1 Screenshot
  A.2 Python script
B Invisible Chat Room Member

1 Executive Summary

Application Summary
Application Name          CryptoCat
Application Type          iOS application
Platform                  iOS

Engagement Summary
Dates                     January 27, 2014 – February 7, 2014
Consultants Engaged       3
Total Engagement Effort   3 person weeks
Engagement Type           Application Penetration Test
Testing Methodology       White Box

Vulnerability Summary
Total High severity issues            6
Total Medium severity issues          6
Total Low severity issues             3
Total Informational severity issues   2
Total vulnerabilities identified:     17
See section 3.1 on page 12 for descriptions of these classifications.

Category Breakdown:
Access Controls        0
Auditing and Logging   0
Authentication         3
Configuration          2
Cryptography           1
Data Exposure          8
Data Validation        0
Denial of Service      1
Error Reporting        0
Patching               2
Session Management     0
Timing                 0

1.1 iSEC Risk Summary
The iSEC Partners Risk Summary chart evaluates discovered vulnerabilities according to estimated user risk. The impact of the vulnerability increases towards the bottom of the chart. The sophistication required for an attacker to find and exploit the flaw decreases towards the left of the chart. The closer a vulnerability is to the chart origin, the greater the risk to the user.

[Chart: iSEC Risk Summary. Axes: Attack Sophistication (Simple / Difficult) and User Risk (High / Low). Findings plotted:]
• iOS client - Public key data logged locally
• iOS client - Autocorrection leaks information to disk
• iOS client - Crashes triggered by malformed multi-party messages
• iOS client - HMAC validation timing attack
• iOS client - Information leaking from iOS screenshots
• Weak SSL/TLS versions and cipher suites supported by XMPP service
• Browser clients - Chat room eavesdropping using a regular XMPP client
• iOS client - Lack of return value checking for sensitive function calls
• CryptoCat chat rooms log encrypted messages and can be made persistent
• Browser clients - Misleading security UI for SMP identity checking
• iOS client - Private messages are logged in plaintext
• iOS client - Private key stored in plaintext on local storage
• iOS client - XMPP connection vulnerable to StartTLS stripping
• CryptoCat OTR implementation vulnerable to man-in-the-middle attacks
• CryptoCat's security model relies on unrealistic user requirements

1.2 Project Summary
The Open Technology Fund (OTF) engaged iSEC Partners to perform a source-code assisted security review of the CryptoCat iOS application. A total of three consultants worked on the project between January 27th and February 7th, 2014 for a total of three person-weeks of work. This security analysis was structured as "best effort" within the given time frame.
The goal of this engagement was to review the CryptoCat iOS application with a focus on misuse of common iOS APIs, flaws in implementation of cryptographic protocols, and remotely exploitable vulnerabilities that could impact the confidentiality or integrity of CryptoCat chat sessions.
The iSEC team performed the testing of the iOS client using both the iOS simulator and physical iDevices. iSEC also used CryptoCat browser clients and a third-party XMPP/OTR client [1] to review cross-platform interactions within a CryptoCat chat room.
Items that were out of scope for this engagement include:
• A review of the multi-party cryptographic protocol.
• The CryptoCat browser, desktop and Android clients.
Addendum (3/15/14): The iOS application was in-development code that at time of testing was available only in a pre-production form on GitHub and not distributed via the App Store. The CryptoCat team had time to review the vulnerabilities prior to publication in the App Store and claims to have addressed them; however, iSEC has not validated any fixes and cannot make any claims to the current status of any vulnerabilities.
While not in scope for the engagement, iSEC also identified vulnerabilities that pertain to the released and deployed browser extension and server configuration. These issues were found while testing the iOS client's integration with other CryptoCat components.
[1] iSEC used the Adium chat client - https://adium.im/

1.3 Findings Summary
CryptoCat's goal of providing a messaging system that is both easy-to-use and secure is important and challenging. The issues identified in this report demonstrate several instances in which the design and implementation of CryptoCat fail to meet this goal. In fact, due to vulnerabilities identified, the practical security of CryptoCat on all platforms, at time of review, is currently equivalent to a standard XMPP client without OTR and falls short of the security provided by an XMPP client with OTR.

CryptoCat Design Flaws
The most serious problems affecting CryptoCat are design issues that diminish the security of all CryptoCat communications.
CryptoCat's OTR implementation on all platforms allows a chat peer to change their OTR key during a chat session without user notification. An attacker performing a man-in-the-middle attack against the client's XMPP or HTTPS stream can inject their own OTR key in the discussion after a user has authenticated their peer's OTR fingerprint. This permits the attacker to decrypt all messages that follow, and no user would have reason to suspect the compromise. Group multi-party discussions do not seem to suffer from the same vulnerability.
Another issue is that the security of users' communications relies solely on manual verification of peers' key fingerprints through a secure channel. Furthermore, CryptoCat clients generate new encryption keys on every chat session, placing the burden of repeated authentication tasks on users. iSEC believes this is not a practical security model - requiring users to establish secure channels in order to verify each individual chat session negates the promise of CryptoCat. After all, there is no need for CryptoCat if one must first communicate securely in order to use it with confidence.

iOS-Specific Vulnerabilities
As the focus of this engagement was the CryptoCat iOS client, the iSEC team spent most of its time reviewing this application and discovered several vulnerabilities.
The iOS client's XMPP implementation allows an attacker to force the client to communicate over plaintext XMPP instead of SSL/TLS, resulting in all XMPP traffic being vulnerable to man-in-the-middle attacks. Exploiting this flaw together with CryptoCat's vulnerable OTR implementation allows an attacker to decrypt all OTR messages sent or received by the iOS App.
The iSEC team also identified multiple instances of sensitive data being leaked by the iOS App to the device's logs or file system, including OTR messages and the user's private key; such files can be retrieved by an attacker with physical access to the device.

Issues Affecting Other Components
iSEC discovered issues affecting other CryptoCat components including the browser extensions and CryptoCat's XMPP server. These issues, found while testing the iOS client's integration with the other CryptoCat components, allow an attacker to collect encrypted logs of group messages exchanged within a CryptoCat chat room using various techniques.

1.4 Recommendations Summary
This summary provides high-level recommendations designed to address the most pressing issues affecting CryptoCat. Individual recommendations described in Section 3.3 on page 15 of this report should be reviewed and implemented in order to address every vulnerability described in this report.
CryptoCat faces several challenges if it is to provide a truly secure messaging platform. Implementation flaws are relatively easy to fix, but addressing limitations in the design of CryptoCat requires significant changes to its cryptographic protocols. The largest challenge is creating a user experience that is both simple and secure - a goal so daunting few developers fully embrace it.

Short Term
Short term recommendations are meant to be relatively easily executed actions, such as configuration changes or file deletions that resolve security vulnerabilities. These may also include more difficult actions that should be taken immediately to resolve high-risk vulnerabilities. This area is a summary of short term recommendations; additional recommendations can be found in the vulnerabilities section.
• Enforce the usage of StartTLS for all XMPP connections on iOS. The CryptoCat iOS application should terminate any XMPP connection to a server that does not advertise support for StartTLS.
• Prevent information leakage on iOS. The CryptoCat iOS application leaks sensitive data such as the user's private key through various mechanisms including debug logs and application backgrounding. To prevent this data from being exposed, recommendations described in this document should be implemented.
• Provide users with instructions on how to check fingerprints. Upon installing a CryptoCat client, users should be prompted with guidelines on how to properly check their peers' fingerprints in order to establish a secure chat session.
• Only accept a single OTR key exchange per contact. To prevent man-in-the-middle attacks, CryptoCat clients should reject OTR key exchanges triggered after the peer already supplied their OTR public key during a chat session.
• Harden the XMPP server's configuration. Disable chat room history logging and persistent rooms; improve the server's SSL/TLS configuration by disabling weak cryptographic ciphers.

Long Term
Long term recommendations are more complex and systematic changes that should be taken to secure the system. These may include significant changes to the architecture or code and may therefore require in-depth planning, complex testing, significant development time, or changes to the user experience that require retraining.
• Review the CryptoCat Android application. Issues described in this document and affecting the iOS client should be verified on the Android client.
• Re-architect the CryptoCat clients to use long-lived cryptographic keys and a Trust on First Use security model. Consider relying on a security model similar to that used by SSH. Specifically, store the user's cryptographic keys and their contacts' nickname and fingerprints pairs in the client. Notify the user when they need to make a trust decision on first use and display an error to the user if a peer's fingerprint changes.
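
The two client-side rules recommended in this section (a single OTR key exchange per contact in a session, and SSH-style Trust on First Use with stored nickname and fingerprint pairs) combine as follows. This is an added Python example, not CryptoCat or iSEC code; PinStore, ChatSession, the SHA-256 fingerprint and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "first-use"  # unknown contact: the user must make a trust decision
    MATCH = "match"          # key equals the fingerprint pinned earlier


class KeyChangeRejected(Exception):
    """A contact presented a key that must not be accepted."""


def fingerprint(public_key: bytes) -> str:
    # Assumption: SHA-256 over the raw key bytes stands in for the real format.
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    """Long-lived nickname -> fingerprint pins (a real client persists these)."""

    def __init__(self):
        self._pins = {}

    def check(self, nickname: str, public_key: bytes) -> Verdict:
        pinned = self._pins.get(nickname)
        if pinned is None:
            return Verdict.FIRST_USE
        if hmac.compare_digest(pinned, fingerprint(public_key)):
            return Verdict.MATCH
        # Changed fingerprint: surface an error, never switch keys silently.
        raise KeyChangeRejected(f"fingerprint for {nickname} changed")

    def trust(self, nickname: str, public_key: bytes) -> None:
        # Called only after the user has verified the fingerprint.
        fp = fingerprint(public_key)
        if self._pins.setdefault(nickname, fp) != fp:
            raise KeyChangeRejected(f"{nickname} is pinned to another key")


class ChatSession:
    """Accepts exactly one key exchange per contact for the session's lifetime."""

    def __init__(self, store: PinStore):
        self._store = store
        self._keys = {}  # nickname -> key accepted for this session

    def on_key_exchange(self, nickname: str, public_key: bytes) -> Verdict:
        if nickname in self._keys:
            # A later exchange is how an injected key would replace a verified one.
            raise KeyChangeRejected(f"{nickname} already supplied a key")
        verdict = self._store.check(nickname, public_key)
        self._keys[nickname] = public_key
        return verdict


# Constructed sample keys (random-looking bytes, not real OTR keys).
ALICE_KEY = b"alice-public-key-bytes"
BOB_KEY = b"bob-public-key-bytes"
INJECTED_KEY = b"key-injected-by-a-middlebox"

if __name__ == "__main__":
    store = PinStore()
    session = ChatSession(store)
    print(session.on_key_exchange("alice", ALICE_KEY))
    store.trust("alice", ALICE_KEY)
    try:
        session.on_key_exchange("alice", INJECTED_KEY)
    except KeyChangeRejected as exc:
        print("rejected:", exc)
```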

2 Engagement Structure

2.1 Internal and External Teams
The iSEC team has the following primary members:
• Alban Diquet — Security Engineer
  alban@
• David Thiel — Security Engineer
  david@
• Scott Stender — Security Engineer
  scott@
• Aaron Grattafiori — Account Manager
  aaron@
• Tom Ritter — Account Manager
  tritter@
The Open Technology Fund team has the following primary members:
• Dan Meredith — Open Technology Fund
  meredithd@
The CryptoCat team has the following primary members:
• Nadim Kobeissi — CryptoCat Project
  nadim@crypto.cat

3 Detailed Findings

3.1 Classifications
The following section describes the classes, severities, and exploitation difficulty rating assigned to each identified issue by iSEC.

Vulnerability Classes
Class                 Description
Access Controls       Related to authorization of users, and assessment of rights
Auditing and Logging  Related to auditing of actions, or logging of problems
Authentication        Related to the identification of users
Configuration         Related to security configurations of servers, devices, or software
Cryptography          Related to mathematical protections for data
Data Exposure         Related to unintended exposure of sensitive information
Data Validation       Related to improper reliance on the structure or values of data
Denial of Service     Related to causing system failure
Error Reporting       Related to the reporting of error conditions in a secure fashion
Patching              Related to keeping software up to date
Session Management    Related to the identification of authenticated users
Timing                Related to the race conditions, locking, or order of operations

Severity Categories
Severity       Description
Informational  The issue does not pose an immediate risk, but is relevant to security best practices or Defense in Depth
Undetermined   The extent of the risk was not determined during this engagement
Low            The risk is relatively small, or is not a risk the customer has indicated is important
Medium         Individual user's information is at risk, exploitation would be bad for client's reputation, of moderate financial impact, possible legal implications for client
High           Large numbers of users, very bad for client's reputation or serious legal implications.

Difficulty Levels
Difficulty     Description
Undetermined   The difficulty of exploit was not determined during this engagement
Low            Commonly exploited, public tools exist or can be scripted that exploit this flaw
Medium         Attackers must write an exploit, or need an in depth knowledge of a complex system
High           The attacker must have privileged insider access to the system, may need to know extremely complex technical details or must discover other weaknesses in order to exploit this issue

3.2 Vulnerabilities
The following table is a summary of iSEC's identified vulnerabilities. Subsequent pages of this report detail each of the vulnerabilities, along with short and long term remediation advice.

CryptoCat iOS
Addendum (3/15/14): The iOS application was in-development code that at time of testing was available only in a pre-production form on GitHub and not distributed via the App Store. The CryptoCat team had time to review the vulnerabilities prior to publication in the App Store and claims to have addressed them; however, iSEC has not validated any fixes and cannot make any claims to the current status of any vulnerabilities.

Vulnerability                                                              Class              Severity
1. XMPP connection vulnerable to StartTLS stripping                        Data Exposure      High
2. Private messages are logged in plaintext                                Data Exposure      High
3. Private key stored in plaintext on local storage                        Data Exposure      High
4. Information leaking from iOS screenshots                                Data Exposure      Medium
5. Lack of return value checking for sensitive function calls              Configuration      Medium
6. HMAC validation timing attack                                           Cryptography       Medium
7. Crashes triggered by malformed multi-party messages                     Denial of Service  Low
8. Public key data logged locally                                          Data Exposure      Low
9. Autocorrection leaks information to disk                                Data Exposure      Low
10. Precompiled OpenSSL binaries in TBMultipartyProtocolManager            Patching           Informational
11. Outdated curve25519-donna implementation                               Patching           Informational

Other CryptoCat Components

Vulnerability                                                              Class              Severity
12. CryptoCat's security model relies on unrealistic user requirements     Authentication     High
13. CryptoCat OTR implementation vulnerable to man-in-the-middle attacks   Authentication     High
14. Browser clients — Misleading security UI for SMP identity checking     Authentication     High
15. CryptoCat chat rooms log encrypted messages and can be made persistent Data Exposure      Medium
16. Browser clients — Chat room eavesdropping using a regular XMPP client  Data Exposure      Medium
17. Weak SSL/TLS versions and cipher suites supported by XMPP service      Configuration      Medium

3.3 Detailed Vulnerability List — iOS Client

1. XMPP connection vulnerable to StartTLS stripping
Class: Data Exposure   Severity: High   Difficulty: Medium
FINDING ID: iSEC-RFACC0114-5
TARGETS: The CryptoCat iOS application, as tested between Jan 27 and Feb 7.
DESCRIPTION: When connecting to the XMPP server at crypto.cat:5222, the iOS client does not require StartTLS to be used to encrypt the XMPP stream using SSL/TLS.
Specifically, during the initial XMPP handshake, the server advertises StartTLS within its list of supported Jabber features and the iOS client performs a StartTLS handshake with the server. Subsequent XMPP traffic is then encrypted using SSL/TLS. However, if the server does not advertise support for StartTLS, the iOS client will continue communicating with the server over plaintext XMPP. Consequently, an attacker on the network can modify the initial XMPP handshake to remove StartTLS from the server's advertised features, in order to prevent the iOS client from switching to SSL/TLS. Doing so will result in the client sending subsequent XMPP messages such as encrypted multi-party messages in plaintext, thereby disclosing them to the attacker.
Additionally, while the server at crypto.cat:5222 requires clients to use StartTLS and will close any XMPP stream that does not switch to SSL/TLS, an attacker could still perform the man-in-the-middle attack described above; after preventing the client from using StartTLS, the attacker's script could perform the StartTLS handshake with the server and forward the client's unencrypted traffic to the server over SSL/TLS.
As a proof of concept, a Python script to perform the full attack is available in Appendix A on page 32.
EXPLOIT SCENARIO: An attacker compromised the public WiFi access point at a popular coffee shop. A CryptoCat user connects their iOS device to the access point to get Internet connectivity and then launches the CryptoCat application to join a chat room. The attacker uses a script to strip StartTLS and impersonate the XMPP server to the victim's CryptoCat client, in order to man-in-the-middle the XMPP traffic. The attacker then performs a man-in-the-middle attack against the multi-party protocol key exchange by swapping the victim's public key with the attacker's public keys. The chat participants forget to validate the fingerprints using a side channel and start chatting, thereby allowing the attacker to decrypt all messages exchanged.
SHORT TERM SOLUTION: Modify the code within the iOS client responsible for XMPP connections in order to have it enforce the usage of StartTLS for all connections. The client should terminate any XMPP connection to a server that does not advertise support for StartTLS.
LONG TERM SOLUTION: For XMPP connections to the default CryptoCat XMPP server hosted at crypto.cat:5222, implement certificate pinning within the iOS client to validate the server's SSL certificate during the StartTLS handshake. This can be achieved by embedding the server's SSL certificate in the iOS client and comparing it against the SSL certificate sent by the server upon connection.
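
The short term solution above, like the matching recommendation in section 1.4, comes down to a fail-closed decision on the server's feature list. The following is an added Python example of that decision; it is not the Appendix A script and not CryptoCat code, and the function names and sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


class TlsRequiredError(Exception):
    """TLS cannot be established, so the stream must be closed."""


def _parse(stanza: str) -> ET.Element:
    # XMPP streams never carry a DTD, so refuse one instead of parsing it.
    if "<!DOCTYPE" in stanza or "<!ENTITY" in stanza:
        raise ValueError("DTD not allowed in an XMPP stream")
    return ET.fromstring(stanza)


def next_step(features_xml: str, tls_active: bool) -> str:
    """Return the client's next action after <stream:features/> arrives."""
    features = _parse(features_xml)
    if features.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected <stream:features/>")
    if not tls_active:
        # Fail closed: without a StartTLS offer nothing else is sent.
        if features.find(f"{{{NS_TLS}}}starttls") is None:
            raise TlsRequiredError("StartTLS not advertised; closing stream")
        return "send-starttls"
    # Only the feature list received inside TLS is used for authentication.
    if features.find(f"{{{NS_SASL}}}mechanisms") is None:
        raise ValueError("no SASL mechanisms offered over TLS")
    return "authenticate"


def on_starttls_reply(reply_xml: str) -> str:
    """Handle the answer to <starttls/>; anything but <proceed/> is fatal."""
    reply = _parse(reply_xml)
    if reply.tag == f"{{{NS_TLS}}}proceed":
        return "tls-handshake"
    raise TlsRequiredError("server refused StartTLS; closing stream")


# Constructed sample stanzas (not captured traffic).
XMLNS = f'xmlns:stream="{NS_STREAM}"'
MECHS = f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
GENUINE = (f'<stream:features {XMLNS}>'
           f'<starttls xmlns="{NS_TLS}"><required/></starttls>{MECHS}'
           '</stream:features>')
# Same feature list with the <starttls/> element removed in transit.
STRIPPED = f'<stream:features {XMLNS}>{MECHS}</stream:features>'
PROCEED = f'<proceed xmlns="{NS_TLS}"/>'
FAILURE = f'<failure xmlns="{NS_TLS}"/>'

if __name__ == "__main__":
    print(next_step(GENUINE, tls_active=False))
    try:
        next_step(STRIPPED, tls_active=False)
    except TlsRequiredError as exc:
        print("aborted:", exc)
```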

2. Private messages are logged in plaintext
Class: Data Exposure   Severity: High   Difficulty: Medium
FINDING ID: iSEC-RFACC0114-1
TARGETS: The encodeMessage method in TBOTRManager.m, as tested between Jan 27 and Feb 7.
DESCRIPTION: The iOS application logs the encrypted and unencrypted contents of direct messages, along with the usernames of those sending them, to the Apple System Log. This can expose the information to a malicious third-party application or a physical attacker.

    NSString *newMessage = @"";
    if (newMessageC) {
        newMessage = [NSString stringWithUTF8String:newMessageC];
    }
    otrl_message_free(newMessageC);

    // Both the plaintext and the ciphertext are written to the Apple System Log.
    NSLog(@"-- org message: %@", message);
    NSLog(@"-- encrypted message: %@", newMessage);
    completionBlock(newMessage);
    }];

Listing 1: TBOTRManager/TBOTRManager.m

2014-01-28 13:19:48.664 Cryptocat[27655:70b] !!! executing the completion block, (1) pending
2014-01-28 13:19:48.664 Cryptocat[27655:70b] -- will encode message from testisec4@conference.crypto.cat/fakedavid to testisec4@conference.crypto.cat/simu
2014-01-28 13:19:48.665 Cryptocat[27655:70b] policy_cb
2014-01-28 13:19:48.665 Cryptocat[27655:70b] convert_data_cb
2014-01-28 13:19:48.665 Cryptocat[27655:70b] -- org message: I hope nobody reads my secret message!
2014-01-28 13:19:48.666 Cryptocat[27655:70b] -- encrypted message:
?OTR:AAMD/Wku/
Ks2Ls0AAAAAAQAAAAEAAADAhfttytd4iXxc7BRfacEajOMLLNEssNstEaj7g9vMVYCVzKvpcfS9K9Ub8kaggIsXBTZ9fhZHQ3tgWOsQOjtotoCGRrpo
/ByZGSiEfye0NGrLwAsVesV0AYPAr8JtzoB5xXanVU6FHyQ+qAVUKSsHhy70+X9iGgBZU+KUqrlFLwVN73mcRp9q4HIy+huiNEXnCgJBHnXRhWpFVc7cOglioz+Z8InpAvQGZqzOQ/jJcGP5zaL8l1gUgvPcuexJGF+5AAAAAAAAAAIAAAAn3SMntmZaPzlKFs5+kkpz2skCy5gpq6vNkfr6Fvdi1qSowaicEYKKUpphJfte+DsNax/rwlF1JRP4FaYAAAAA.

EXPLOIT SCENARIO: A malicious application on a device running iOS 6 directly reads user messages out of the Apple System Log, constituting a breach of confidentiality. On iOS 7, a similar attack is possible but currently would require physical possession of the device or that the device be jailbroken.
SHORT TERM SOLUTION: Use a define to enable NSLog statements for development and debugging, and disable these before shipping the software. This can be done by putting the following code into the appropriate PREFIX_HEADER (*.pch) file:

    #ifdef DEBUG
    #   define NSLog(...) NSLog(__VA_ARGS__)
    #else
    #   define NSLog(...)
    #endif

LONG TERM SOLUTION: Consider using breakpoint actions [2] to do logging; these can be more convenient in some circumstances, and do not result in data being written to the system log when deployed.
[2] /questions/558568/how-do-i-debug-with-nsloginside-of-the-iphone-simulator

FINDING ID: iSEC-RFACC0114-2
TARGETS: The CryptoCat iOS application, as tested between Jan 27 and Feb 7.
DESCRIPTION: Upon receiving a request for generation of an OTR private key, the application calculates the key and writes it to the local filesystem in plaintext. This allows for recovery of the key from the device itself, as well as from device backups on the desktop and from Apple's iCloud service (as all contents of the Documents folder are synced to iCloud).

Listing 2: TBOTRManager/TBOTRManager.m

2014-01-28 13:11:07.168 Cryptocat[27655:1303] !!! will generate the private key on bg thread
2014-01-28 13:11:10.698 Cryptocat[27655:1303] !!! private key calculated
2014-01-28 13:11:10.699 Cryptocat[27655:70b] !!! private key path: /Users/dthiel/Library/Application Support/iPhone Simulator/7.0/Applications/300D6DAB-9120-4C14-8C3B-7B53352B4743/Documents/private-key
2014-01-28 13:11:10.700 Cryptocat[27655:70b] !!! finishing the private key generation on main thread

Listing 3: Logs from the application upon generating the private key

EXPLOIT SCENARIO: A government compels Apple to disclose some or all CryptoCat private keys stored on their iCloud service, using these keys to decrypt past communications. Alternatively, law enforcement forensically analyzes the device itself to extract the key.
SHORT TERM SOLUTION: Store this private key in the Keychain, with accessibility attributes that prevent