Hi, 
Guest
Pic
Sign In

websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

Re: [WEB SECURITY] json, iphone, objectivec

W
WebAppSec@CoreForm
Thu, Mar 10, 2011 1:45 AM

hello, im looking about best oractices regarding consuming json via
fat mobile application and especially iphone/ipad application
developed with objectiveC.

thanks

That's a rather broad question. Given you've posted on this mailing
list, I'll answer purely from a security perspective and also only
from the perspective of your App:

Also assuming your App (the fat client) is running on a phone that is
not jailbroken and the App has been obtained via the App Store (and
thus has been analysed and allowed by Apple, so it "shouldn't" allow
easter eggs)...

To mitigate potential man-in-the-middle attacks, pull the JSON data
over a secure channel (HTTP + SSL/TLS = https). iOS won't allow
connections using self-signed certificates, unless you add other
authorities.

The fat client should not trust data from the cloud, so it would be
best to validate data before using it within logic. That's to help
prevent logic attacks.

Then, depending on the context in which the data is to be used you may
need to ensure there's no chance of, say, SQL injection within a SQL
query or XSS in a UIWebView, for examples.

Beyond that, you certainly shouldn't store any sensitive data in
keychains as that data will persist beyond the lifetime of your App
(if your App is ever uninstalled).

Hope that helps,

Linden

> hello, im looking about best oractices regarding consuming json via > fat mobile application and especially iphone/ipad application > developed with objectiveC. > > thanks That's a rather broad question. Given you've posted on this mailing list, I'll answer purely from a security perspective and also only from the perspective of your App: Also assuming your App (the fat client) is running on a phone that is not jailbroken and the App has been obtained via the App Store (and thus has been analysed and allowed by Apple, so it "shouldn't" allow easter eggs)... To mitigate potential man-in-the-middle attacks, pull the JSON data over a secure channel (HTTP + SSL/TLS = https). iOS won't allow connections using self-signed certificates, unless you add other authorities. The fat client should not trust data from the cloud, so it would be best to validate data before using it within logic. That's to help prevent logic attacks. Then, depending on the context in which the data is to be used you may need to ensure there's no chance of, say, SQL injection within a SQL query or XSS in a UIWebView, for examples. Beyond that, you certainly shouldn't store any sensitive data in keychains as that data will persist beyond the lifetime of your App (if your App is ever uninstalled). Hope that helps, Linden
DR
David Rajchenbach-Teller
Thu, Mar 10, 2011 9:40 AM

Still from a broad security perspective.

The fact that you're writing the application in Objective-C plays for you. Indeed, while JSON by itself is neither safe/secure nor unsafe/unsecure, JSON-manipulation libraries in JavaScript often rely on an [eval()] as a fallback for compatibility with older browsers, and this is a very good place to attack an application. Many JSON-manipulation libraries in other dynamic languages rely on the same kind of tricks ([setattr()], etc.), providing the same kind of attack vector, but without the JavaScript sandbox, which makes them even better candidates for attacks.

Now, afaik, there is no such unsafe/unsecure JSON-manipulation library in Objective-C. However, the usual precautions still apply: don't use [char*] (good candidate for attack), only [NSString] (much more robust, not to mention more convenient), etc. – and ensure that your JSON library does the same.

Hope this helps,
David

On Mar 10, 2011, at 2:45 AM, WebAppSec@CoreForm wrote:

hello, im looking about best oractices regarding consuming json via
fat mobile application and especially iphone/ipad application
developed with objectiveC.

thanks

That's a rather broad question. Given you've posted on this mailing list, I'll answer purely from a security perspective and also only from the perspective of your App:

--
David Rajchenbach-Teller
Head of R&D
MLstate

Still from a broad security perspective. The fact that you're writing the application in Objective-C plays for you. Indeed, while JSON by itself is neither safe/secure nor unsafe/unsecure, JSON-manipulation libraries in JavaScript often rely on an [eval()] as a fallback for compatibility with older browsers, and this is a very good place to attack an application. Many JSON-manipulation libraries in other dynamic languages rely on the same kind of tricks ([setattr()], etc.), providing the same kind of attack vector, but without the JavaScript sandbox, which makes them even better candidates for attacks. Now, afaik, there is no such unsafe/unsecure JSON-manipulation library in Objective-C. However, the usual precautions still apply: don't use [char*] (good candidate for attack), only [NSString] (much more robust, not to mention more convenient), etc. – and ensure that your JSON library does the same. Hope this helps, David On Mar 10, 2011, at 2:45 AM, WebAppSec@CoreForm wrote: > > > hello, im looking about best oractices regarding consuming json via > > fat mobile application and especially iphone/ipad application > > developed with objectiveC. > > > > thanks > > That's a rather broad question. Given you've posted on this mailing list, I'll answer purely from a security perspective and also only from the perspective of your App: -- David Rajchenbach-Teller Head of R&D MLstate
NT
Neaves, Tom
Fri, Mar 11, 2011 2:20 PM

Linden,

I agree with everything you said except the comment you made about
mitigating mobile MiTM attacks by using SSL and the "iOS won't allow
connections using self-signed certificates, unless you add other
authorities" statement.  I have successfully MiTM'd a number of iOS
applications pulling JSON data over HTTPS simply by using a transparent
proxy (e.g. Mallory*).  If you want to stop this then you need to hard
code the certificate check into your iOS application like a number of
banking iOS applications already do so.

*<plug>
http://blog.tomneaves.com/post/3523418896/using-mallory-and-airbase-ng-t
o-mitm-mobile </plug>

Cheers,
Tom

From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of
WebAppSec@CoreForm
Sent: 10 March 2011 01:45
To: application.secure@gmail.com; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] json, iphone, objectivec

hello, im looking about best oractices regarding consuming json via
fat mobile application and especially iphone/ipad application
developed with objectiveC.

thanks

That's a rather broad question. Given you've posted on this mailing
list, I'll answer purely from a security perspective and also only from
the perspective of your App:

Also assuming your App (the fat client) is running on a phone that is
not jailbroken and the App has been obtained via the App Store (and thus
has been analysed and allowed by Apple, so it "shouldn't" allow easter
eggs)...

To mitigate potential man-in-the-middle attacks, pull the JSON data over
a secure channel (HTTP + SSL/TLS = https). iOS won't allow connections
using self-signed certificates, unless you add other authorities.

The fat client should not trust data from the cloud, so it would be best
to validate data before using it within logic. That's to help prevent
logic attacks.

Then, depending on the context in which the data is to be used you may
need to ensure there's no chance of, say, SQL injection within a SQL
query or XSS in a UIWebView, for examples.

Beyond that, you certainly shouldn't store any sensitive data in
keychains as that data will persist beyond the lifetime of your App (if
your App is ever uninstalled).

Hope that helps,

Linden

Verizon UK Limited - registered in England & Wales - registered number 2776038 - registered office at Reading International Business Park, Basingstoke Road, Reading, Berkshire, UK RG2 6DA - VAT number 823 8170 33

Linden, I agree with everything you said except the comment you made about mitigating mobile MiTM attacks by using SSL and the "iOS won't allow connections using self-signed certificates, unless you add other authorities" statement. I have successfully MiTM'd a number of iOS applications pulling JSON data over HTTPS simply by using a transparent proxy (e.g. Mallory*). If you want to stop this then you need to hard code the certificate check into your iOS application like a number of banking iOS applications already do so. *<plug> http://blog.tomneaves.com/post/3523418896/using-mallory-and-airbase-ng-t o-mitm-mobile </plug> Cheers, Tom ________________________________ From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of WebAppSec@CoreForm Sent: 10 March 2011 01:45 To: application.secure@gmail.com; websecurity@webappsec.org Subject: Re: [WEB SECURITY] json, iphone, objectivec > hello, im looking about best oractices regarding consuming json via > fat mobile application and especially iphone/ipad application > developed with objectiveC. > > thanks That's a rather broad question. Given you've posted on this mailing list, I'll answer purely from a security perspective and also only from the perspective of your App: Also assuming your App (the fat client) is running on a phone that is not jailbroken and the App has been obtained via the App Store (and thus has been analysed and allowed by Apple, so it "shouldn't" allow easter eggs)... To mitigate potential man-in-the-middle attacks, pull the JSON data over a secure channel (HTTP + SSL/TLS = https). iOS won't allow connections using self-signed certificates, unless you add other authorities. The fat client should not trust data from the cloud, so it would be best to validate data before using it within logic. That's to help prevent logic attacks. Then, depending on the context in which the data is to be used you may need to ensure there's no chance of, say, SQL injection within a SQL query or XSS in a UIWebView, for examples. Beyond that, you certainly shouldn't store any sensitive data in keychains as that data will persist beyond the lifetime of your App (if your App is ever uninstalled). Hope that helps, Linden Verizon UK Limited - registered in England & Wales - registered number 2776038 - registered office at Reading International Business Park, Basingstoke Road, Reading, Berkshire, UK RG2 6DA - VAT number 823 8170 33
TB
Tim Brown
Fri, Mar 11, 2011 8:51 PM

On Friday 11 March 2011 14:20:14 Neaves, Tom wrote:

Linden,

I agree with everything you said except the comment you made about
mitigating mobile MiTM attacks by using SSL and the "iOS won't allow
connections using self-signed certificates, unless you add other
authorities" statement.  I have successfully MiTM'd a number of iOS
applications pulling JSON data over HTTPS simply by using a transparent
proxy (e.g. Mallory*).  If you want to stop this then you need to hard
code the certificate check into your iOS application like a number of
banking iOS applications already do so.

*<plug>
http://blog.tomneaves.com/post/3523418896/using-mallory-and-airbase-ng-t
o-mitm-mobile </plug>

<braindump> Totally agree, I've reported exactly this issue in the past on code reviews. You also need to watch out for format string bugs. Also the use of web controls to render client content. You have apps which communicate between web content and the native iOS with developers injecting code into the web view and triggering alerts which the native code traps base on the content of the alert. How about the use of "legacy APIs". Whilst most developers will use the ObjectiveC string routines, keep an eye out for malloc() and friends. The comment about JSON is also true and something that deserves scrutiny if developers are doing funny things to parse it. Use of sqlite? URL handlers? Both worth looking at. On a tangent, don't dismiss the traditional flaws, I've seen problems in business logic, things like whether the app locks out if the session is idle, registration systems that allow the user to submit a telephone number as part of an SMS based registration system (think premium rate SMS scams). </braindump>

Tim

Tim Brown
mailto:tmb@65535.com

On Friday 11 March 2011 14:20:14 Neaves, Tom wrote: > Linden, > > I agree with everything you said except the comment you made about > mitigating mobile MiTM attacks by using SSL and the "iOS won't allow > connections using self-signed certificates, unless you add other > authorities" statement. I have successfully MiTM'd a number of iOS > applications pulling JSON data over HTTPS simply by using a transparent > proxy (e.g. Mallory*). If you want to stop this then you need to hard > code the certificate check into your iOS application like a number of > banking iOS applications already do so. > > *<plug> > http://blog.tomneaves.com/post/3523418896/using-mallory-and-airbase-ng-t > o-mitm-mobile </plug> <braindump> Totally agree, I've reported exactly this issue in the past on code reviews. You also need to watch out for format string bugs. Also the use of web controls to render client content. You have apps which communicate between web content and the native iOS with developers injecting code into the web view and triggering alerts which the native code traps base on the content of the alert. How about the use of "legacy APIs". Whilst most developers will use the ObjectiveC string routines, keep an eye out for malloc() and friends. The comment about JSON is also true and something that deserves scrutiny if developers are doing funny things to parse it. Use of sqlite? URL handlers? Both worth looking at. On a tangent, don't dismiss the traditional flaws, I've seen problems in business logic, things like whether the app locks out if the session is idle, registration systems that allow the user to submit a telephone number as part of an SMS based registration system (think premium rate SMS scams). </braindump> Tim -- Tim Brown <mailto:tmb@65535.com>
signature.asc (836 bytes)
Empathy v1.0   2024 ©Harmonylists.com