Graphical User Interface Security – The Real Risk of Race Conditions

by Marc Ruef

Source code analyses are used to identify vulnerabilities in software. The traditional approach here is to concentrate on sequential procedures initiated by specific user input. But this ignores the logic of the graphical user interface (GUI), which means that vulnerabilities can easily be overlooked.

0-day Vulnerability in iPad App

On August 31, 2017, we discovered a vulnerability in Mirmay’s popular Secure Private Browser app. We alerted the developer team straight away.

The app provides a browser that is protected by local authentication (PIN or Touch ID). As soon as the user leaves the app, all open pages are closed, so when the app is re-opened the user must complete the local authentication on the device again before any content becomes accessible. Even in the preview of the multitasking switcher, only the login screen is shown. Once the user has closed the app, third parties can therefore no longer see the last site that was visited – a feature that is already widespread in mobile banking apps.

A race condition makes it possible to create, even inadvertently, a situation in which this automatic lock no longer works properly.

The Exploit

The following steps are required to exploit this vulnerability:

  1. Open the Secure Private Browser app
  2. Authenticate within the app
  3. Play a video (e.g. on YouTube)
  4. Minimize the video
  5. Close the Secure Private Browser app (video now plays in minimized format)
  6. Maximize the video
  7. Cancel the iOS authentication
  8. Close the Secure Private Browser app
  9. Open the multitasking switcher by double-clicking on the home button ⇒ video appears in preview (vulnerability 1)
  10. Cancel the authentication ⇒ video can be played (vulnerability 2)

A few criteria must be met for this vulnerability to occur and be exploited; in essence, a certain degree of unintended use is required. Still, the situation can arise by accident, and it nullifies the core security function of the app.

Technical Background

Without access to the code, it is difficult to reconstruct the technical conditions behind this vulnerability with complete accuracy.

However, there is an indication that the app does not enforce the correct sequence of actions at this specific point. When the app is resumed while a minimized video is still playing, it should first close the video or cover it with an overlay, and only then invoke LocalAuthentication so that the modal authentication dialog is displayed on top of a blank screen rather than on top of the protected content. The basic LocalAuthentication call looks as follows:

import Foundation
import LocalAuthentication

let myContext = LAContext()
// Text shown in the system dialog; the wording here is an example, not the app's own
let myLocalizedReasonString = "Unlock the browser to continue"

var authError: NSError? = nil
if #available(iOS 8.0, macOS 10.12, *) {
    // Check first whether biometric authentication is available and enrolled on this device
    if myContext.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &authError) {
        myContext.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: myLocalizedReasonString) { success, evaluateError in
            // The reply block is called on a private queue; dispatch any UI update to the main queue
            if success {
                // User authenticated successfully, take appropriate action (e.g. remove the overlay)
            } else {
                // User did not authenticate successfully or cancelled; inspect evaluateError
                // and keep the protected content covered
            }
        }
    } else {
        // Could not evaluate policy; look at authError and present an appropriate message to the user
    }
} else {
    // Fallback on earlier versions
}
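To make the ordering problem tangible, the following Python model (an added example, not the app's or the author's code) replays the ten steps above against two lock implementations: a "lazy" one that shows the authentication prompt first and relies on the login view being underneath, and a "strict" one that stops media and covers the screen before any prompt is shown. The state names and the two variants are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class LockModel:
    """Constructed model of a PIN/Touch ID locked app (not the real app). strict=True
    stops media and covers the screen before any prompt; strict=False prompts first."""
    strict: bool
    authenticated: bool = False
    media: Optional[str] = None   # None, "minimized" (picture-in-picture) or "fullscreen"
    overlay: bool = False         # opaque privacy view covering all content
    prompt_open: bool = False     # LocalAuthentication dialog currently on top

    def visible(self) -> str:     # what the screen, and hence the switcher preview, shows
        if self.overlay:
            return "lock overlay"
        return "video" if self.media else ("browser" if self.authenticated else "login")
    def resign_active(self) -> None:        # user leaves the app
        self.authenticated = False          # both variants drop the session ...
        if self.strict:                     # ... but only strict tears media down right away
            self.media, self.overlay = None, True
    def become_active(self) -> None:        # app resumed
        if self.strict:
            self.overlay = True             # cover first, then ask for credentials
        self.prompt_open = True
    def finish_auth(self, success: bool) -> None:
        self.prompt_open = False
        if success:
            self.authenticated, self.overlay = True, False
        # on cancel the strict overlay stays; lazy keeps whatever view was underneath
    def play(self) -> bool:                 # start a video in the browser
        if self.authenticated:
            self.media = "fullscreen"
        return self.authenticated
    def resize(self, state: str) -> bool:   # "minimized" or "fullscreen"
        if self.media is None:              # strict already stopped playback
            return False
        self.media = state
        return True

def replay_article_sequence(strict: bool) -> Tuple[str, str]:
    """Replays steps 1-10; returns (switcher preview at step 9, screen after step 10)."""
    app = LockModel(strict)
    app.become_active(); app.finish_auth(True)        # 1-2 open app, authenticate
    app.play(); app.resize("minimized")               # 3-4 play a video, minimize it
    app.resign_active(); app.resize("fullscreen")     # 5-6 close app, maximize the video
    app.become_active(); app.finish_auth(False)       # 6-7 app resumes, cancel the prompt
    app.resign_active(); preview = app.visible()      # 8-9 close app, switcher preview
    app.become_active(); app.finish_auth(False)       # 10 reopen, cancel again
    return preview, app.visible()
```

With strict=False the replay yields "video" for both the switcher preview and the screen after the cancelled prompt, reproducing the two observed weaknesses; with strict=True both are "lock overlay", while the ordinary lock behaviour (login screen after leaving the app without a video) is unchanged in either variant.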

Conclusion

Developing secure software is not easy, especially when parallelization, multi-threading and multi-tasking are involved. Concretely, the difficulty stems from the departure from purely sequential execution, which introduces complex race conditions. Discovering, analyzing and correcting this class of vulnerability is difficult and therefore highly unpopular (this may well be why the manufacturer has not responded at all since we notified them of the vulnerability).

Yet this is precisely why intensive, focused examination of software at this level is so important. Modern GUIs expose numerous events that can be triggered through the various controls, and anyone who wants to develop secure software with a GUI must keep all of them under control. That is certainly no easy task.

About the Author

Marc Ruef

Marc Ruef has been working in information security since the late 1990s. He is well known for his many publications and books; the most recent, The Art of Penetration Testing, discusses security testing in detail. He is a lecturer at several institutions, including ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)
