Marc Ruef
Source code analyses are used to identify vulnerabilities in software. The traditional approach here is to concentrate on sequential procedures initiated by specific user input. But this ignores the logic of the graphical user interface (GUI), which means that vulnerabilities can easily be overlooked.
On August 31, 2017, we discovered a vulnerability in Mirmay’s popular Secure Private Browser app. We alerted the developer team straight away.
The app can be used to run a secure browser. It functions as a dedicated app which can be secured with authentication (PIN or Touch ID), but as soon as the user exits the app, all open pages are closed. This means that when the app is re-opened, the user has to complete the local authentication process on the device once again before they can access content. Even when the app is shown in the preview of the multitasking switcher, only the login screen is visible. This means that once the user closes the app, third parties can no longer see the last site accessed – a feature already widespread in mobile banking apps.
A race condition opens up the possibility of inadvertently creating a situation in which this automatic lock fails to function properly.
The following steps are required to exploit this vulnerability:
A few criteria must be met for this vulnerability to occur and be exploited. Basically, a certain degree of incorrect use is required. Still, it is possible to inadvertently create this situation and thus nullify the core security function of the app.
Without access to the code, it is difficult to reconstruct the technical conditions behind this vulnerability with complete accuracy.
However, there is an indication that the app doesn’t correctly follow the sequence of actions at this specific point. When the video minimizes and the app opens again, LocalAuthentication should be used to close the video or display an overlay before the initial authentication. Only then should the modal dialog box for authentication be displayed.
    import LocalAuthentication

    let myContext = LAContext()
    let myLocalizedReasonString = "String explaining why app needs authentication"
    var authError: NSError?

    if #available(iOS 8.0, macOS 10.12, *) {
        if myContext.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &authError) {
            myContext.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                     localizedReason: myLocalizedReasonString) { success, evaluateError in
                // The reply block is not called on the main thread; dispatch UI work to it.
                if success {
                    // User authenticated successfully, take appropriate action
                } else {
                    // User did not authenticate successfully, look at error and take appropriate action
                }
            }
        } else {
            // Could not evaluate policy; look at authError and present an appropriate message to user
        }
    } else {
        // Fallback on earlier versions
    }
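The ordering described above (cover or close the content first, show the authentication dialog second, reveal content only on success) can be enforced in one place. The following is an added example, not code from the app or its vendor; the class AppLockCoordinator, its method names and the reason string are assumptions, and it uses the device passcode fallback policy rather than an app-specific PIN.

```swift
import UIKit
import LocalAuthentication

// Hypothetical coordinator; class and method names are assumptions, not the app's code.
final class AppLockCoordinator: NSObject {
    private let window: UIWindow
    private var cover: UIView?           // opaque view hiding content while locked
    private var promptPending = false    // exactly one automatic prompt per lock

    init(window: UIWindow) {
        self.window = window
        super.init()
        let nc = NotificationCenter.default
        nc.addObserver(self, selector: #selector(lock),
                       name: UIApplication.didEnterBackgroundNotification, object: nil)
        nc.addObserver(self, selector: #selector(resume),
                       name: UIApplication.didBecomeActiveNotification, object: nil)
    }

    // Step 1, synchronous on the main thread before suspension: close modal content, cover the UI.
    @objc private func lock() {
        guard cover == nil else { return }
        window.rootViewController?.dismiss(animated: false)  // e.g. a presented video player
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .black
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        // Tapping the cover retries after a failed or cancelled attempt.
        view.addGestureRecognizer(UITapGestureRecognizer(target: self, action: #selector(authenticate)))
        window.addSubview(view)
        cover = view
        promptPending = true
    }

    @objc private func resume() {
        guard promptPending else { return }  // ignore activations caused by the prompt itself
        promptPending = false
        authenticate()
    }

    // Step 2: the authentication dialog is shown only while the cover is in place.
    @objc private func authenticate() {
        guard cover != nil else { return }
        let context = LAContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else { return } // fail closed
        context.evaluatePolicy(.deviceOwnerAuthentication,
                               localizedReason: "Unlock the browser") { [weak self] success, _ in
            DispatchQueue.main.async {       // the reply block runs on a private queue
                guard success, let self = self else { return }
                self.cover?.removeFromSuperview(); self.cover = nil
            }
        }
    }
}
```

Because the cover is removed only inside the success path, any event ordering that skips or interrupts the prompt leaves the content hidden rather than exposed.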
Developing secure software is not easy, especially when parallelization, multi-threading and multi-tasking are involved. In concrete terms, this is due to a deviation from purely sequential executions, which introduces the problem of complex race conditions. Discovering, analyzing and correcting this class of vulnerability is difficult and, therefore, highly unpopular (this may well be why the manufacturer has not responded at all since we notified them of the vulnerability).
Yet this is precisely why intensive, focused examination of software at this level is so important. With modern GUIs there are numerous different events which can be executed through the various controls. Anyone who wishes to develop secure software with GUIs must have a handle on all of this. And that is certainly no easy task.