NowSecure dynamic analysis: Password Leaked to Device Logs

[lcimeni]

Finding Description

Password has been found within Apple System Logs.

Data written to device system logs can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust relationship. Attackers can also access this data via another app if that app is able to view the device system logs. This vulnerability is common on various OEM devices.

Steps to Reproduce

Examine iOS device logs associated with the app by using Xcode's console log reader. https://developer.apple.com/documentation/os/logging/viewing_log_messages

In NowSecure's testing, a probe identifies which log writing methods are observed during static binary analysis.

Business Impact

The app is insecurely storing sensitive data on the device which can lead to unauthorized access to the user's account and data by anyone with access to the device. Reuse of passwords can lead to further compromise of a user's accounts and additional exposure to risk for the organization.

Remediation Resources

Recommended Fix

Applications in production should not output logging information. If logs must be generated, they should not include sensitive information. More details and code snippets can be found at https://developer.apple.com/documentation/os/logging/generating_log_messages_from_your_code

The evidence table identifies the logging messages that were observed containing the data specified.

Please note that certain hybrid frameworks may have custom log functionality that needs to be disabled before app compilation.

Code Samples

Bad Code Sample (.swift)

let userAge : Int = getUserAge()
Logger().info("User's age: \(userAge, privacy: .public)")

Good Code Sample (.swift)

let userAge : Int = getUserAge()
// Hide the user's age.
Logger().info("User's age: \(userAge, privacy: .private)")

Additional Guidance

• This Apple Developer article discusses best practices for logging: https://developer.apple.com/documentation/os/logging/generating_log_messages_from_your_code
• The 3rd party tool Swifty Beaver can help remove logging code. Ensure that any 3rd party tools or libraries meet the organization's development and security standards prior to use. NowSecure's testing can evaluate the 3rd party tools or libraries as a part of our automated app testing processes. https://github.com/SwiftyBeaver/SwiftyBeaver

Risk and Regulatory Information

Severity: medium CVSS: 5.5

• CWE: 312, 532
• FISMA MED: SC-28 PROTECTION OF INFORMATION AT REST
• Risk OWASP: Mobile Top 10: M2-Insecure Data Storage, MASVS 2.3
• GDPR: Risks violating Article 25, Risks violating Article 32
• FFIEC: May violate D3.PC.Am.A.1
• PCI: May violate requirement 3.1 through 3.4
• HIPAA: May violate §164.312(a)(1): Standard: Access control.
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
• CWE Top 25: 2021 CWE Top 25 Most Dangerous Software Errors

Application

• Platform: ios
• Package: com.nowsecure.iOSTestApp7

See more detail in the NowSecure Report