lcimeni / tiktok-ios

NowSecure dynamic analysis: ZIP Code Stored Insecurely On Device #61

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

The ZIP Code specified in the Findings Evidence table has been found within local application folders or external storage locations on the device. Data written to device storage can be accessed through several attack vectors. An attacker who is able to access the charging port may be able to access this data if the user acknowledges the trust or if the device is rooted. Data backup utilities are often able to export local files and, if not encrypted, can be accessed by an attacker in possession of the backup file(s). While malware is also a concern, it is less common than attacks concerning physical device access. If sensitive data is exposed, the data can be used by an adversary to track and phish users, access their account, or circumvent protections within the app.

Steps to Reproduce

Using a jailbroken iOS device, data can be extracted and analyzed from the file paths mentioned in the Findings Evidence table. The extraction can be performed using SSH or other file transfer protocols. These will need to be installed through the jailbreak APT (Cydia or Sileo). Another option is to use the simulator tool that is included with Xcode to extract data from the file storage container. NowSecure's automated testing for this finding examines local application files and storage locations for sensitive data after the app is exercised.

Business Impact

The app is storing a ZIP Code insecurely in local app files. If these local files are not protected by sufficient data protection levels or the device is rooted, anyone with access to the device could gain access to this information. The sensitive information could be used by an attacker to gain unauthorized access to information or services as well as be used to conduct follow-on attacks.

Remediation Resources

Recommended Fix

Sensitive data should not be stored unencrypted in local app files and without the right data protection level. It is highly recommended to encrypt all locally stored sensitive data using a strong encryption algorithm. It is also recommended to set the strongest possible data protection level on the file containing the sensitive data. Review the data protection level(s) set on the file(s) listed in the Findings Evidence section and ensure that they are either NSFileProtectionComplete for complete protection or NSFileProtectionCompleteUntilFirstUserAuthentication to be protected until the user first authenticates to the device. Details and code snippets can be found at https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/encrypting_your_app_s_files. In addition to applying security controls like encryption, it may be necessary to evaluate for uses of cache data, as they may be required to be cleared programmatically. The Findings Evidence table gives the location for the specified sensitive information that was stored insecurely on the device.

Code Samples

Good Code Sample (.swift)

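import Foundation

// get_currently_logged_in_username() and getDocumentsDirectory() are assumed to be helpers defined elsewhere in the app.
let str = get_currently_logged_in_username()
let filename = getDocumentsDirectory().appendingPathComponent("output.txt")

// For the first write: create the file with complete file protection.
// The options: parameter belongs to Data.write(to:options:), so the string is encoded to Data first.
do {
    try Data(str.utf8).write(to: filename, options: .completeFileProtection)
}
catch {
    // Handle errors.
}
// For an existing file: set its protection level to complete.
do {
    try (filename as NSURL).setResourceValue(
        URLFileProtection.complete,
        forKey: .fileProtectionKey)
}
catch {
    // Handle errors.
}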

Additional Guidance

Risk and Regulatory Information

Severity: low
CVSS: 2.3

Application

See more detail in the NowSecure Report