Guided Access Mode Bypass

As a penetration tester who specialises in mobile apps, I get good visibility of how the enterprise is adopting/using/misusing various iOS capabilities and MDM features. One trend I’ve seen increasingly, is the use of ‘Guided Access Mode‘ to lock down devices.

Guided-Access Mode (GAM), for the unfamiliar, locks the device into a single app. It’s typically considered a handy feature for parental guidance, but the official documentation also suggests its effectively the same as the more enterprisey ‘Single App Mode‘; which is true. ‘Single App Mode’ (SAM) does exactly the same thing, but can only be enabled via MDM on a device which is in ‘Supervised’ mode. So it makes sense that organisations which cant easily manage devices use GAM instead. Although many just don’t know that Single App Mode exists.

I’ve seen GAM in the medical, financial, industrial, and retail sectors now. I know that it’s being used to protect highly sensitive data from prying eyes and, in certain scenarios (industrial), I would not be surprised to hear that GAM is defending against life-threatening incidents. That’s a lot of pressure for a parental guidance feature.

I recently performed a penetration test for a prototype self-checkout kiosk/POS solution which used an iPad as the kiosk’s display. Long story short, the solution used Guided Access Mode and, yet again, I was foiled in my attempts to get around it.¬†The test finished a few weeks ago and, not one to give up, i’ve been testing Guided Access mode in my own time. Here’s the bypass ūüėČ:

Continue Reading “Guided Access Mode Bypass”

The Happn’ing

Years ago, one of the first posts I ever wrote was about my experience scripting a bot for the dating site OKCupid. It was just a PoC bashed together over a few beers with a friend.
Since then (and becoming single) I’ve scripted bits and bobs¬†for virtually every major dating site/app… its become a bit of a weird hobby.
A while ago I wrote a reasonably feature-filled script¬†for managing a user account on the dating app Happn,¬†imaginatively called¬†Happn.py”.¬†It was immediately spotted by a few Happn employees on my github, who starred the project, but then prevented it from actually working by blocking the python user-agent on the Happn servers. I made the repo¬†private and updated it to work again, with the intention of spending some more time developing it. That time never really came and I stopped using Happn a while ago, so I made the tool public and this is just a quick post to share it.

Continue Reading “The Happn’ing”

Ready the Anti-BEAM Beam! Breaking the Virgin BEAM app in 12 minutes

I’ve been travelling on Virgin trains a lot recently and finally decided to take a look at their free movie-streaming app “BEAM”.
Super-excited to ¬†be about to watch¬†Forest Gump on my journey, I found that whenever I hit play, the app’s custom video-player decided to freeze and eventually crash the app on my device of choice; an iPhone 6s.
Determined to watch Hanks’ award-winning performance, this is how I figured out the problem and patched it in 12 minutes.

Continue Reading “Ready the Anti-BEAM Beam! Breaking the Virgin BEAM app in 12 minutes”

SQL Injection using System Variables in MySQL

For¬†BSides Manchester 2015, the UK pen-testing company aptly named ‘Pentest Ltd’ held a SQL injection challenge where the injection point required structuring¬†the payload in a specific manner with MySQL voodoo to keep the payload under 90 characters, and bypass a basic WAF.
I was fairly certain the lab could also be accomplished using MySQL variables, but was unable to get the job done. Low and behold, it totally was possible and it turned out I overcomplicated the solution which they revealed could be achieved with the following:

This was something I’d never looked at before, and it just¬†didn’t cross my mind to store the query result and retrieve¬†it using¬†a variable with¬†one hit using a UNION. I was trying to do this over two queries and therefore¬†my variable would always be empty/null when i tried to retrieve it, as MySQL variables are scoped to a SESSION ( a single database connection ), and are emptied after the first query completes and the application closes its connection.
This lead me to going completely down the wrong rabbit hole trying to solve the challenge, but also into discovering something reasonably interesting:¬†SQLi¬†with System Variables. Continue Reading “SQL Injection using System Variables in MySQL”

The OkBot.py

For a while I was trying to do the whole online dating lark. I had some fun with it but¬†the problem with a site like OkCupid (my poison of choice) is that you can never really tell how ‘well’ you are doing. Obviously you are doing well if you are meeting people and having fun in the process or happen to meet the love of your life, but for a competitive narcissist like me; I just¬†wanted to know how i stacked up against other people on the site.
…scratch that. I wanted to be ‘better’ than everyone else ūüėõ
After a few drinks with my very talented programmer buddy david¬†we got talking about this wondered how hard it would be to script something in a few hours to play the online dating game for us,¬†and give us¬†the George Clooney appeal we knew we deserved. The became ‘The OkBot’.

Continue Reading “The OkBot.py”