As a penetration tester who specialises in mobile apps, I get good visibility of how the enterprise is adopting/using/misusing various iOS capabilities and MDM features. One trend I’ve seen increasingly is the use of ‘Guided Access Mode’ to lock down devices.
Guided Access Mode (GAM), for the unfamiliar, locks the device into a single app. It’s typically considered a handy feature for parental guidance, but the official documentation also suggests it’s effectively the same as the more enterprisey ‘Single App Mode’; which is true. ‘Single App Mode’ (SAM) does exactly the same thing, but can only be enabled via MDM on a device which is in ‘Supervised’ mode. So it makes sense that organisations which can’t easily manage devices use GAM instead. Although many just don’t know that Single App Mode exists.
I’ve seen GAM in the medical, financial, industrial, and retail sectors now. I know that it’s being used to protect highly sensitive data from prying eyes and, in certain scenarios (industrial), I would not be surprised to hear that GAM is defending against life-threatening incidents. That’s a lot of pressure for a parental guidance feature.
I recently performed a penetration test for a prototype self-checkout kiosk/POS solution which used an iPad as the kiosk’s display. Long story short, the solution used Guided Access Mode and, yet again, I was foiled in my attempts to get around it. The test finished a few weeks ago and, not one to give up, I’ve been testing Guided Access Mode in my own time. Here’s the bypass 😉:
Continue Reading “Guided Access Mode Bypass”
This is just a short post about toying with the Badoo app for iOS, but it also touches on something ever-so-slightly useful about testing the app-upgrade mechanisms of mobile apps. “Urghh, more dating app hacking” I hear you say. I know, I know, this is getting old. At some point I’ll get a real hobby, I promise.
Continue Reading “Much Badoo About Nothing”
In this (pretty long) post, I’m going to attempt to coin a name for an application vulnerability, most commonly found in mobile apps. This is “App Forgery”.
Continue Reading “‘App Forgery’”
I’ve been travelling on Virgin trains a lot recently and finally decided to take a look at their free movie-streaming app “BEAM”.
Super-excited to be about to watch Forrest Gump on my journey, I found that whenever I hit play, the app’s custom video player decided to freeze and eventually crash the app on my device of choice, an iPhone 6s.
Determined to watch Hanks’ award-winning performance, this is how I figured out the problem and patched it in 12 minutes.
Continue Reading “Ready the Anti-BEAM Beam! Breaking the Virgin BEAM app in 12 minutes”
So the Threema bug I found a few years ago was fairly cool in my opinion, something a bit different anyway. So it was disappointing that Threema didn’t respond to me at all and then released a patched/updated Threema to the App Store with something like “general improvements” in the change-log... lovely... very general.
Well, anyway… process this for a second: “All UI exploits are vulnerabilities in code; but not all vulnerabilities in code are UI exploitable.” This should be pretty obvious… but if you forget it and find a UI bug in an iOS app, you might be passing up a second vulnerability if you’re up against lazy devs. Here’s how the same attack looks today:
Continue Reading “Threema Revisited.”
I sent Threema an email disclosing this and got an auto-reply saying that they commonly take a week to reply to customer messages. Since I hate waiting for things and it’s not a total remote RCE flaw, let’s just put it here for now.
The flaw allows gaining local access to a user’s Threema application, bypassing the local authentication (PIN) and the ‘delete data after 10 failed attempts’ setting.
Continue Reading “Threema Local Authentication Bypass”