Archive

Archive for the ‘iPhone Apps’ Category

Breaking Enterprise iPhone Application Security ?

October 17, 2011 1 comment

There are a couple of enterprise iPhone applications out there that promises over the air and device encryption. (e.g. MS Exchange email sandbox apps).

However, there is a fundamental issue. Some of these iPhone applications are built upon the iOS frameworks like UIViewController which provides the layout of the applications.

It is possible to hook onto these classes on a jailbroken iPhone to perform screen captures of confidential emails in your so called sandbox applications. When used together with a iPhone keyboard logger (https://github.com/milo2012/iPhone-Espionage/tree/master/kbhook2) which hooks on the UIKeyboardImpl class and captures all keystrokes that you have entered, including any passwords.

In this case, if your jailbroken device is compromised, there is only so much you can do even if you are using an iPhone application that provides encryption or security.

Should you allow jailbroken iPhones in your organization?

Should your enterprise application detect if the device is a jailbroken iPhone and exit the application if a jailbroken iPhone is detected ?

Please let me know what you think.

Source code can be found at the below link
https://github.com/milo2012/iPhone-Espionage/tree/master/demoScreenCapture1

Vulnerability for Harry’s Bar iPhone App

September 2, 2011 Leave a comment

Harry’s Bar made this iPhone app which allows its customers to win prizes when patronizing its premises.

It is possible to win the grand prize of a bucket of Harry’s Beer by doing a MITM using Burp or another other proxy tool.

The server name is exhost.se.  As you can see here, they did not prevent directory browsing.

Venues.xml looks interesting, it shows the probability for winning a certain prize as well as the ID for the prizes.

By doing a MITM and change the incoming ID to 6, you will be able to win a bucket of Harry’s Beer every single time.

Categories: iPhone Apps
Follow

Get every new post delivered to your Inbox.