Titanium JIRA Archive
Appcelerator Community (AC)

[AC-6334] App executable in backup

GitHub Issue: n/a
Type: Bug
Priority: n/a
Status: Closed
Resolution: Invalid
Resolution Date: 2019-08-13T13:50:32.000+0000
Affected Version/s: n/a
Fix Version/s: n/a
Components: Appcelerator CLI
Labels: n/a
Reporter: Thomas Lemaitre
Assignee: Shak Hossain
Created: 2019-08-13T05:20:17.000+0000
Updated: 2019-08-13T13:50:32.000+0000

Description

For one of my applications, a company did a penetration test. They discovered that the app executable is present in the backup. NOTE: the application name is replaced by [APP NAME].

This is the technical detail:

The backup of the mobile phone contained the app's main executable. An attacker can use this file to reverse-engineer the functionality of the mobile app.

Backups are a common procedure, in order to guarantee the availability of information. It is not only a critical process in many business-related contexts, but also in private life. Therefore, iOS gives the user the ability to create a local or a cloud-based (iCloud) backup of the data present on the mobile phone. Several mechanisms can be applied by an iOS developer to prevent a user from backing up data from the app's context.

iOS executables are usually delivered encrypted by Apple's iOS App Store, in order to prevent users from reverse-engineering the program flow and other functionality. Thus, a user without a rooted phone wouldn't be able to get an unencrypted version of the executable.

During the observation of the created backup, several executables were discovered in the Documents folder, as can be seen in the following screenshot (see Figure 13).

Figure 13 - Screenshot showing the content of the backed-up Documents folder: https://drive.google.com/file/d/1_EDkPB_jfBAwJyHv0L8Hi6BUKmt2yyCP/view?usp=sharing

The file marked in green on the above screenshot is [APP NAME].fid. This file was identified as a Mach-O 64-bit executable for arm64 processors, as can be seen in the following output of the file command:

$ file [APP NAME].fid
[APP NAME].fid: Mach-O 64-bit executable arm64

Since the main executable of the mobile app had a similar name, we performed a SHA message digest calculation in order to check whether the files are identical.

$ shasum -a 256 [APP NAME].fid
36c4062bb3918818a87d08616ec742526693079ea40e32946534a387403f488b [APP NAME].fid
$ shasum -a 256 [APP NAME]
36c4062bb3918818a87d08616ec742526693079ea40e32946534a387403f488b [APP NAME]

When comparing the output of the above commands, it was observed that the files are indeed identical. That means that the main executable of the app is present unencrypted in the backup. The following screenshot shows an exemplary extract of Objective-C classes and methods retrieved during analysis of the decompiled binary (see Figure 14).

Figure 14 - Exemplary screenshot of Objective-C classes and methods from the decompiled Gluci-Chek.fid binary: https://drive.google.com/file/d/1wA9suNKsNN5eIgAjdIYEWyWsOtqif8qU/view?usp=sharing

It is very uncommon for an app's executable to be stored in the Documents directory. Therefore, we assume that the reason is a misconfiguration. As can be seen in the previous example, giving the user the ability to back up the app's executable also empowers the user to reverse-engineer the program flow and maybe its secret functionality and information.

Recommendations: we recommend checking the configuration in order to prevent the app's executable from being backed up.

END OF technical detail

In a native app, this behavior is not present. Can we exclude the app executable with some configuration? If it's not possible because of the way Titanium works, can you confirm this to us for the technical detail, please? Thank you.
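
The check the pentest report describes (identify Mach-O files in the backed-up Documents folder with `file`, then compare SHA-256 digests against the app's main binary), as an added example that is not part of this ticket, of the pentest report, or of the Titanium SDK: a POSIX shell script that walks an extracted backup directory, flags every file that starts with a Mach-O or fat-binary magic number, and reports which of them are byte-identical to a given app binary. The magic-number check replaces the `file` command so the script does not depend on `file`'s signature database; the directory layout, file names and the usage invocation are assumptions for illustration. Keep the reporter's own resolution in mind when reading a hit from this script: per the closing comment, the finding appeared only on a jailbroken iPhone.

```shell
#!/bin/sh
# Added example, not code from the ticket, the pentest report or Titanium.
# Scans an extracted iOS backup directory for Mach-O executables and
# compares each one against the app's main binary by SHA-256.

# Hex of the first four bytes of a file, lowercase, no separators.
magic4() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the file starts with a Mach-O or fat/universal magic number.
# The on-disk byte order follows the target CPU: feedface / feedfacf are the
# 32-bit / 64-bit magics as stored for big-endian targets, cefaedfe / cffaedfe
# are the same values as stored for little-endian targets (arm64, x86_64),
# and cafebabe is the fat-binary header. Nothing beyond the magic is parsed.
is_macho() {
    case "$(magic4 "$1")" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the path of every regular file under $1 that looks like Mach-O.
find_macho() {
    find "$1" -type f | while IFS= read -r f; do
        if is_macho "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# SHA-256 of a file, using sha256sum (Linux) or shasum (macOS) as available.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if two files have the same SHA-256, i.e. are byte-identical.
same_binary() {
    [ "$(sha256 "$1")" = "$(sha256 "$2")" ]
}

# Usage (assumed invocation): sh backup_scan.sh <extracted-backup-dir> <app-main-binary>
if [ "$#" -eq 2 ]; then
    find_macho "$1" | while IFS= read -r f; do
        if same_binary "$f" "$2"; then
            printf 'MATCH: %s is identical to %s\n' "$f" "$2"
        else
            printf 'mach-o: %s (differs from app binary)\n' "$f"
        fi
    done
fi
```

A match means the unencrypted main executable really is inside the backup; a Mach-O hit that differs from the app binary is worth a second look too, since the Documents folder of an app should normally contain no executables at all.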

Comments

  1. Jan Vennemann 2019-08-13

    Could they provide reproduction steps? What kind of backup are we talking about here? iTunes device backup? Local? iCloud? Something else? The text description is very general and has no instructions on how we could reproduce the behavior.
  2. Thomas Lemaitre 2019-08-13

    Sorry for this task, it's a false positive coming from the pen test team. It will only appear on one jailbroken iPhone. We can close it.
