{
	"id": "174010",
	"key": "AC-6334",
	"fields": {
		"issuetype": {
			"id": "1",
			"description": "A problem which impairs or prevents the functions of the product.",
			"name": "Bug",
			"subtask": false
		},
		"project": {
			"id": "12217",
			"key": "AC",
			"name": "Appcelerator - INBOX",
			"projectCategory": {
				"id": "10000",
				"description": "",
				"name": "Customer Service"
			}
		},
		"resolution": {
			"id": "7",
			"description": "",
			"name": "Invalid"
		},
		"resolutiondate": "2019-08-13T13:50:32.000+0000",
		"created": "2019-08-13T05:20:17.000+0000",
		"labels": [],
		"versions": [],
		"issuelinks": [
			{
				"id": "57809",
				"type": {
					"id": "10003",
					"name": "Relates",
					"inward": "relates to",
					"outward": "relates to"
				},
				"outwardIssue": {
					"id": "174001",
					"key": "TIMOB-27326",
					"fields": {
						"summary": "iOS: three different issues regarding caching for an iOS device and others",
						"status": {
							"description": "A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.",
							"name": "Resolved",
							"id": "5",
							"statusCategory": {
								"id": 3,
								"key": "done",
								"colorName": "green",
								"name": "Done"
							}
						},
						"priority": {
							"name": "None",
							"id": "6"
						},
						"issuetype": {
							"id": "7",
							"description": "gh.issue.story.desc",
							"name": "Story",
							"subtask": false
						}
					}
				}
			}
		],
		"assignee": {
			"name": "shossain",
			"key": "shossain",
			"displayName": "Shak Hossain",
			"active": false,
			"timeZone": "America/Los_Angeles"
		},
		"updated": "2019-08-13T13:50:32.000+0000",
		"status": {
			"description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.",
			"name": "Closed",
			"id": "6",
			"statusCategory": {
				"id": 3,
				"key": "done",
				"colorName": "green",
				"name": "Done"
			}
		},
		"components": [
			{
				"id": "14552",
				"name": "Appcelerator CLI",
				"description": "Please enter tickets related to Tooling and the CLI here"
			}
		],
		"description": "For one of my application, a company fo a penetration test. They discovered that app Executables is present in Backup.\r\n\r\nNOTE : the application app name is replace by [APP NAME]\r\n\r\n+This is the technical detail :+\r\n\r\nThe backup of the mobile phone contained the apps main executable. An attacker can use this file to reverse-engineer the functionalities of the mobile app.\r\n\r\nBackups are a common procedure, in order to guarantee the availability of information. It’s not only a critical process in many business-related contexts, but also in private life. Therefore, iOS gives the user the ability to create a local or a cloud based (iCloud) backup of the data present on the mobile phone. Several mechanisms can be applied by an iOS developer, to prevent a user from backing up data from the app’s context.\r\n\r\niOS executables are usually delivered encrypted by Apple’s iOS app store. In order to prevent users from reverse-engineering the program flow and other functionalities. Thus, a user without a rooted phone wouldn’t be able to get an unencrypted version of the executable.\r\n\r\nDuring the observation of the created backup, several executables were discovered in the Documents folder as can be seen on the following screenshot. (see Figure 13)\r\n\r\nFigure 13 - Screenshot showing the content of the backed-up Documents folder\r\nhttps://drive.google.com/file/d/1_EDkPB_jfBAwJyHv0L8Hi6BUKmt2yyCP/view?usp=sharing\r\n\r\nThe green marked file on the above screenshot marks the file [APP NAME].fid. This\r\nfile was identified as a Mach-O 64-bit executable for arm64 processor as can be\r\nseen on the following output, issuing the file command:\r\n\r\n\r\n{code:java}\r\n$ file [APP NAME].fid\r\n[APP NAME].fid: Mach-O 64-bit executable arm64\r\n{code}\r\n\r\nSince the main executable of the mobile app had a similar name, we performed a SHA message digest calculation in order to check if the files are identical.\r\n\r\n\r\n{code:java}\r\n$ shasum -a 256 [APP NAME].fid 36c4062bb3918818a87d08616ec742526693079ea40e32946534a387403f488b [APP NAME].fid\r\n{code}\r\n\r\n{code:java}\r\n$ shasum -a 256 [APP NAME] 36c4062bb3918818a87d08616ec742526693079ea40e32946534a387403f488b [APP NAME]\r\n{code}\r\n\r\nWhen comparing the output of the above commands it was observed that indeed the files are identical. That means, that the main executable of the app is present unencrypted in the backup.\r\n\r\nThe following screenshot shows exemplary an extract from Objective-C classes and methods retrieved during analysis of the decompiled binary. (see Figure 14)\r\nhttps://drive.google.com/file/d/1wA9suNKsNN5eIgAjdIYEWyWsOtqif8qU/view?usp=sharing\r\n\r\nFigure 14 - Exemplary screenshot objective-c classes and methods from decompiled Gluci-Chek.fid binary\r\n\r\nIt is very uncommon that the apps executables are stored in the Documents directory. Therefore, we assumes that the reason is a misconfiguration.\r\n\r\nAs can be seen on the previous example, giving the user the ability to backup the app’s executables, also empowers the user to reverse-engineer the program flow and maybe its secret functionalities and information.\r\n\r\nRecommendations\r\n\r\nwe recommends checking the configuration in order to prevent the apps executables from being backed-up.\r\n\r\n+ END OF technical detail :+\r\n\r\nIn native, this behavior is not present. Can we exclude the app executable with some configuration ? If it's not possible because of the way that Titanium works, can you confirm us this the technical detail please ?\r\n\r\nThank you.",
		"attachment": [],
		"flagged": false,
		"summary": "App executable in backup",
		"creator": {
			"name": "thomas.webgo@gmail.com",
			"key": "thomas.webgo@gmail.com",
			"displayName": "Thomas Lemaitre",
			"active": true,
			"timeZone": "Indian/Reunion"
		},
		"subtasks": [],
		"reporter": {
			"name": "thomas.webgo@gmail.com",
			"key": "thomas.webgo@gmail.com",
			"displayName": "Thomas Lemaitre",
			"active": true,
			"timeZone": "Indian/Reunion"
		},
		"environment": null,
		"comment": {
			"comments": [
				{
					"id": "450421",
					"author": {
						"name": "jvennemann",
						"key": "jvennemann",
						"displayName": "Jan Vennemann",
						"active": true,
						"timeZone": "Europe/Berlin"
					},
					"body": "Could they provide reproduction steps? About what kind of backup are we talking here? ITunes device backup? Local? iCloud? Something else? The text description is very general and has no instruction how we could reproduce the behavior.",
					"updateAuthor": {
						"name": "jvennemann",
						"key": "jvennemann",
						"displayName": "Jan Vennemann",
						"active": true,
						"timeZone": "Europe/Berlin"
					},
					"created": "2019-08-13T08:46:23.000+0000",
					"updated": "2019-08-13T08:47:28.000+0000"
				},
				{
					"id": "450433",
					"author": {
						"name": "thomas.webgo@gmail.com",
						"key": "thomas.webgo@gmail.com",
						"displayName": "Thomas Lemaitre",
						"active": true,
						"timeZone": "Indian/Reunion"
					},
					"body": "Sorry for this task, it's a false positive coming to the pen test team. I will only appears on one jailbreak iPhone.\r\n\r\nWe can close it.",
					"updateAuthor": {
						"name": "thomas.webgo@gmail.com",
						"key": "thomas.webgo@gmail.com",
						"displayName": "Thomas Lemaitre",
						"active": true,
						"timeZone": "Indian/Reunion"
					},
					"created": "2019-08-13T13:33:34.000+0000",
					"updated": "2019-08-13T13:33:34.000+0000"
				}
			],
			"maxResults": 4,
			"total": 4,
			"startAt": 0
		}
	}
}