Project 13: "Ask A Lawyer" iOS App Plaintext Password Storage (10 pts.)

What You Need for This Project

Summary

The "Ask a Lawyer" iOS and Android apps store the user's password locally without encryption. Both the Android and iOS apps also transmit the password over the Internet without encryption.

This project only finds the local storage flaw in the iOS app, because earlier projects already covered the techniques needed to find the other three flaws.

Responsible Disclosure

I notified the developer of the Android flaws on 1-2-17 and got no response.

I tested several other apps from that developer and found that they all had similar flaws. I notified the developer on 1-7-17 and got no response.

I see no reason to bother notifying them again about the iOS vulnerabilities--it's obvious that they don't care.

Installing the App on the iPhone

On your iPhone, open the App Store and install this app:

 

Registering an Account

On the iPhone, launch the app and click Register.

Register an account with the password

topsecret3-YOURNAME

Replace "YOURNAME" with a version of your name that doesn't contain any spaces.

 

Installing iExplorer

On your computer (not the iPhone), go here:

https://macroplant.com/iexplorer/tutorials/how-to-browse-files-on-iphone-ipad-ipod

Download and install iExplorer.

Auditing Local Storage

Connect your phone to the computer with a USB cable.

On your computer, launch iExplorer.

Click "Continue with Demo".

iExplorer shows the contents of your phone, as shown below.

In iExplorer, click Files, Apps.

In the Apps page, expand these items, as shown below.

Drag the file__0.localstorage file out and drop it on your desktop.

Open the file with a hex editor. If you don't have one, install one of these:

Scroll through the file to see your stored password, which should contain your name, as shown below.
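The hex-editor check above can also be scripted. The following is an added example, not part of the original project: it searches a pulled file for the test password you registered and prints a hex-editor-style row for each hit. It assumes the file is a WebKit-style localStorage SQLite database whose values may be stored as UTF-16LE; the ItemTable schema, the "password" key name and the sample file are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# A plain ASCII search can miss values stored as UTF-16LE (assumed here for
# WebKit-style localStorage files), so check both encodings.
ENCODINGS = ("utf-8", "utf-16-le")


def find_canary(data: bytes, canary: str):
    """Return sorted (offset, encoding) pairs where the canary appears in data."""
    hits = []
    for enc in ENCODINGS:
        needle = canary.encode(enc)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def hex_context(data: bytes, offset: int, width: int = 16) -> str:
    """Render the bytes around a hit like one row of a hex editor."""
    chunk = data[max(0, offset - 4): offset + width]
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {chunk.hex(' ')}  |{text}|"


def build_sample(canary: str) -> bytes:
    """Constructed stand-in for a pulled file: SQLite with a UTF-16LE value."""
    path = os.path.join(tempfile.mkdtemp(), "sample.localstorage")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ItemTable (key TEXT, value BLOB)")  # assumed schema
    con.execute("INSERT INTO ItemTable VALUES (?, ?)",
                ("password", canary.encode("utf-16-le")))  # hypothetical key name
    con.commit()
    con.close()
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    canary = "topsecret3-YOURNAME"  # the test password registered earlier
    blob = build_sample(canary)     # replace with the bytes of the file you pulled
    for off, enc in find_canary(blob, canary):
        print(enc, hex_context(blob, off))
```

A hit in either encoding means the password is recoverable from the device's file system without any decryption step.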

Saving a Screen Image

Make sure YOURNAME is visible, as shown above.

Capture a full-screen image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 13", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 13 from YOUR NAME
Posted 4-17-17 8:37 pm by Sam Bowne