Mobile App Vulnerabilities Exposed: Getting Our Hands Dirty Part 2

In Part 2 of the “Getting Our Hands Dirty” mobile app vulnerabilities series, Brian Robison and Steven Smiley explored the iOS version of Corellium Café, using reverse engineering and other techniques to find vulnerabilities within the app.

Watch the entire on-demand webinar for all the tricks and tips, or keep reading for a preview.

What is Corellium Café?

Corellium Café is a faux coffee shop app that lets users purchase imaginary beverages. Corellium developed the app with intentional vulnerabilities to help developers and security researchers identify and mitigate mobile app risks. The app has many flaws, including insecure data storage, insecure network communications, and security misconfigurations introduced during app development.

Exploring Corellium Café for iOS

The app acts just like a coffee shop app where you can purchase drinks and pick them up. You can add items to the cart, click on payment, and enter a fake credit card, CVV code, and zip code.

Don’t worry; it doesn’t process anything, and no actual payments are made. You can even enter a promo code if you can find one for free coffee. On the surface, it looks legitimate. Lurking beneath the surface, however, are dozens of mobile app vulnerabilities. Corellium challenges you to find them all. If you need help, you can also use the answer key to find the solutions.

Get the app and try for yourself by navigating through the Corellium Café Guided Scenario.

Techniques and Tactics for Finding Vulnerabilities with Corellium

Corellium’s primary goal is to help developers and DevSecOps teams identify vulnerabilities more quickly and efficiently. Below are three techniques for finding vulnerabilities within Corellium Café.

1. Insecure Data Storage

The first demo showed how to use Corellium Café to detect insecure data storage. The iOS keychain stores passwords, personal information, credit card numbers, and similar secrets. Sometimes, developers store data in the keychain that an attacker could read by dumping it. Some tips for keeping that data secure:

  • Always encrypt the data in the keychain, or use keychain security controls (limiting when and how items are accessible) to keep it safe. Then, even if someone can view the entries, they will only see random-looking text.

  • Use the Objection framework (a runtime exploration toolkit available on GitHub) to dump the entire keychain with a single command and look for exposed data.

  • Running this on Corellium Café, you can see a credit card number exposed in plain text and the promo code to use for free drinks.

2. Use Corellium's Network Monitor to Explore Insecure Communications

Corellium’s Network Monitor observes and reports network traffic (HTTP and HTTPS), automatically stripping SSL/TLS encryption and bypassing certificate pinning. It shows which servers the app connects to, what requests are being sent, and what responses come back. The second demo in the webinar walked through placing an order on Corellium Café and watching the Network Monitor to see leaked information (credit card numbers, account numbers, and so on).

One tip for securing vulnerabilities like those in Corellium Café is to store keys to unlock data on the server side, not the client side.

You can also use Burp Suite to gain further insight into network traffic and insecure communications. Burp Suite is an excellent tool because it works seamlessly with Corellium.

Using Burp Suite, Steven identified two additional vulnerabilities. One is the web view, whose target URL can easily be changed to redirect it anywhere. Bad actors could exploit this vulnerability to take users to a malicious website.

3. Detect Common Misconfigurations in Info.plist

The Info.plist file contains information about the app, such as the package name, application version, supported device models, and sometimes API keys or security settings. During the third demo, Steven illustrated how easy it is to access and view the Info.plist file. The steps are:

  • Unzip the IPA binary.
  • Navigate to the payload folder.
  • Review everything that is in there.
  • Look for hard-coded data.
  • Pay close attention to the App Transport Security (ATS) settings.
  • In Corellium Café, ATS allows far too much, which is a major misconfiguration.
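The Info.plist review above can be scripted so it runs on every build. The following is an added example, not Corellium's code or anything shown in the webinar: it opens an IPA as the zip archive it is, reads Payload/<App>.app/Info.plist with Python's plistlib, and flags the App Transport Security keys that loosen the defaults (the key names are Apple's real ATS keys; the sample IPA, its bundle identifier and the domain api.example.invalid are constructed for the demo).

```python
import io
import plistlib
import zipfile

# Apple's real NSAppTransportSecurity keys that, when true, weaken ATS app-wide.
GLOBAL_WEAK_KEYS = {
    "NSAllowsArbitraryLoads": "cleartext HTTP and weak TLS allowed app-wide",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web view content",
    "NSAllowsLocalNetworking": "ATS disabled for local-network connections",
}

def audit_ats(info_plist: dict) -> list[str]:
    """Return findings for the NSAppTransportSecurity dictionary of a parsed Info.plist."""
    ats = info_plist.get("NSAppTransportSecurity") or {}
    findings = [f"{k}=true: {why}" for k, why in GLOBAL_WEAK_KEYS.items() if ats.get(k) is True]
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: insecure HTTP loads allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS version lowered to {tls}")
    return findings

def audit_ipa(ipa) -> dict[str, list[str]]:
    """An .ipa is a zip archive: locate Payload/<App>.app/Info.plist and audit it."""
    results = {}
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            parts = name.split("/")  # top-level app bundle only; skip nested bundles
            if len(parts) == 3 and parts[0] == "Payload" and parts[1].endswith(".app") and parts[2] == "Info.plist":
                results[name] = audit_ats(plistlib.loads(z.read(name)))
    return results

def build_sample_ipa() -> io.BytesIO:
    """Constructed sample IPA with a deliberately weak ATS block (not the real Corellium Café app)."""
    info = {
        "CFBundleIdentifier": "com.example.cafe",  # placeholder bundle identifier
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSExceptionDomains": {"api.example.invalid": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0"}},
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Cafe.app/Info.plist", plistlib.dumps(info))
    buf.seek(0)
    return buf
```

To check a real build, pass an open `.ipa` file object to `audit_ipa`; an empty findings list for the bundle means ATS is left at Apple's defaults.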

Always check for leftover debugging code, such as credentials stored during testing that the developer forgot to remove. Use Xcode to examine those types of misconfigurations and others.

Using Corellium to Identify Mobile App Vulnerabilities

The three vulnerabilities above are only a tiny fraction of the weaknesses you can detect using the Corellium platform combined with some third-party tools.

For more details and additional techniques, watch the entire on-demand webinar.