Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: iphone

Playing with iPhone profiles

It’s not often that I talk about a GOOD feature of the iPhone. Don’t get me wrong, I love my iPhone and it’s really changed the way I work and communicate, however Apple really only want you to use the device the way they want, not how you want. Still, I’ve recently been fighting with a few issues while traveling. The largest of these is the need to constantly change my APN settings whenever I fly somewhere. I usually travel with a small collection of pay as you go sim cards so that I can just touch down, plug in the sim and charge enough credit to cover a few days or weeks of data transfer. You’d be surprised at the prices you can find even on pay as you go nowadays. Anyway, this is all well and good, but wouldn’t it be nice if the APN settings (APN name, username and password) were automatically detected. Some sim cards do this, however most don’t (my O² sim card even fills it in with incorrect info). Today I finally had a chance to look at the iPhone configuration tool offered by Apple.

The iPhone configuration tool gives you a range of options to configure a single or multiple iPhones. It also offers the chance to do some security related configurations that you can’t achieve directly on the iPhone itself. The 2 things I was particularly interested in were the Passcode and APN (advanced) settings.

Whether you’re using this in a corporate or home environment, the configuration tool can help improve the security of your iPhone, as well as making it easier to turn settings on/off as required.

Passcode

By default the iPhone allows for a 4 character passcode to lock down your phone. This is great, but I’ve lost count of the number of times I’ve seen people type in their passwords. It’s not hard to remember a 4 digit passcode, and as iPhone doesn’t randomize the layout of the numbers on the screen, it’s easy enough to figure out the password even without seeing which numbers are selected. Luckily the iPhone configuration tool gives you the chance to correct this.

Through the configuration tool you can set the advanced settings not possible to do directly on the iPhone itself. These settings include the complexity (including the number of non-alphanumeric characters required), minimum length, maximum password age, password history and failed attempts.

Alongside these typical settings you can also set the auto-lock and grace period times. Most importantly, from my perspective, you can enable the device erase function (this can also be enabled on the device directly).

When it comes to mobile devices, password enforcement is becoming more and more important. With the limited keyboard functionality and repetition of password entry (how many times a day do you type in your iPhone passcode ?) it’s important to make sure users (whether enterprise or home) don’t simplify the passcode too much. It’s very convenient to use 9999 as your passcode, but it’s not hard to shoulder-surf.

The above images show the default 4 character PIN style password, and the more extensive passcode options you can enable through iPhone configuration tool. The more security conscious may have noticed there are 3 images and not just 2. If you allow users to set digit only passcodes (i.e. an 8 character passcode like 12345678) then your users will be prompted ONLY to enter numeric values. If the user sets a more complex alphanumeric password, then they will be given a full keyboard for entry. This isn’t a BIG security issue, but it does tell you what kind of passcode they’ve selected without you needing to know the passcode itself. Still, it’s better than a 4 digit passcode 😉

APN (advanced)

The second feature that interests me is the advanced page, which allows you to set the APN and Proxy information. For me this is really handy. I can go into the configuration tool and create a profile for each APN setting combination that I need. When going between countries I can simply pull up the .mobileconfig file from my email (make sure you’ve got it cached) and apply it to the iPhone.

The advanced settings page also allows you to set a proxy for your communications. I’ve not had a chance to play with this setting yet to see what kind of security enhancement can be gained from this. In theory it would be nice to force ALL communications over an SSL secured proxy. This could then connect back to a trusted system to give you an extra layer of protection between your phone and home base. When travelling to a possibly dangerous environment (I’m thinking China, Russia, Ukraine, etc…) it would be nice to feel just a little bit more secure.

The good thing about profiles is that you can add and remove them at will. You can also have more than 1 profile active on the iPhone at once (as you can see I’ve got 4 currently). This allows you to add and remove them whenever you need to. It also means you can have a profile that applies your security settings and separate ones that apply just the APN info (as it’s likely to change more often than your security configuration). I’ve not had a chance yet to look at what happens when you set multiple profiles to contain settings that clash. I get the feeling that the LAST profile applied will override the earlier ones, but at the moment that’s just speculation on my part.

.mobileconfig

The files you export from the iPhone configuration tool are simple XML files. So if you find yourself out and about without the tool, you can still open the file up in a text editor and change the settings as required. If you do a Google search for “mobileconfig iphone” you’ll find a number of sites discussing the format. You can also check out the enterprise deployment documentation HERE for more hints. You can also download the configuration tool from the same location (Windows / OSX only).

Edit: After posting I did a little followup on the contents of the .mobileconfig file. When looking at the files created to implement specific APN settings, I noticed the following strings in the XML:

<key>apns</key>
<array>
  <dict>
    <key>apn</key>
    <string>payandgo.o2.co.uk</string>
    <key>password</key>
    <data>
    cGFzc3dvcmQ=
    </data>
    <key>username</key>
    <string>vertigo</string>
  </dict>
</array>

I can almost see people holding their heads in their hands. Yes, the password is stored Base64 encoded. I can understand why Apple have done this (to avoid issues with special characters corrupting the XML). However Base64 isn’t encryption. Luckily the APN settings are usually publicly available. However the .mobileconfig file can also contain data such as WPA keys, mail account passwords, and even LDAP and Exchange server settings. Surely these are protected in the XML by default right ?

<key>LDAPAccountDescription</key>
<string>LDAP Account</string>
<key>LDAPAccountHostName</key>
<string>server</string>
<key>LDAPAccountPassword</key>
<string>SecretLDAPpassword</string>
<key>LDAPAccountUseSSL</key>
<true/>

That’s what we like to see. Clear text passwords… However it’s not all bad, there is a solution, even if it’s not the default. When exporting the .mobileconfig file from the iPhone configuration tool, you can select to sign and encrypt the file. The downside of this, is that you need to tie the .mobileconfig to an iPhone that has been registered in the iPhone configuration tool. This may not always be convenient, especially when your CFO is shouting that his wireless settings are wrong as he’s waiting for the 9th hole at the local golf club. Still, at least Apple have thought about the security risks. When creating a single profile for your entire corporation however, you’ll either need to register each iPhone in the configuration tool before exporting the file, or use the less secure, unencrypted, option.

So, if you’re a corporate using this feature for your CEO’s iPhone, remember to store the .mobileconfig in a safe place and use the sign and encrypt option (not the default, at least in my testing). If you’re a penetration tester, add this filetype to your list of files to look for next time you exploit a user’s system. You never know what you might find. If you want to know how bad it really is, try the following Googledork “filetype:mobileconfig”.
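A pre-distribution check for the problem described above, as an added example that is not part of the original post or Apple's tooling: it walks an exported .mobileconfig and reports which keys carry a credential in Base64 or clear text, without printing the value. The sample profile is constructed from the two fragments quoted above; the PayloadContent wrapper and the key-name hints are assumptions.

```python
import plistlib
# Constructed sample (not a real export): the two fragments quoted in the post,
# wrapped in a minimal plist. The PayloadContent wrapper is an assumption.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>apns</key>
      <array><dict>
        <key>apn</key><string>payandgo.o2.co.uk</string>
        <key>password</key><data>cGFzc3dvcmQ=</data>
        <key>username</key><string>vertigo</string>
      </dict></array>
    </dict>
    <dict>
      <key>LDAPAccountHostName</key><string>server</string>
      <key>LDAPAccountPassword</key><string>SecretLDAPpassword</string>
      <key>LDAPAccountUseSSL</key><true/>
    </dict>
  </array>
</dict></plist>
"""

SECRET_HINTS = ("password", "passphrase", "secret")  # hypothetical key-name hints

def find_secrets(node, path=""):
    """Return (path, storage, length) per credential-like key; never the value."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            hit = any(h in key.lower() for h in SECRET_HINTS)
            if hit and isinstance(value, bytes):   # <data>: Base64, not encryption
                found.append((here, "base64", len(value)))
            elif hit and isinstance(value, str):   # <string>: stored as typed
                found.append((here, "cleartext", len(value)))
            else:
                found.extend(find_secrets(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_secrets(item, f"{path}[{i}]"))
    return found

def audit_profile(raw):
    try:
        return find_secrets(plistlib.loads(raw))
    except Exception:  # not a plain plist; other containers are not unwrapped here
        return None

if __name__ == "__main__":
    for path, storage, length in audit_profile(SAMPLE_PROFILE):
        print(f"{storage:9} {length:3} bytes  {path}")
```

Any finding on a profile that is about to be mailed or hosted is a reason to use the sign and encrypt export instead.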


Fixing Cydia

At some point in the last 24 hours Saurik released a couple of updates to Mobilesubstrate through Cydia. Usually I try to keep updated with the latest and greatest (I’m a technology junkie) so I ran the upgrade while I grabbed my morning cup of tea (I’m also English after all). Normally after an upgrade you’ll see a prompt to restart springboard, however with this update the phone rebooted part way through the install. A worrying signal. After the reboot everything seemed to be fine, except Cydia refused to start fully. After showing the default Cydia screen for a few seconds, Cydia would disappear.

After a couple of reboots to make sure the issue wasn’t going to solve itself, I had a quick look on Saurik’s twitterfeed but he had no mention of the issue. Several followers however were having the same issue. Time to find a solution.

I dropped to the terminal (although making an SSH connection would also have done the trick) and su’d to root. For those new to this the default password for root is alpine and if you’ve upgraded to version 3.0 this WILL have been reset. So change the root and mobile users’ passwords using ‘passwd’ before somebody else connects and does 😉 Anyway, I digress.

After getting root access it’s time to see what state the mobilesubstrate and cydia packages were in. After an ‘apt-get update’ (to get the updated package lists) and an ‘apt-get install cydia’ it looks like the package is corrupted, as I’m prompted to run the dpkg configure:

dpkg --configure -a

After this is completed, I reran the ‘apt-get install cydia’, and then an ‘apt-get upgrade’ to reinstall the failed mobilesubstrate and in my case the new VoIP 3G app. After another reboot (type reboot at the prompt or whatever your preferred method is) things seem to be running fine again.

For those with short attention spans:

  • Shell access (terminal or ssh)
  • Su to root
  • dpkg --configure -a
  • apt-get update
  • apt-get install cydia (if this fails add --fix-missing)
  • apt-get upgrade (to install mobilesubstrate correctly)
  • reboot

I hope this solves your issues as easily as it did mine. Let me know if you have any issues.

Update: There are a few other guides going around telling you to connect the iPhone to your system (or use iFile) and then delete specific files. I’ve not tested these fixes, but the chance of deleting files you need is always there. I’d suggest using the easy fix using apt-get before trying the file deletion route. However it’s a personal choice.

Update: As a few comments have noted, the nice people at wordpress reformed the –– into a single – when displaying the page. This should now be fixed using the magic trickery of HTML comments to split the two characters ;)

Protecting your browsing with iPhone SSH tunnels

Note: This post is from 2009 and should be considered deprecated… things move quickly in IT!

Most of the time I feel relatively secure when I’m browsing the web or checking twitter on my iPhone. That said, I rarely use the built in wireless for these purposes, and rely instead on the reasonably good 3G network in Austria. When I’m out of the country I usually try to buy a pay-as-you-go sim card and pay for the daily data transfer. This isn’t as expensive as you’d think. For example in the Netherlands it costs around €3.50 per day of data transfer. Not cheap if you’re using it long-term, but if you’re only there for a couple of days it’s a lot cheaper than paying for a hotel WLAN that’s insecure and only works inside the hotel. Still, this solution doesn’t work everywhere and isn’t for everyone. The fallback is to use whatever wireless you can find, insecure or not. This is something I’ve been fighting with for a while now, stemming (mostly) from my unwillingness to set up a VPN server (my home ADSL isn’t good enough quality, and doesn’t have a fixed IP) or pay a huge price for a VPN solution through my existing hosting provider (thanks for the cheap hosting Dreamhost).

The iPhone (at least version 2.2.1) supports the use of HTTP proxies when connecting via a wireless connection. This is great. Surely I can set up an SSH Tunnel to my server and tell the iPhone to use this as a SOCKS proxy. As with everything on the iPhone however, simple always turns into complicated very quickly. I experimented with this solution and found that the HTTP proxy support was really just that, HTTP proxy support and nothing else. So back to the drawing board. I searched for another solution and settled on using the 3proxy application (in cydia for those lucky enough to have a jailbroken iPhone) to set up a local HTTP proxy.

A few requirements to get this up and running on your iPhone.

  • A Jailbroken iPhone (or iPod Touch)
  • SSH Client installed
  • 3proxy (available in cydia)
  • terminal application
  • An SSH server (setup for either password or certificate access)
  • Backgrounder (or some other way to run commands and have them running in the background)
  • OPTIONAL: iFile (easy file editing)

Starting off we’ll take a look at the configuration of 3proxy. By using the following configuration you tell 3proxy to forward all traffic to a second proxy server, this time a SOCKS proxy (in this case my SSH tunnel).

#!/usr/bin/3proxy
daemon
auth iponly
log /var/log/3proxy.log D
rotate 5
fakeresolve
internal 127.0.0.1
allow * * 127.0.0.1
parent 1000 socks5+ 127.0.0.1 8081
proxy -p8080 -a -i127.0.0.1

The quick rundown on the above configuration.

  • #!/usr/bin/3proxy – Tells the script what interpreter program to use
  • daemon – Tells 3proxy to run as a background process
  • auth iponly – Sets the authorization to be IP restricted
  • log – Sets up a log that rotates daily (the D option)
  • rotate 5 – Sets the number of log files to keep before rotating
  • fakeresolve – Tells 3proxy to route DNS lookups through the proxy
  • internal – Listen on the internal interface only
  • allow – Currently set to * for all (you can limit this by username/password or IP, however this caused issues in testing)
  • parent – This is where we’re setting the next proxy in the chain (1000 means always use this parent, SOCKS5+ is the type, followed by the SSH tunnel’s listening IP and port)
  • proxy – This final command tells 3proxy to start a proxy on port 8080 using anonymous proxy mode (-a) and listen only on the internal loopback

You can find more configuration information on the 3proxy website. Although leaving the allow set to * (all) is a concern, remember that the proxy is only listening on the localhost address and from outside the port is blocked.
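The claim above rests on every listener and the parent staying on loopback; this added example (not from the original post or the 3proxy project) lints a config for that. It assumes the directive meanings given in the rundown, plus that a service with no internal or -i address listens on all interfaces; EXPOSED_CFG is a constructed variant.

```python
import ipaddress

# The configuration from the post, followed by a constructed variant in which
# the proxy listener has been moved off loopback.
POST_CFG = """\
#!/usr/bin/3proxy
daemon
auth iponly
log /var/log/3proxy.log D
rotate 5
fakeresolve
internal 127.0.0.1
allow * * 127.0.0.1
parent 1000 socks5+ 127.0.0.1 8081
proxy -p8080 -a -i127.0.0.1
"""
EXPOSED_CFG = POST_CFG.replace("-i127.0.0.1", "-i0.0.0.0")

SERVICES = {"proxy", "socks"}  # service commands this sketch checks

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # a hostname is not provably loopback

def lint_3proxy(cfg):
    """Return warnings for listeners or parents that are not on loopback."""
    warnings, default_bind = [], None
    for n, line in enumerate(cfg.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        cmd, args = words[0], words[1:]
        if cmd == "internal" and args:
            default_bind = args[0]          # default listen address
        elif cmd == "parent" and len(args) >= 4:
            if not is_loopback(args[2]):    # next hop should be the local tunnel
                warnings.append(f"line {n}: parent {args[2]}:{args[3]} is not on loopback")
        elif cmd in SERVICES:
            # A per-service -i overrides the 'internal' default (assumption).
            bind = next((a[2:] for a in args if a.startswith("-i")), default_bind)
            port = next((a[2:] for a in args if a.startswith("-p")), "default")
            if bind is None or not is_loopback(bind):
                warnings.append(f"line {n}: {cmd} on port {port} listens on {bind or 'all interfaces'}")
    return warnings

if __name__ == "__main__":
    print(lint_3proxy(POST_CFG))      # the post's config: no warnings
    print(lint_3proxy(EXPOSED_CFG))   # constructed variant: one warning
```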


Now that we’ve got the 3proxy.cfg file saved (mine’s stored in /usr/bin with the 3proxy executable) you’ll need to run chmod +x to make it executable. Next up is the SSH Tunnel, and doing this on an iPhone isn’t much different to a normal Linux system (just harder to type for obvious reasons). I opted to add a certificate for quick easy access and restricted access to the certificate to the root user on the iPhone (you have changed your root password right ???). I added the private key to ~/.ssh/id_dsa (or id_rsa, your choice) and set up a bash script to kick off the SSH tunnel (typing that command each time gets boring fast).

ssh -D 8081 -N -C username@remotehost.your.domain -2 -p 64000 -i /home/root/.ssh/id_dsa

The above command is a simple SSH tunnel setup to connect to port 64000 on remotehost.your.domain and log on as the user username using the certificate file stored in /home/root/.ssh/id_dsa. It will then set up a local listener on port 8081 and dynamically route all traffic coming to this port through the SSH tunnel. As we’re treating the tunnel as a SOCKS proxy we don’t need to have anything else set up at the other end (no other proxy server waiting to route the requests) although you could set up privoxy or any other kind of proxy if you wanted more control.

So, now that we have the two parts of our configuration ready we just need to drop to the shell and kick off the SSH Tunnel (using your bash script), and then start up the 3proxy using the /usr/bin/3proxy.cfg command. I’ve linked it all into a single bash script to make things a little quicker.

In testing Safari works pretty well (minor decrease in performance as you’d expect). Twitterfon was the second application I tested. Although this follows the HTTP proxy rule, it still insists on doing DNS lookups for advertising outside of the proxy. This is also the case for a couple of other applications. Mail doesn’t follow the HTTP rules, however you can easily set up additional 3proxy ports for these, or use SSL and make sure your DNS is all piped over the local listener and through the SSH tunnel (3proxy supports a DNS caching proxy, tcp and udp forwarding proxies also).


Supported:

  • Safari
  • Twitterfon (partially: Advert DNS lookups are still a possible concern/attack vector)
  • Cydia
  • AppStore
  • iTunes
  • Youtube
  • Weather
  • GRiS
  • WordPress (partially: As with the Twitterfon issue, the DNS appears to ignore the HTTP proxy settings)

Obviously these were just the applications I tested. I’d suggest running your own tests to ensure that you’re seeing the same results.

Not-Supported:

  • Mail (set up a port forwarder to achieve support for email)
  • Siphon (This is a real disappointment)
  • F-Stream
  • … probably more, so your mileage may vary

If you test any other applications please let me know and I’ll add them to my list.

Once you’ve finished using the SSH Tunnel and proxy, remember to kill -9 them using the console.

TODO:

  • Test with alternative “allow” settings to restrict access further (username/password too easy)
  • Prevent initial DNS lookup on SSH Tunnel (i.e. dyndns service)
  • Log bug with Twitterfon regarding DNS lookups
  • Find an easier way to trigger the tunnel & 3proxy build-up/tear-down
  • Resolve issue of tunnel disconnecting when screen gets locked (FOR loop ???)
  • Use the tunnel for 3G connections (paranoid much !!!)