I was invited to talk at OWASP AppSec Africa 2017 in Casablanca, Morocco on Wednesday, February 1st, 2017. My presentation was entitled: “How Did I Hack Twitter and WhatsApp for iOS?”. I had the honor to present in front of well-educated people about cyber security. I hope this made a change or opened a path for people who want to pursue their careers in cyber security, especially on the iOS platform.
In this presentation, I talked about two of my discoveries as a security researcher in the Twitter (2014) and WhatsApp (2015) applications for iOS. The first one was an open authentication flaw which allowed me to hijack the active session in the Twitter application. The second one was an encryption problem in WhatsApp which allowed me to steal the conversations and contacts that were on that device. After reporting that vulnerability, WhatsApp applied end-to-end encryption, which has been leading to the protection of millions of users. These discoveries were considered achievements because they were the first Moroccan discoveries on the iOS platform.
As an introduction to these discoveries, I talked about iOS security architecture, which is a rare field in the Moroccan cyber security community. I threw light on the system vulnerabilities that allowed me to access some important files in the installed applications, in addition to an overview of the iOS security system. I also mentioned some design patterns in operating system design that differentiate the system, kernel, and user modes, called GDT entries or global descriptor table entries.
One of the famous bugs in iOS is the lock bypass from the device itself or from a computer. At this point, we have 3 main paths to follow: Ubuntu (or another Linux-based distribution), Mac OS X, or Windows. I tried them all. I noticed that they were dealing with the iDevice in different manners. Ubuntu was trying to access it as a physical hard drive while the others were treating it as an iDevice (trying to connect it with iTunes). For WhatsApp, the bug was in iOS 9. I could access the system files, including the files of the applications themselves. At this level, I would like to describe how an iOS application works based on the general file hierarchy in iOS. In other words, I would like to explain the role of “.plist” files in the iOS system.
Concerning Twitter’s bug, I threw light on the multiple authentication levels in mobile applications, for instance the access token method, which was the main factor in the bug that I discovered in Twitter. Moreover, I would like to talk briefly about the third-party applications that are widely used today and the security risks that threaten the users. This bug would lead us to explain further the difference between authorization and authentication. This point would explain in depth the real role of the access token.
As a motivation, I shared the responses of the two Security Teams of the companies which confirmed the vulnerabilities. In addition, I want to share some tips that I used to find those vulnerabilities, which would help the security researchers interested in iOS. They will change their minds, because the majority of security researchers consider iOS a monster. It is known for its high security mechanisms. However, it has some flaws that might be used to discover serious security issues in some well-known applications. I hope that this presentation will throw light on the problem of authentication in cyber security and bring the question of the password as a good or bad authentication factor to the Moroccan cyber security community.