Alibaba releases 2015 mobile security vulnerability annual report

Posted by punzalan at 2020-03-29

*The vulnerabilities discussed in this article have been reported to the vendors and fixed. This article is for technical research and discussion only; using it for illegal purposes is strictly prohibited, and all consequences are borne by the user.

Chapter I Application vulnerabilities in 2015

1.1 Types and distribution of publicly disclosed application vulnerabilities in the industry

2015 was an extraordinary year. Media of all kinds paid increasing attention to vulnerabilities in mobile applications. These vulnerabilities not only affect the security of users' devices and information, they also cause business or reputational losses for enterprises.

Aliju Security analyzes the output of 50 well-known domestic and foreign security companies, media outlets and vulnerability platforms every week. Mobile security events and news, both domestic and foreign, still center on the technical risks of operating systems and mobile applications, with the domestic focus falling more on vulnerability risks in mobile applications. The data and conclusions below come from Aliju Security's statistics on the industry risk situation.

1. Industry distribution

According to the statistics on publicly disclosed vulnerabilities, the industry distribution of applications with vulnerabilities is similar to the distribution of applications installed on users' devices. Tool applications account for the highest proportion, 54%; game applications account for the lowest, 2%, because most users have few games installed on their phones, and games are updated and iterated quickly, so their vulnerabilities are not easy to dig into deeply.

Figure 1 industry distribution of open application vulnerabilities in 2015

2. Vulnerability types

A mobile application is a bridge between users and services: it interacts with the user directly on the smart device and forwards service requests to back-end servers over the communication link. Security researchers take the mobile application as the entry point and perform vulnerability mining and business security analysis on it. The data shows that most high-risk vulnerabilities break out on the server side.

In 2015, 71% of the published vulnerability data concerned the mobile service gateway and server side. The attacker analyzes the mobile application as the entry point, but the vulnerability arises on, and must be fixed on, the server. At this stage a large number of services are being extended from the traditional PC side to mobile, and running the business logic on the server is a relatively safe and low-cost way to do so, which is consistent with the data above. But precisely because the business logic is handled on the server, if the client that serves as the entry point is not subject to strong and effective security verification, it is easily used by attackers as a breakthrough for exploiting business-risk vulnerabilities on the server. Aliju Security's components provide signing and encryption for mobile applications' network access, which prevents attackers from tampering with packets and exploiting server-side vulnerabilities.

Vulnerabilities caused by the mobile application itself account for 25% of the total, and denial of service vulnerabilities account for a quarter of those client vulnerabilities. Looking at the details, code execution vulnerabilities have more variants than last year's single WebView remote command execution, for example execution of instructions reserved in the code. Logic vulnerabilities such as these must be assessed for the risk of being bypassed and attacked in specific business scenarios. Integrating a security process into the software development life cycle is the best way to avoid such vulnerabilities: before the code implements a function, a security review ensures that the business logic cannot be bypassed and that the flow of user data is accurate and secure.

Figure 2 distribution of application vulnerability types in 2015

1.2 Mobile application vulnerability analysis

In order to analyze the vulnerabilities in various industries' mobile applications, we downloaded the top 10 applications in each of 18 industries (180 applications) from third-party application markets and scanned these samples with the Aliju Security vulnerability scanning engine. Of the top 10 applications in the 18 industries, 97% had vulnerabilities, with 15,159 vulnerabilities in total, an average of 87 per application, and 23% of the top 10 applications had high-risk vulnerabilities.

1. Vulnerabilities of TOP10 applications in 18 industries

The WebView remote code execution vulnerability accounts for the highest proportion, 21%. The main cause is that WebView's addJavascriptInterface method is called. Google only fixed the security risk of this method in Android API 17 and later. Because devices below API 17 still account for 20% of the market, many developers set the minimum Android version supported by their application below API 17 for compatibility, so the number of such vulnerabilities has risen rather than fallen.
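As an added illustration (not code from the report or from any scanned application), the pattern the scanner flags beside a hardened version: the vulnerable form hands a plain Java object to every page the WebView loads, while the hardened form annotates the callable methods, removes the interfaces WebView itself injects on some 4.x builds, and exposes no bridge at all below API 17. Class and method names are assumed.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Added example, not code from the report or from any scanned application.
public final class WebViewBridgeExample {

    // Vulnerable pattern the scanner matches: a plain object is handed to
    // addJavascriptInterface. Below API 17 every public method of the object
    // is callable from page scripts, including those inherited from
    // java.lang.Object, which is how page scripts reach Java reflection.
    static final class LegacyBridge {
        public String getUserToken() { return "session-token-placeholder"; }
    }

    @SuppressLint("SetJavaScriptEnabled")
    static void configureVulnerable(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new LegacyBridge(), "app");
    }

    // Hardened bridge: from API 17 on, only methods carrying
    // @JavascriptInterface are visible to JavaScript; everything else,
    // reflection included, is hidden.
    static final class SafeBridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0"; }

        // Not annotated, so not reachable from page scripts on API 17+.
        public String getUserToken() { return "session-token-placeholder"; }
    }

    // API 17 is the first level on which the annotation is enforced.
    static final int MIN_SAFE_API = Build.VERSION_CODES.JELLY_BEAN_MR1;

    /**
     * Configures the WebView and returns whether a bridge was exposed.
     * sdkInt is normally Build.VERSION.SDK_INT; it is a parameter here so the
     * decision can be exercised in a unit test.
     */
    @SuppressLint("SetJavaScriptEnabled")
    static boolean configureHardened(WebView webView, int sdkInt) {
        webView.getSettings().setJavaScriptEnabled(true);
        if (sdkInt >= Build.VERSION_CODES.HONEYCOMB) {
            // WebView itself injects these interfaces on some 4.x builds;
            // remove them whether or not the application adds its own bridge.
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
            webView.removeJavascriptInterface("accessibility");
            webView.removeJavascriptInterface("accessibilityTraversal");
        }
        if (sdkInt < MIN_SAFE_API) {
            // The annotation is not enforced here, so expose no bridge at all
            // rather than rely on a restriction the platform cannot apply.
            return false;
        }
        webView.addJavascriptInterface(new SafeBridge(), "app");
        return true;
    }
}
```

If the application must keep minSdkVersion below 17, the scanner's finding is resolved by the `return false` branch, not by the annotation alone.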

Figure 3 number of vulnerabilities in industry TOP10 applications

Of the 15,159 vulnerabilities in the industry's top 10 Android applications, 23% are high-risk, 64% are medium-risk and only 13% are low-risk.

Figure 4 risk distribution of top 10 Android application vulnerability

26% of all vulnerabilities touch the security red line, meaning they are easy for attackers to exploit. Aliju Security recommends that developers fix them as soon as possible to avoid affecting the security of their mobile services.

Among the high-, medium- and low-risk vulnerabilities, 17%, 16% and 88% respectively touch the red line, so low-risk vulnerabilities account for the largest share of those that touch it. For example, a denial of service vulnerability causes the application to stop working once exploited, but its repair cost is low. Developers are advised to scan, verify and fix as soon as possible.

Figure 5 vulnerability of TOP10 touching the security red line

2. Analysis of vulnerabilities in key industries

Among the 18 industries, tourism applications have the largest number of vulnerabilities, accounting for 13% of the total across all industries. E-commerce, games, finance and other industries closely related to users' property have relatively fewer vulnerabilities, accounting for 6%, 5% and 4% of the total respectively.

Although financial TOP10 Android applications rank lower by total number of vulnerabilities, high-risk vulnerabilities account for 34% of them, the highest proportion in any industry, which deserves attention.

Figure 6 number of vulnerabilities of top 10 Android applications in 18 industries

1) TOP10 Android application vulnerabilities in the e-commerce industry

E-commerce TOP10 applications have 851 vulnerabilities, an average of 85 per application, of which about 27% are high-risk WebView remote code execution vulnerabilities. These can lead to serious consequences such as malicious applications being implanted, contacts and SMS being stolen, and phones being remotely controlled.

About 27% of the 851 vulnerabilities in e-commerce TOP10 Android applications are high-risk, 17% higher than the average proportion of high-risk vulnerabilities across the 18 industries. Moreover, e-commerce applications are closely tied to users' funds. Developers can refer to the multiple remediation schemes provided by Aliju Security to ensure that users' interests and corporate reputation are not affected.

Figure 7 distribution of vulnerability categories of e-commerce TOP10 applications

2) TOP10 Android application vulnerabilities in the game industry

Game TOP10 Android applications have 788 vulnerabilities, an average of 79 per application; 29% of them are high-risk WebView remote code execution vulnerabilities.

About 19% of the 788 vulnerabilities in game TOP10 Android applications are high-risk, 17% lower than the average across the 18 industries and relatively few compared with the other industries. However, game applications are updated and iterated frequently, and the amounts of money and user downloads involved are large, so the risk of vulnerabilities cannot be ignored.

Figure 8 distribution of vulnerability categories of game TOP10 applications

3) TOP10 Android application vulnerabilities in the financial industry

Financial TOP10 Android applications have 669 vulnerabilities, an average of 67 per application, 22% of which are high-risk WebView remote code execution vulnerabilities.

Of the 669 vulnerabilities in financial TOP10 Android applications, 34% are high-risk, 48% higher than the average across the 18 industries and the highest proportion of high-risk vulnerabilities in any of the 18 industries. Because financial applications are closely tied to users' property, the potential vulnerabilities bring huge risks to users' assets.

Figure 9 vulnerability category distribution of financial TOP10 Android Application

1.3 Typical application vulnerabilities

Because of the openness of the Android system itself, and in contrast to 2014, when the WebView remote command execution vulnerability dominated, in 2015 researchers found more new types of generic Android application vulnerabilities by studying how mobile applications operate within the system. These vulnerabilities can be found and matched with code rules, and avoided in the development stage.

1. Android generic denial of service vulnerability

In January 2015, researchers from a domestic security vendor found a generic denial of service vulnerability in Android that attackers can use to crash an application and prevent it from running normally. Almost all Android applications on the market were affected when the vulnerability was announced; at the time, each application had more than 10 such vulnerabilities on average.

The cause of the vulnerability is that when the getXXXExtra methods of the Android API, such as getStringExtra, retrieve a value and encounter a custom serialized class, they throw an unhandled exception that crashes the application. The fix is relatively simple and almost never affects the business logic: a try/catch only needs to be added to catch the exception.
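As an added example (not code from the report), the crash-prone read beside the wrapped form the report recommends. Any Intent extra, or the whole Bundle, is unparceled on first access, so the catch has to sit around that first access; helper names are assumed.

```java
import android.content.Intent;
import android.os.Bundle;
import android.os.Parcelable;

// Added example, not code from the report. Helper names are assumed.
public final class SafeExtras {

    // Vulnerable pattern: the extra is read directly. If the sender put a
    // Serializable or Parcelable of a class this process cannot load into the
    // Intent, unparceling inside getStringExtra throws and the Activity dies.
    static String readIdUnsafe(Intent intent) {
        return intent.getStringExtra("id");
    }

    // Hardened pattern: the first access is wrapped, so a malformed Intent
    // yields the fallback instead of a crash. The failures surface as
    // RuntimeException subtypes (BadParcelableException, ClassCastException,
    // a RuntimeException wrapping ClassNotFoundException), hence the catch.
    static String getStringExtra(Intent intent, String key, String fallback) {
        if (intent == null) return fallback;
        try {
            String value = intent.getStringExtra(key);
            return value != null ? value : fallback;
        } catch (RuntimeException e) {
            // Log e in a real application; never let it propagate to the framework.
            return fallback;
        }
    }

    static int getIntExtra(Intent intent, String key, int fallback) {
        if (intent == null) return fallback;
        try {
            return intent.getIntExtra(key, fallback);
        } catch (RuntimeException e) {
            return fallback;
        }
    }

    static <T extends Parcelable> T getParcelableExtra(Intent intent, String key) {
        if (intent == null) return null;
        try {
            return intent.getParcelableExtra(key);
        } catch (RuntimeException e) {
            return null;
        }
    }

    // Reading the whole Bundle is equally risky: getExtras() returns a lazily
    // unparceled Bundle, so force the unparcel here, inside the try.
    static Bundle getExtrasSafe(Intent intent) {
        if (intent == null) return null;
        try {
            Bundle extras = intent.getExtras();
            if (extras != null) extras.size();
            return extras;
        } catch (RuntimeException e) {
            return null;
        }
    }
}
```

The same wrapping applies to `Bundle` arguments delivered to Services and BroadcastReceivers, which are unparceled by the same code path.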

The Aliju Security vulnerability scanning engine has a dynamic fuzzing capability that can accurately detect this vulnerability.

2. Remote control risks caused by open ports

Nowadays more and more mobile applications, in order to meet business needs such as exchanging location information or receiving business instructions from other applications and servers, open an accessible port while running and receive data locally through it. Once port access control is lax and an attacker abuses it, the application may receive forged protocol instructions, and reserved business functions may be abused further. For example, among the various SDK backdoor events in 2015, an open port was an important means of remote control.

In October 2015, the Wormhole vulnerability found by domestic security researchers pointed out that Baidu's Moplus SDK contains sensitive function code such as collecting user and device information, adding contacts, making phone calls and sending SMS. Because a local TCP port (40310) is opened while the application is running, an attacker can obtain sensitive information and execute the sensitive functions reserved in the code by sending requests to that port.
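As an added example (not code from the Moplus SDK or any real SDK), the two properties whose absence the report describes, a restricted bind address and authentication of the caller, beside the exposed form. The hardened listener binds to loopback, demands a per-launch random token, and dispatches only a closed set of harmless commands; the class and protocol are assumed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not code from the Moplus SDK or any other real SDK.
public final class LocalCommandPort {

    // Vulnerable pattern: bound to every interface and every client trusted,
    // so a request from across the network is indistinguishable from one
    // made by the application's own component.
    static ServerSocket openExposed(int port) throws IOException {
        return new ServerSocket(port);
    }

    // Hardened pattern: loopback only, a per-launch random token, and a
    // closed set of harmless commands. Sensitive operations (contacts, calls,
    // SMS) are simply not reachable through the port at all.
    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("PING", "VERSION"));

    private final String token;
    private final ServerSocket server;

    LocalCommandPort(int port) throws IOException {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        token = hex(raw);
        // 127.0.0.1 is never routed, so only processes on this device connect.
        server = new ServerSocket(port, 8, InetAddress.getByName("127.0.0.1"));
    }

    /** Token handed to the trusted local client out of band, never over the socket. */
    String token() { return token; }

    int localPort() { return server.getLocalPort(); }

    /** Protocol: line 1 "AUTH <token>", line 2 the command. Returns the reply. */
    String handle(String authLine, String commandLine) {
        if (authLine == null || !authLine.startsWith("AUTH ")) return "ERR auth";
        byte[] given = authLine.substring(5).trim().getBytes(StandardCharsets.US_ASCII);
        byte[] expected = token.getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so the token cannot be recovered byte by byte.
        if (!MessageDigest.isEqual(given, expected)) return "ERR auth";
        if (commandLine == null) return "ERR command";
        String cmd = commandLine.trim().toUpperCase();
        if (!ALLOWED.contains(cmd)) return "ERR command";
        return cmd.equals("PING") ? "OK pong" : "OK version 1.0";
    }

    /** Serves exactly one connection; a real service would loop on a worker thread. */
    void serveOnce() throws IOException {
        try (Socket client = server.accept();
             BufferedReader in = new BufferedReader(new InputStreamReader(
                     client.getInputStream(), StandardCharsets.US_ASCII));
             OutputStream out = client.getOutputStream()) {
            String reply = handle(in.readLine(), in.readLine());
            out.write((reply + "\n").getBytes(StandardCharsets.US_ASCII));
        }
    }

    void close() throws IOException { server.close(); }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

On Android a bound Service protected by a signature-level permission, or a LocalServerSocket, removes the network listener entirely and is preferable when only same-device callers are expected.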

3. Parasite vulnerability

The "Parasite" vulnerability is a code hijacking vulnerability, but because its exploitation conditions are harsh, its impact is very limited. Hijacking the network download environment, tampering with the application's public storage area, or decompressing files without validity verification can each achieve the goal of hijacking code and executing a malicious program. Once exploited successfully, it is a high-risk vulnerability.

The principle of the vulnerability is that Android applications use DexClassLoader to dynamically load, and invoke by reflection, individual APK or JAR files with specific functions at runtime, implementing a plug-in mechanism for seamless upgrades and feature extension. The second parameter of DexClassLoader is the target ODEX path. If the application does not protect the cache file under the ODEX path, an attacker may tamper with or replace that file, and the attacker's code is then executed in the host application's environment.
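As an added example (not code from the report), the loader pattern the scanner looks for beside a hardened loader that addresses each of the three conditions above: the plugin is verified against a hash pinned in the host APK, and both the plugin and the ODEX directory passed as DexClassLoader's second parameter live in app-private storage. Plugin file names and the pinned hash are placeholders.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not code from the report. Plugin file names and the pinned
// hash value are placeholders supplied by the host application.
public final class PluginLoaderExample {

    // Vulnerable pattern: plugin and ODEX cache both sit on external storage,
    // which any app holding the storage permission can write. Whatever is in
    // either file at load time is executed; nothing checks where it came from.
    static ClassLoader loadUnsafe(Context ctx, File externalPluginApk) {
        File odexDir = new File(externalPluginApk.getParentFile(), "odex");
        odexDir.mkdirs();
        return new DexClassLoader(externalPluginApk.getPath(),
                odexDir.getPath(), null, ctx.getClassLoader());
    }

    // Hardened pattern: the plugin has already been copied into app-private
    // storage (getFilesDir()), is checked against a SHA-256 pinned in the host
    // APK, and is loaded with an ODEX directory that is also app-private, so
    // no other uid can substitute either file before or after the check.
    static ClassLoader loadVerified(Context ctx, File privatePluginApk,
                                    String pinnedSha256Hex) throws IOException {
        if (!matchesPin(privatePluginApk, pinnedSha256Hex)) {
            // Tampered download or a swapped file: fail closed.
            throw new SecurityException("plugin hash mismatch, refusing to load");
        }
        File odexDir = ctx.getDir("plugin_odex", Context.MODE_PRIVATE);
        return new DexClassLoader(privatePluginApk.getPath(),
                odexDir.getPath(), null, ctx.getClassLoader());
    }

    /** Pure-Java part of the check, usable without an Android runtime. */
    static boolean matchesPin(File f, String pinnedSha256Hex) throws IOException {
        return MessageDigest.isEqual(sha256(f), fromHex(pinnedSha256Hex));
    }

    static byte[] sha256(File f) throws IOException {
        try (InputStream in = new FileInputStream(f)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is always available
        }
    }

    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Downloading the plugin over HTTPS with certificate validation closes the first condition (network hijacking); the pin check covers the case where the download channel is still compromised.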

By analyzing the execution environment and conditions of malicious code, the Aliju Security vulnerability scanning engine determines, from the perspective of the attack path, whether the vulnerability exists in an application. According to the scan results, few applications on the market are currently affected by this vulnerability.

1.4 Application security events

1. XcodeGhost: compiler backdoor

On September 14, 2015, domestic security researchers found that a large number of well-known iOS applications were simultaneously sending large numbers of requests to a third-party server, putting hundreds of millions of users' information at risk of disclosure. After analyzing samples of these iOS applications, Alibaba Mobile Security issued an emergency security notice to developers on September 17, naming the virus XcodeGhost and giving sample details, inspection and repair measures. The cause was that Xcode, the iOS application compiler, had been maliciously tampered with and distributed through unofficial downloads. After the security notice was released, the third-party server receiving the sensitive information was shut down. However, Alibaba Mobile Security researchers found that attackers were still hijacking users' sensitive information over the network, and the impact had not stopped.

According to statistics, more than 4,300 iOS applications were built with this malicious Xcode, including top-ten applications on the market, such as WeChat, NetEase Cloud Music, Railway 12306 and other daily tools, and even bank applications. Apple then officially released a notice confirming the adverse effect of XcodeGhost and removed all affected applications from the official App Store. The event affected the largest number of users known to date and has been recorded in the history of mobile security.

The root cause of the event is that developers downloaded Xcode, the development tool for iOS applications, through unofficial channels or P2P download tools. This gave attackers the opportunity to insert malicious code into Xcode's compilation libraries, so that iOS applications compiled with it were implanted with the backdoor (XcodeGhost). The backdoor uploads sensitive information to the attacker's server, receives control instructions, and can open web pages, send SMS, make phone calls, and so on.

Figure 10 the harm of XcodeGhost

2. SDK security incidents: SDK backdoors

In 2015, security incidents caused by third-party SDKs emerged one after another, shocking the industry and drawing attention to mobile application security.

On September 22, security researchers found that Unity3D and cocos2d-x, graphics rendering components commonly used in mobile games, had functions similar to XcodeGhost in the versions distributed through unofficial download channels. In addition, SDKs such as MI, DuoMeng, idexci and Wanpu were also found to collect users' private information and were removed from the App Store, affecting thousands of applications. Some of these SDKs affect Android and iOS at the same time, with full-platform compatibility. Some SDKs switch off their data collection before submission to the App Store, so that it evades the App Store reviewers' inspection; after the application is listed and users install and run it, the switch is turned on remotely to collect users' private data in real time or execute other business instructions. Such "on/off" behavior has also been blacklisted by App Store reviewers.

3. Wormhole vulnerability: "Baidu family bucket"

In November 2015, Baidu's applications were exposed to the "Wormhole" vulnerability, which can be used to perform sensitive operations remotely: making phone calls, sending SMS, obtaining users' private information, and so on. The source is Baidu's Moplus SDK, which is integrated into most of Baidu's products, hence the name "Baidu family bucket" given by netizens. The Wormhole vulnerability is actually based on authentication and permission control defects in Baidu's advertising port, which was originally used for advertising web pages, upgrade downloads and application promotion. However, the various sensitive functions reserved in the Moplus code (operating the address book, phone, SMS, etc.) mean that Wormhole has a huge impact once exploited, because the user base of these apps numbers in the hundreds of millions.

1.5 Development trends of application vulnerabilities

1. The focus of vulnerabilities gradually shifts from application vulnerabilities to business logic vulnerabilities

The top 10 applications in the Android market have 87 vulnerabilities on average. A large number of applications still contain many types of vulnerabilities, which remain numerous because developers lack security awareness: for example, they consider mobile vulnerabilities unlikely to affect normal business operation, or consider the cost of exploitation high because hijacking or particular triggering conditions are required.

However, from the information collected across the industry, most high-risk vulnerabilities are logic vulnerabilities such as design defects and authentication and authorization flaws, which need human research and analysis. Once triggered, such a vulnerability can directly affect users' data and the normal operation of the business server, resulting in large-scale information loss and leakage events. Although the cost of analysis is high, the effect of exploitation is better. Weighing the cost and benefit of attack, more business logic vulnerabilities will be discovered in the future, and security events will follow.

2. Disclosure of users' private information will be the biggest risk of business mobilization

Aliju Security scans application vulnerabilities in domestic and foreign markets and finds countless vulnerabilities in foreign markets too, but foreign mobile application businesses pay more attention to information disclosure. Judging from foreign media reports in 2015, both the Apple App Store and Google Play are very concerned about the storage and transmission of users' private data: the markets do not directly punish an application by removing it for a vulnerability, but once private data is touched, the application is held to account.

Foreign media also pay close attention to information stored and transmitted in plaintext. For example, the AFNetworking network library SDK was criticized by the media for failing to verify the server's HTTPS certificate. Nowadays users' habits have moved to mobile, and information leakage will be the biggest mobile risk and a long-term topic in the future.

3. Developers need to consider the potential risks of the development environment

In the major application security events of 2015, problems caused by the development environment, such as development software and third-party SDKs, harmed a large number of users and caused public concern in the industry. Mobile application developers need to pay more attention to the potential risks of the development environment while checking whether their own applications have security vulnerabilities. Because mobile applications are released slowly and have a long repair cycle, how to quickly cut off and repair a problem and dynamically update their own security will be an issue needing continuous attention. Developers can use Aliju Security's hardening service to increase the analysis cost for attackers and protect application security.

Chapter II Android system vulnerabilities in 2015

2.1 Overview of Android system vulnerabilities

In 2015, Android system vulnerabilities showed explosive growth overall. The total number of Application Framework & Libraries vulnerabilities reached 130, up 1082% year on year, ranking first since 2009 both in absolute number and in growth rate. At the same time, there are still many privilege escalation vulnerabilities affecting Android security in the Linux kernel, such as the generic privilege escalation vulnerability CVE-2015-3636 and many privilege escalation vulnerabilities in device drivers, such as CVE-2015-8307 / CVE-2015-8680.

The rapid increase in the number of Android system vulnerabilities in 2015 is mainly due to the increasing number of researchers focusing on mobile security. As mobile security becomes more important, we believe the number of Android system vulnerabilities will remain at a high level in 2016.

Figure 11 Application Framework & Libraries vulnerability growth trend

Among the Application Framework & Libraries vulnerabilities in 2015, the top three categories are code execution, overflow and denial of service, accounting for 26%, 23% and 20% respectively. The media library produced the most code execution vulnerabilities, about 40% of all code execution vulnerabilities. In the Linux kernel, besides vulnerabilities in common kernel code, device drivers remain the disaster area for security vulnerabilities.

Figure 12 percentage of Application Framework & Libraries vulnerability categories

2.2 Typical Android system vulnerabilities

1. Code execution vulnerabilities

Ordinary users often think that as long as an application is downloaded from a legitimate channel it poses no security threat. After the explosive growth of Android system vulnerabilities in 2015, this understanding is obsolete. Taking the Stagefright vulnerability as an example, an attacker who knows only the target's phone number can launch a remote attack via MMS without the user being aware of it.

Stagefright is a core component of the Android multimedia framework. It was introduced in Android 2.2 and has been part of Android's default multimedia framework since Android 2.3. The Stagefright vulnerability exists in all versions prior to Android 5.1. Stagefright is a very complex system library that parses MPEG4, MP3 and other multimedia file formats. As the core component of the Android multimedia framework, it has more than 11 attack vectors, including the browser and MMS.

Because the Stagefright library runs in the mediaserver process, once an attacker successfully exploits the Stagefright vulnerability, he obtains the permissions of the mediaserver process; by combining it with other vulnerabilities, the attacker can then escalate to root and completely control the target. In fact, since the PC era, the parsing of complex file formats such as multimedia files has been a disaster area for security vulnerabilities. Following the Stagefright vulnerability, a series of system vulnerabilities related to multimedia file parsing were disclosed in 2015, accounting for about 40% of all code execution vulnerabilities.

Vulnerabilities related to multimedia file parsing were not the only high-risk remote attack vulnerabilities in 2015. In April 2015, Alibaba security researchers also found a buffer overflow vulnerability in the wpa_supplicant component and named it "WiFi Killer". When the WLAN Direct function is enabled on a phone, an attacker within range of the phone's WiFi can obtain code execution on the user's phone by sending malicious data remotely, without the user being aware.

The WiFi Killer vulnerability has a wide range of impact: all wpa_supplicant versions between 1.0 and 2.4 built with the CONFIG_P2P option, which is enabled by default, are affected. Since WLAN Direct is an important function in daily use, many manufacturers turn it on by default at the factory, which further increases the harm of WiFi Killer.

2. Local privilege escalation vulnerabilities

From the put_user vulnerability in 2013, to the generic vulnerability used by towelroot in 2014, to the PingPong vulnerability in 2015, at least one generic vulnerability that "kills" all Android models pops up every year.

PingPong is a kernel vulnerability reported by domestic security researchers that affects all system versions from Android 4.3 onward. The vulnerable code also exists in Android versions below 4.3, but on Android before 4.3 ordinary applications did not have permission to create the socket needed to trigger the vulnerability, so they were spared.

It is worth mentioning that the evolution of the Android system as a whole is toward stricter and stricter permission control, and the permission relaxation related to the PingPong vulnerability is one of the few "counter-examples". From Android 4.3 (up to and including the latest Android 6.0), init.rc changed the value of /proc/sys/net/ipv4/ping_group_range, altering the kernel configuration from "1 0" to "0 2147483647".

Interestingly, the main purpose of this change was to implement a ping program that does not need privileges. In essence this also strengthens the system's permission control, but in the end it created the conditions for exploiting the PingPong vulnerability. Correspondingly, some Linux desktop and server distributions that contain the same vulnerable code are, like Android before 4.3, protected from the PingPong vulnerability because they do not grant the corresponding socket permission.

The PingPong vulnerability, rooted in the Linux kernel, has wide coverage. In addition, device drivers have also been a common source of privilege escalation vulnerabilities in recent years; we found many such vulnerabilities while auditing one manufacturer's 2015 phone kernels. This kind of vulnerability is also an important factor behind the "one-click root" of Android systems in recent years.

On the other hand, since 2014, user-space vulnerabilities in the Android system have shown an outbreak trend under the attention of a large number of researchers. Take CVE-2015-1528 as an example: this is a system privilege escalation vulnerability found by domestic security researchers and reported to Google, through which attackers can obtain system privileges.

Specifically, when a GraphicBuffer object receives a specific cross-process instruction through Binder, the validity of the instruction is not verified, resulting in an integer overflow in the heap allocation. Subsequent operations on this memory block then corrupt the heap. Restricted by the Android permission model, the vulnerability needs to be exploited repeatedly: after three steps, the permission can finally be raised to system, as shown in the figure below.

Figure 13 flow of escalation to system privileges

This is not the first vulnerability on Android caused by unchecked command parameters passed over Binder; a Binder-related vulnerability was also disclosed in 2014. Because of user-space vulnerability mitigations, exploiting these vulnerabilities is often more complex and requires ROP and other exploitation techniques. At present, most malware and one-click root tools use kernel vulnerabilities directly to escalate privileges. However, as Android system permissions continue to narrow, obtaining root on Android will in future require multiple vulnerabilities working together.

2.3 Android security ecosystem and vulnerability outlook

Under Google's leadership, the Android system has kept up a pace of rapid updates. After the official launch of Android 5.0 at the end of 2014, Android 6.0 was launched in September 2015. The new Android versions' permission control and vulnerability mitigation technologies are more complete, which is of positive significance for protecting end users' phones.

Specifically, since version 4.3, Android has introduced SELinux as an important supplement to system-wide permission control. On Android 4.3 it runs in permissive mode: it only logs operations that violate the policy and does not actually block them. Since Android 4.4, SELinux has been switched to enforcing mode, and setuid binaries have been removed from the system partition, which forced root persistence tools after version 4.4 to adopt a daemon mode. On Android 5.0, SELinux's control over permissions was tightened further, so a root persistence tool must take effect after the system starts and patch the SELinux policy. With the gradual popularity of 64-bit Android models, the new Android kernels integrate the PXN feature, so that code located in the user-space address space cannot run in privileged mode, which greatly increases the difficulty of exploiting kernel vulnerabilities.

Figure 14 permission control of Android system version

However, compared with Apple's iOS, adoption of new Android versions is slow. In 2015, few users in China actually used Android 6.0. This is largely related to the long Android industry chain: after a new Android version is officially released, it must be adapted by chip manufacturers and device manufacturers before reaching users. Under the constraint of objective factors (such as R&D cost), users must wait a long time for a new system push, and some models are never updated after release.

Figure 15 proportion of users of Android system versions

This situation has a great negative impact on users' system security. On the one hand, users cannot enjoy the more complete security mechanisms of the new system; more importantly, delayed fixing of system vulnerabilities leaves users exposed to danger for a long time.

On the positive side, some domestic and foreign manufacturers with strong R&D capability can respond quickly to system vulnerabilities and release updated versions in time. Unfortunately, considering the huge number of smartphones in China, a large number of users are still directly exposed to danger.

In fact, in 2015 the number of Android system vulnerabilities broke out on a large scale, with the largest absolute number and growth over the years, and the number is expected to remain high in 2016. The core reason is not that Android itself has become worse, but that a large number of security researchers have focused on it. In the long run, more and more researchers will pay attention to the overall security of the system. In the short and medium term, however, the mass outbreak of system vulnerabilities and the failure of some users to get security updates in time will also increase the security risk of the entire Android ecosystem.

Chapter 3 iOS system vulnerabilities in 2015

2015 was destined to be an extraordinary year in the history of iOS security. Besides the XcodeGhost incident at the application layer, many memorable events took place in system security.

3.1 Overview of iOS system vulnerabilities

In 2015, iOS system vulnerabilities grew explosively: the total reached 654, up 128% year on year. In both absolute number and growth rate, this is the highest since 2009.

The main reason for the 2015 increase is that more and more researchers are focusing on mobile security. Many previously overlooked attack surfaces in the system have been examined, and the resulting vulnerabilities reported to Apple and fixed. We believe the number of iOS system vulnerabilities will remain high in 2016.

Figure 16: Trend in the number of iOS system vulnerabilities

Among iOS system vulnerabilities, denial of service, code execution and information disclosure account for the largest shares, at 18%, 17% and 16% respectively.

Figure 17: Breakdown of iOS system vulnerabilities by category

In 2015, apart from jailbreak-related vulnerabilities, the number of vulnerabilities in Apple's operating systems rose sharply compared with previous years. In particular, Apple's CVE (Common Vulnerabilities and Exposures) count exceeded that of many IT companies, and many media outlets began to criticize the security of Apple's systems. In fact, Apple pays more attention to security than other manufacturers: it carefully reviews and fixes vulnerabilities submitted by security researchers and helps them obtain CVE identifiers. iOS users need not panic; as long as they upgrade to the latest iOS version promptly, they are protected against most of these vulnerabilities. Moreover, thanks to the layered security mechanisms of Apple's operating system, few vulnerabilities can directly threaten users' security on their own.

3.2 Typical iOS system vulnerabilities

At present, iOS system vulnerabilities are used mainly for jailbreaking. Because of the security mechanisms of Apple's operating system, several vulnerabilities must be chained to achieve an untethered jailbreak. The typical chain is: a sandbox escape completes file injection, then code signing is bypassed, and finally a kernel vulnerability is used to patch kernel code and switch off the iOS security mechanisms entirely.

1. File injection vulnerability

Before jailbreaking, the payload files must be placed on the iPhone through a file injection vulnerability. The DDI race condition (developer disk image race condition, by Comex) has been widely used in recent untethered jailbreaks. It exploits a race to replace the legitimate DMG after its signature has been checked but before it is mounted, achieving file injection. The latest iOS 9 untethered jailbreak uses a new file injection method that writes files to arbitrary directories directly through IPC from inside the sandbox.
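The check-then-use race behind the DDI flaw (verify an image by path, then mount it by the same path) is a general pattern, so here is an added example that is not from the report: it models the weak flow and the hardened flow with ordinary files on a POSIX system. The file names, the fake "signature" check and the simulated racer are all constructed for the demonstration; the fix is to verify and use the same open file description rather than re-resolving the path.

```c
/* Added example (not from the report): the check-then-use race behind a
 * "verify the image, then mount it" flow, modelled with ordinary files on a
 * POSIX system. File names and the fake "signature" are constructed. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET  "toctou_target.img"   /* path the loader checks and uses */
#define ROGUE   "toctou_rogue.img"    /* file the other party swaps in */
#define TRUSTED "trusted-image"       /* stands in for a valid signature */

/* Read the whole (small) file behind fd from offset 0 into buf. */
static int read_all(int fd, char *buf, size_t bufsz) {
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Simulated signature check: content must equal the trusted string. */
static int is_trusted(int fd) {
    char buf[64];
    return read_all(fd, buf, sizeof buf) == 0 && strcmp(buf, TRUSTED) == 0;
}

/* Weak flow: verify through one open, close it, and re-open by path to use.
 * Whatever replaces the path in between is what gets used. */
static int verify_then_use_by_path(const char *path, void (*between)(void),
                                   char *out, size_t outsz) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int ok = is_trusted(fd);
    close(fd);
    if (!ok) return -2;
    if (between) between();              /* the race window */
    fd = open(path, O_RDONLY);           /* may resolve to a different file */
    if (fd < 0) return -1;
    int rc = read_all(fd, out, outsz);
    close(fd);
    return rc;
}

/* Hardened flow: verify and use the same open file description. Renaming
 * another file over the path does not change the inode fd refers to. */
static int verify_then_use_by_fd(const char *path, void (*between)(void),
                                 char *out, size_t outsz) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (!is_trusted(fd)) { close(fd); return -2; }
    if (between) between();
    int rc = read_all(fd, out, outsz);
    close(fd);
    return rc;
}

static int write_file(const char *path, const char *content) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

/* Simulated racer: atomically replace TARGET with ROGUE during the window. */
static void swap_in_rogue(void) { rename(ROGUE, TARGET); }

/* Runs one flow. Returns 1 if the trusted content was used, 0 if the rogue
 * content slipped through, negative on error. */
int demo_result(int hardened) {
    char out[64];
    if (write_file(TARGET, TRUSTED) || write_file(ROGUE, "rogue-image")) return -1;
    int rc = hardened ? verify_then_use_by_fd(TARGET, swap_in_rogue, out, sizeof out)
                      : verify_then_use_by_path(TARGET, swap_in_rogue, out, sizeof out);
    remove(TARGET);
    remove(ROGUE);
    if (rc) return rc;
    return strcmp(out, TRUSTED) == 0;
}

int main(void) {
    printf("path-based: %s\n", demo_result(0) == 1 ? "trusted" : "rogue used");
    printf("fd-based:   %s\n", demo_result(1) == 1 ? "trusted" : "rogue used");
    return 0;
}
```

The path-based flow accepts the rogue content because the second `open` resolves the name again; the fd-based flow keeps reading the verified inode. The same rule applies to any mount or load step: carry the verified object forward, never its name.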

2. Sandbox arbitrary code execution vulnerability

Details of CVE-2014-4492 were disclosed in 2015. The vulnerable server lives in the networkd process, which sandboxed processes reach through IPC. The message handler in the service does not verify the type of an xpc_data object before calling xpc_data_get_bytes_ptr on it directly; by passing in an object of another type, an attacker causes a type confusion, and with a faked object structure can ultimately control the program counter and execute arbitrary code.

The exploitation went so smoothly thanks to two other weaknesses in Apple's system at the time: first, heap addresses were relatively predictable, so an attacker could place attack content at an almost exact location with a heap spray; second, the image base of the dyld shared library cache was the same across processes, so ROP gadgets could be built without worrying about ASLR.

It is worth noting that this kind of vulnerability can be triggered directly by a sandboxed app on non-jailbroken devices, which poses a great risk to users.
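To make the missing-type-check defect concrete, here is an added example that is neither the report's nor Apple's code: a toy model of an IPC handler receiving a tagged message object. Apple's XPC API is not used; the ipc_obj type, its tags, the two handlers and the sample messages are constructed for the demonstration. The weak handler reads the data pointer and length without looking at the tag, which is the shape of the defect; the checked handler refuses anything that is not a data object.

```c
/* Added example (not the report's or Apple's code): a toy model of an IPC
 * handler receiving a tagged message object. Apple's XPC API is not used; the
 * ipc_obj type, its tags and the handlers are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { IPC_STRING = 1, IPC_DATA = 2, IPC_INT64 = 3 } ipc_type;

/* A message object: a type tag and a payload whose layout depends on the tag. */
typedef struct {
    ipc_type type;
    union {
        struct { const char *s; size_t cap; } string;     /* text and its capacity */
        struct { const uint8_t *ptr; size_t len; } data;  /* bytes and their length */
        int64_t i64;
    } u;
} ipc_obj;

/* Weak handler: assumes the peer sent a data object and reads the pointer and
 * length without looking at the tag. For a string object the string's buffer
 * and capacity are read as if they were the data pointer and length; for
 * other types the fields are whatever happens to be in memory. This is the
 * type confusion the text describes. Returns bytes copied. */
size_t handle_weak(const ipc_obj *msg, uint8_t *out, size_t outsz) {
    const uint8_t *p = msg->u.data.ptr;      /* no check of msg->type */
    size_t n = msg->u.data.len;
    if (n > outsz) n = outsz;
    memcpy(out, p, n);
    return n;
}

/* Hardened handler: the tag is checked before any field is interpreted, and
 * the copy is bounded. Returns -1 on a type mismatch, else bytes copied. */
long handle_checked(const ipc_obj *msg, uint8_t *out, size_t outsz) {
    if (msg == NULL || msg->type != IPC_DATA || msg->u.data.ptr == NULL) return -1;
    size_t n = msg->u.data.len;
    if (n > outsz) n = outsz;
    memcpy(out, msg->u.data.ptr, n);
    return (long)n;
}

/* Constructed messages for the demonstration. */
static const uint8_t sample_bytes[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
static const char    sample_text[16] = "hello";   /* 16-byte buffer, 5 used */

static ipc_obj data_msg(void) {
    ipc_obj m = { .type = IPC_DATA };
    m.u.data.ptr = sample_bytes;
    m.u.data.len = sizeof sample_bytes;
    return m;
}

static ipc_obj string_msg(void) {
    ipc_obj m = { .type = IPC_STRING };
    m.u.string.s = sample_text;
    m.u.string.cap = sizeof sample_text;
    return m;
}

/* How each handler treats a string object: the weak one copies cap bytes from
 * the string buffer as if it were data, the checked one refuses. */
size_t weak_bytes_from_string(void) {
    uint8_t out[32];
    ipc_obj m = string_msg();
    return handle_weak(&m, out, sizeof out);     /* 16: the string's capacity */
}

long checked_result_for_string(void) {
    uint8_t out[32];
    ipc_obj m = string_msg();
    return handle_checked(&m, out, sizeof out);  /* -1: wrong type refused */
}

long checked_result_for_data(void) {
    uint8_t out[32];
    ipc_obj m = data_msg();
    return handle_checked(&m, out, sizeof out);  /* 4: real data copied */
}
```

In the toy the aliased fields happen to be a valid buffer, so the confusion only copies the wrong bytes; in a real service the peer chooses the object type, so the aliased "pointer" and "length" are whatever that object holds, which is why the check on the tag must come before any field is touched.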

3. Kernel vulnerability

In the jailbreak process, the main goal of the kernel vulnerability is to turn exploitation into a stable arbitrary kernel read/write primitive, and then modify kernel code to switch off the iOS security mechanisms from inside the kernel.

Although the iOS kernel has many security mechanisms (SMAP, DEP, KASLR), only a few heap overflow vulnerabilities can be exploited on their own to bypass all of them. The jailbreak vulnerabilities of 2015 all belong to this type, but they can only be triggered after the sandbox escape and signature bypass have been completed, so they do not directly pose a security threat. The kernel vulnerabilities of recent untethered jailbreaks (iOS 7.1.2 to iOS 9.0) were all found in the open-source driver module IOHIDFamily.

CVE-2014-4487, used by the iOS 8.1.2 jailbreak, is in IOHIDFamily (IOHIDLibUserClient) and is a typical heap overflow. The vulnerability model is: a buffer of any size can be created with IOMalloc and then freed with an arbitrary size (the iOS kernel's fast heap allocation mechanism). Because the iOS freelist is LIFO, the buffer is freed to a zone larger than its original size, and an out-of-line Mach message is then used to allocate a chunk of the larger kalloc zone size, which covers the elements originally adjacent to the smaller chunk; this completes the conversion into a buffer overflow. On iOS 8, the kdata of a vm_map_copy is modified through the overflow to obtain arbitrary kernel reads. After the kernel's KASLR image base is obtained, the adjacent object is further converted into an IOUserClient subclass so as to override the getExternalTrapForIndex virtual function, yielding arbitrary read and write.

CVE-2015-6974, used by the iOS 9 jailbreak, is in IOHIDFamily (IOHIDLibUserClient) and is a typical use-after-free: the pointer to an IOService subclass (a C++ object) is not cleared after the object is released. After the release, user mode can still call the object's virtual functions through the IOHIDResourceUserClient and control the parameters. The freed address is then reoccupied with a controlled object through heap feng shui, which discloses the kernel base and controls the vtable to find suitable gadgets, converting the bug into arbitrary read and write.
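The two IOHIDFamily bugs above share a root: the allocator trusts a size the caller supplies on free, and a user client keeps a pointer to an object that has been released. The following added example, which is neither the report's nor XNU's code, models both with a toy size-classed pool. The zone_* and client_* names, the two size classes and the scenario helpers are all constructed; the weak variants reproduce the defect shapes and the checked variants show the mitigations (size recorded at allocation is authoritative, memory poisoned on free, reference cleared on release).

```c
/* Added example, not from the report or from XNU: a toy size-classed pool
 * modelling the two kernel heap weaknesses the text describes, a free whose
 * size does not match the allocation, and a pointer kept after release. The
 * zone_* and client_* names are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ZONE_SLOTS  8
#define CLASS_SMALL 64
#define CLASS_LARGE 256

typedef struct {
    uint8_t mem[CLASS_LARGE];  /* toy: every slot has room for the large class */
    size_t  cls;               /* size class recorded when handed out */
    int     live;              /* 1 while allocated */
} zone_slot;

static zone_slot zone[ZONE_SLOTS];

static size_t size_class(size_t n) { return n <= CLASS_SMALL ? CLASS_SMALL : CLASS_LARGE; }

static zone_slot *slot_of(const void *p) {
    for (int i = 0; i < ZONE_SLOTS; i++)
        if ((const void *)zone[i].mem == p) return &zone[i];
    return NULL;
}

void *zone_alloc(size_t n) {
    if (n == 0 || n > CLASS_LARGE) return NULL;
    for (int i = 0; i < ZONE_SLOTS; i++) {
        if (!zone[i].live) {
            zone[i].live = 1;
            zone[i].cls = size_class(n);
            memset(zone[i].mem, 0, sizeof zone[i].mem);
            return zone[i].mem;
        }
    }
    return NULL;
}

size_t zone_class_of(const void *p) { zone_slot *s = slot_of(p); return s ? s->cls : 0; }
int    zone_is_live(const void *p)  { zone_slot *s = slot_of(p); return s ? s->live : 0; }

/* Weak free: trusts the caller's size, so a chunk handed out at 64 bytes is
 * returned to the 256-byte list. In a real zone the next 256-byte allocation
 * then spans the chunk and its neighbour (the overflow conversion the text
 * describes); the toy only records the re-tag. */
int zone_free_weak(void *p, size_t n) {
    zone_slot *s = slot_of(p);
    if (!s || !s->live) return -1;
    s->cls = size_class(n);
    s->live = 0;
    return 0;
}

/* Hardened free: the class recorded at allocation is authoritative, a
 * mismatching size is refused, and the memory is poisoned so a stale pointer
 * finds garbage rather than a reusable object. */
int zone_free_checked(void *p, size_t n) {
    zone_slot *s = slot_of(p);
    if (!s || !s->live) return -1;
    if (size_class(n) != s->cls) return -2;
    memset(s->mem, 0xAA, sizeof s->mem);
    s->live = 0;
    return 0;
}

/* Dangling-pointer model: a user client holding a service object with a
 * function pointer, the shape of the C++ object and virtual call in the text. */
typedef struct { int (*trap)(void); } service;
typedef struct { service *svc; } user_client;

static int ok_trap(void) { return 42; }

int client_attach(user_client *c) {
    c->svc = zone_alloc(sizeof(service));
    if (!c->svc) return -1;
    c->svc->trap = ok_trap;
    return 0;
}

/* Weak release: frees the object but leaves c->svc pointing at it. */
int client_release_weak(user_client *c) { return zone_free_checked(c->svc, sizeof(service)); }

/* Hardened release: free and clear the reference in one step. */
int client_release_checked(user_client *c) {
    int rc = zone_free_checked(c->svc, sizeof(service));
    c->svc = NULL;
    return rc;
}

/* Trap dispatch. The liveness query stands in for what poisoning achieves in
 * a real kernel, where code cannot ask a stale object whether it is free;
 * the NULL check is the one a release routine can actually make possible. */
int client_call_trap(const user_client *c) {
    if (c->svc == NULL || !zone_is_live(c->svc)) return -1;
    return c->svc->trap();
}

/* Scenario helpers so the outcomes can be checked. */
int demo_size_mismatch(void) {        /* 1 if checked free refused and weak re-tagged */
    void *a = zone_alloc(16), *b = zone_alloc(16);
    int refused  = zone_free_checked(a, 200) == -2;
    int retagged = zone_free_weak(b, 200) == 0 && zone_class_of(b) == CLASS_LARGE;
    zone_free_checked(a, 16);
    return refused && retagged;
}

int demo_dangling(int hardened) {     /* bit0: stale call refused, bit1: pointer cleared */
    user_client c = { NULL };
    if (client_attach(&c) != 0 || client_call_trap(&c) != 42) return -1;
    if (hardened) client_release_checked(&c); else client_release_weak(&c);
    return (client_call_trap(&c) == -1) | ((c.svc == NULL) << 1);
}
```

The size check on free is the part that closes the "allocate at one size, free at another" primitive; clearing the reference on release is the part that turns the use-after-free into a NULL dereference, which a kernel can detect, rather than a call through an attacker-reoccupied object.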

Apple has made great efforts to break this heap overflow exploitation chain: first it restricted the Mach port object (CVE-2014-4496) and Mach port space info (CVE-2015-3766) interfaces, which had been used to determine page boundaries during exploitation, so heap feng shui became less stable. Then, in iOS 9.0, the vm_map_copy object was heavily reworked, making it much harder to construct arbitrary-size frees and arbitrary-address reads. In addition, the new KPP mechanism makes the kernel ever more secure.

3.3 iOS vulnerability outlook

In 2015, with the continuing growth of iOS system vulnerabilities and the fallout of the XcodeGhost incident, it became clear that many attacks on iOS are still overlooked. For example, on a non-jailbroken device a sandboxed app can gain root code execution through a vulnerability and steal user privacy and other third-party apps' data.

We can boldly predict that 2016 will be an extraordinary year for iOS security: there will be more iOS kernel vulnerabilities and jailbreaks for iOS 9.2 and 9.3; a vulnerability similar to Stagefright on Android may also appear on iOS; and we may see more disclosures of attacks like the AirDrop one, allowing an attacker to push and install malicious applications on arbitrary devices within range.

But attack and defense are always relative. The new iOS 10 will be unveiled at Apple's 2016 Worldwide Developers Conference and will surely bring new and stronger security mechanisms. In the new year, security researchers will certainly devote more attention to iOS system security, and we believe that through this interplay with Apple, iOS security will reach a higher level.

*Author: Alibaba Mobile Security (enterprise account). Reprints should credit FreeBuf hackers and geeks (freebuf.com).