Description of my Presentation at OWASP AppSec Africa 2017

I was invited to talk at OWASP AppSec Africa 2017 in Casablanca, Morocco on Wednesday, February 1st, 2017. My presentation was entitled "How Did I Hack Twitter and WhatsApp for iOS?". I had the honor of presenting in front of an audience well versed in cyber security. I hope this made a difference or opened a path for people who want to pursue a career in cyber security, especially on the iOS platform.

In this presentation, I talked about two of my discoveries as a security researcher in the Twitter (2014) and WhatsApp (2015) applications for iOS. The first one was an open authentication flaw which allowed me to hijack the active session in the Twitter application. The second one was an encryption problem in WhatsApp which allowed me to steal the conversations and contacts stored on that device. After I reported that vulnerability, WhatsApp applied end-to-end encryption, which has since protected millions of users. These discoveries were considered achievements because they were the first Moroccan discoveries on the iOS platform.

As an introduction to these discoveries, I talked about the iOS security architecture, which is a rarely covered field in the Moroccan cyber security community. I threw light on the system vulnerabilities that allowed me to access some important files of the installed applications, in addition to giving an overview of the iOS security system. I also mentioned some design patterns in operating system design that separate the system, kernel, and user modes, namely GDT entries (global descriptor table entries).

One of the famous bugs in iOS is the lock bypass, from the device itself or from a computer. At this point, we have three main paths to follow: Ubuntu (or another Linux-based distribution), Mac OS X, or Windows. I tried them all and noticed that they dealt with the iDevice in different manners: Ubuntu was trying to access it as a physical hard drive, while the others were treating it as an iDevice (trying to connect it with iTunes). For WhatsApp, the bug was in iOS 9. I could access the system files, including the files of the applications themselves. At this level, I would like to describe how an iOS application works based on the general file hierarchy in iOS. In other words, I would like to explain the role of ".plist" files in the iOS system.
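To make the role of ".plist" files concrete, here is an added example (my own illustration, not code from the talk or from any of the applications mentioned) that parses a property list the way an app's container files would be read during an audit, and flags keys whose names suggest credentials stored in plain form. The sample plist, its bundle identifier, keys and values are all constructed; the only real API used is Python's standard plistlib, which reads both the XML and the binary (bplist00) encodings an iOS device writes.

```python
import plistlib
import re

# Constructed sample: an XML property list of the kind an iOS app keeps in its
# container (for example Library/Preferences/<bundle id>.plist). Every key and
# value below is invented for this demonstration.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.demoapp</string>
    <key>LastSyncDate</key>
    <date>2017-01-31T10:00:00Z</date>
    <key>account</key>
    <dict>
        <key>username</key>
        <string>alice</string>
        <key>oauth_access_token</key>
        <string>EXAMPLE-TOKEN-0123456789abcdef</string>
    </dict>
    <key>settings</key>
    <array>
        <dict>
            <key>api_password</key>
            <string>hunter2</string>
        </dict>
    </array>
</dict>
</plist>
"""

# Key names that usually mean "this value should not live in a plain file".
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|api[_-]?key|session)", re.I)


def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_sensitive(plist_bytes):
    """Parse an XML or binary plist and return (path, value) pairs whose key looks like a credential."""
    data = plistlib.loads(plist_bytes)          # plistlib detects XML vs. binary (bplist00) itself
    hits = []
    for path, value in walk(data):
        leaf_key = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY.search(leaf_key):
            hits.append((path, value))
    return hits


def to_binary(plist_bytes):
    """Re-encode a plist in the binary format a device normally writes, to show both forms audit alike."""
    return plistlib.dumps(plistlib.loads(plist_bytes), fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for path, value in find_sensitive(SAMPLE_PLIST):
        print(f"{path} = {value!r}")
    print(to_binary(SAMPLE_PLIST)[:8])   # the binary form starts with the bplist00 magic
```

The point for a developer is the second half of the output: whether the file is XML or binary makes no difference to anyone who can read the app container, so values matching the pattern belong in the Keychain rather than in a plist.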

Concerning Twitter's bug, I threw light on the multiple authentication levels in mobile applications, for instance the access token method, which was the main factor in the bug that I discovered in Twitter. Moreover, I would like to talk briefly about third-party applications, which are widely used today, and the security risks that threaten their users. This bug leads us to explain further the difference between authorization and authentication, a point which explains in depth the real role of the access token.
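The authentication/authorization distinction is easiest to see in code. The following is an added example of my own, not Twitter's token format or anything from the talk: a minimal bearer token whose MAC and expiry answer the authentication question (is this a genuine, current token?) and whose scope list answers the authorization question (may this principal do this action?). The signing key, action names and scopes are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side signing key; a real service keeps this in a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Which scope each API action requires (invented action names).
SCOPE_FOR = {"read_timeline": "read", "post_message": "write", "delete_account": "admin"}


def issue_token(user, scopes, ttl_seconds, now=None):
    """Issue a bearer token: base64url(JSON payload) + '.' + HMAC-SHA256 over the payload."""
    now = time.time() if now is None else now
    payload = {"sub": user, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token, now=None):
    """Authentication: is this token genuine (our MAC) and still valid? Returns the payload or None."""
    now = time.time() if now is None else now
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= now:
        return None
    return payload


def authorize(payload, needed_scope):
    """Authorization: may this authenticated principal perform the action?"""
    return payload is not None and needed_scope in payload["scopes"]


def handle_request(token, action, now=None):
    """Return an HTTP-style status: 401 when authentication fails, 403 when authorization fails."""
    payload = verify_token(token, now)
    if payload is None:
        return 401
    if not authorize(payload, SCOPE_FOR[action]):
        return 403
    return 200


if __name__ == "__main__":
    token = issue_token("alice", {"read"}, ttl_seconds=3600)
    print(handle_request(token, "read_timeline"))        # 200: authenticated and allowed
    print(handle_request(token, "post_message"))         # 403: authenticated, but scope missing
    print(handle_request(token + "x", "read_timeline"))  # 401: MAC no longer matches
```

Note what the token does not carry: anything tying it to the device or session that obtained it. Whoever presents a valid token is treated as the user until it expires, which is why a short lifetime and server-side revocation matter as much as the MAC itself.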

As a motivation, I shared the responses of the two security teams of the companies, which confirmed the vulnerabilities. In addition, I want to share some tips that I used to find those vulnerabilities, which would help security researchers interested in iOS. They will change their minds, because the majority of security researchers consider iOS a monster: it is known for its strong security mechanisms. However, it has some flaws that might be used to discover serious security issues in some well-known applications. I hope that this presentation will throw light on the problem of authentication in cyber security and bring the question of the password as a good or bad authentication factor to the Moroccan cyber security community.

With love,

Image Copyright: https://www.law.georgetown.edu/continuing-legal-education/programs/cle/cybersecurity/images/shutterstock_165303932.jpg

Steganography: The Art of Hiding Secrets

Steganography is one of the complex fields in computer security. Its complexity comes from the limited resources that explain it; it is rare to find a course about it. However, steganography has always been with human beings. We just do not pay attention to it.

Steganography is the art and science of embedding secret messages in a cover message in such a way that no one, apart from the sender and the intended recipient, suspects the existence of the message. The word is a combination of two Greek words: steganos, which means covered, and graphia, which means writing.

Historically speaking, it has always been with human beings. For instance, messages between empires tended to be hidden on messengers' heads. In addition, human beings used invisible ink to write their messages in order to hide them. So, steganography is not by definition related to computer science. It has historic roots, and it played an important role in human communication and security.

If you read this definition, you might be confused about the difference between steganography and cryptography. Basically, they have almost the same goal, which is protecting a message or information from third parties. However, they have different mechanisms to protect the information. Cryptography changes the information into an unreadable piece of data which cannot be understood without the key. So, it involves another concept, which is keys for encryption and decryption. On the other hand, steganography does not change the format of the information. It just hides it from third parties. It can be used anywhere and anytime, simply by telling the other party in the communication how to read or extract the information.

Technically, steganography conceals the existence of the message. It does not alter the structure of the secret message, but hides it inside a cover file so that it cannot be seen. Cryptography, on the other hand, hides the contents of a secret message from malicious people: the structure of the message is scrambled to make it meaningless and unintelligible unless the decryption key is provided. Thus, cryptography encrypts the message, but the message can still be seen.

In this article, I will mention two applications of steganography in two different file types. The first one is audio steganography, where we will take an audio file which contains a secret message behind it and try to analyze it. It sounds like a meaningless track, but it has an invisible meaning. It can be used in many applications, mainly in military and government digital security. The second one is image steganography, where we will hide a text file inside a picture and then do the reverse operation to extract the message.

The process of analyzing a modified audio file, image, or any other file type is called steganography analysis or steganalysis. Technically, it can be linked to another concept, which is reverse engineering: the process of extracting a hidden piece of data from a file of a different type. I made the comparison between steganalysis and reverse engineering because they have a common point, which is seeing things from the back end. In other words, it can be defined as breaking the encapsulation layer that is hidden from the end user.
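Before looking at the two challenge files, here is an added example of my own (not from any challenge or tool named in this article) of the simplest image steganography scheme and its reverse operation: the bytes of a text file are written into the least significant bit of each pixel, then read back. The cover image is a constructed 64x64 grayscale gradient held as a plain list of pixel values, so no imaging library is needed; the length header and the message bytes are constructed too.

```python
import struct


def make_cover(width=64, height=64):
    """Constructed 8-bit grayscale cover image: a diagonal gradient, stored as a flat list of pixels."""
    return [(x + y) % 256 for y in range(height) for x in range(width)]


def embed_lsb(cover, message):
    """Hide message bytes in the least significant bit of each pixel; returns a new pixel list.

    A 4-byte big-endian length header goes first so the extractor knows where the message ends."""
    payload = struct.pack(">I", len(message)) + message
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(payload)}")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit     # pixel value changes by at most 1
    return stego


def extract_lsb(stego):
    """Reverse operation: read the LSB plane, decode the length header, then the message."""
    bits = [pixel & 1 for pixel in stego]

    def take(n_bytes, bit_offset):
        out = bytearray()
        for k in range(n_bytes):
            chunk = bits[bit_offset + 8 * k: bit_offset + 8 * k + 8]
            out.append(int("".join(str(b) for b in chunk), 2))
        return bytes(out)

    length = struct.unpack(">I", take(4, 0))[0]
    return take(length, 32)


def difference_report(cover, stego):
    """How much the cover changed: this is why LSB embedding is invisible to the eye."""
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    changed = sum(1 for d in diffs if d)
    return {"changed_pixels": changed, "max_diff": max(diffs), "changed_fraction": changed / len(cover)}


if __name__ == "__main__":
    cover = make_cover()
    secret = b"Hidden text file contents."      # constructed stand-in for the text file
    stego = embed_lsb(cover, secret)
    print(extract_lsb(stego))
    print(difference_report(cover, stego))
```

The report shows the steganography side of the definition above: no pixel moves by more than one level and only the pixels carrying header and message bits change at all, so the picture still looks and opens exactly as before. The extractor is also the first steganalysis step: once an analyst suspects an LSB scheme, reading the bit plane and looking for a plausible header is all it takes.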

Let's take a look at an audio file, which is basically a .wav file. You can download it from here: https://www.dropbox.com/s/n4o3hdp9mfkadqf/WAVFile.wav?dl=0 .

It was a challenge in a CTF. You can find another audio file in one of the root-me.org steganography challenges that can be solved with the same technique. If you listen to it, you will just hear some noise, which is meaningless to us. However, if you use Audacity or another audio analysis program, you will notice that this is not the case. In my experience, I used an old program called gram. You can download it from here if you want to do the experiment: https://www.dropbox.com/sh/x29xyo2vyjv1e8e/AACSTHW_x2pxHpZ4C9caZWska?dl=0 . The environment in which I am running the experiment is Ubuntu Xenial Xerus with wine1.6 installed to run Windows programs in a Linux-based environment. When you analyze the audio file, you will see the secret message, which is "HackThis!!" in our case.

[Image: gram's analysis of the audio file, showing the hidden text "HackThis!!"]

So, you can see a hidden message in a meaningless audio file.
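As an added example of my own (not the CTF file above and not how gram works internally), the following builds a WAV file that sounds like hiss but carries a message as bursts of a 1 kHz tone, then recovers it the way a spectrogram reveals it: by measuring the power at that frequency in each short time window. The carrier, sample rate, frame size and message are all constructed; the analysis uses the Goertzel algorithm, which computes one spectrogram cell at a time, so the whole thing runs with the standard library only.

```python
import io
import math
import random
import struct
import wave

RATE = 8000        # samples per second (constructed, low to keep the example fast)
FRAME = 400        # samples per bit: 50 ms, so the frequency bins are 20 Hz apart
TONE_HZ = 1000.0   # bin 50 of a 400-point analysis, i.e. exactly on a bin centre


def text_to_bits(text):
    return [(byte >> shift) & 1 for byte in text.encode() for shift in range(7, -1, -1)]


def bits_to_text(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return out.decode(errors="replace")


def make_wav(message, seed=1):
    """Constructed carrier: uniform noise everywhere, plus a 1 kHz tone during every '1' bit frame.

    To the ear this is just hiss; on a spectrogram the tone bursts draw the message along the 1 kHz row."""
    rng = random.Random(seed)
    samples = []
    for bit in text_to_bits(message):
        for n in range(FRAME):
            noise = rng.uniform(-0.3, 0.3)
            tone = 0.5 * math.sin(2 * math.pi * TONE_HZ * n / RATE) if bit else 0.0
            samples.append(int(32767 * (noise + tone)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(RATE)
        wav.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()


def goertzel_power(frame, target_hz):
    """Power at one frequency in one frame: a single cell of the spectrogram a tool like gram draws."""
    k = round(len(frame) * target_hz / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def spectrogram_row(wav_bytes, target_hz=TONE_HZ):
    """Power of target_hz in each consecutive FRAME-sized window of the WAV data."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as wav:
        raw = wav.readframes(wav.getnframes())
    samples = [s / 32768.0 for s in struct.unpack(f"<{len(raw) // 2}h", raw)]
    return [goertzel_power(samples[i:i + FRAME], target_hz)
            for i in range(0, len(samples) - FRAME + 1, FRAME)]


def extract(wav_bytes):
    """Steganalysis step: threshold the 1 kHz row halfway between its quietest and loudest frames."""
    powers = spectrogram_row(wav_bytes)
    threshold = (min(powers) + max(powers)) / 2.0
    return bits_to_text([1 if p > threshold else 0 for p in powers])


if __name__ == "__main__":
    print(extract(make_wav("HackThis!!")))
```

The CTF file draws letter shapes across many frequency rows rather than bits along one row, but the analysis is the same: a spectrogram is nothing more than this power measurement repeated for every frequency bin and every window, which is why a visual tool exposes in seconds what the ear never notices.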

For the image part, a steganography challenge consisted of detecting the program used to hide a text inside an image. It was quite a funny image.

[Image: the challenge image]

The problem was to analyze two seemingly identical images. At this level, we will not talk about file signatures and file extensions; I believe I will talk about them in another article because they are involved in other fields. However, at this stage, I used WinHex to analyze the hexadecimal content of the image. You can use a text editor as well, like gedit or Notepad, just to see the image from another perspective. I found a weird signature at the end of the modified image. This is the original image.

[Image: hex dump of the original image]

And this is the modified one. You can notice “CDN” at the end of the image.

[Image: hex dump of the modified image, ending with "CDN"]

I looked at this "weird" signature and found that it is the signature of a program called Hiderman, which can hide a text file in an image. I used the same program to extract the message.
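What WinHex showed by eye can be automated. The following is an added example of my own, not Hiderman's format and not the challenge files: it walks the structure of a JPEG (marker segments up to the EOI marker) or a PNG (chunks up to IEND) and returns whatever bytes sit after the image's real end, which is where programs that append a payload leave their signature. The sample JPEG and PNG are minimal constructed byte strings, and the trailer is constructed too; I only borrowed the "CDN" tag from the hex dump above, and deliberately put an FF D9 pair inside the trailer to show why a naive search for the last EOI marker is not enough.

```python
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end(data):
    """Offset just past the EOI marker, found by walking JPEG marker segments.

    Walking the structure (instead of searching for the last FF D9) means an FF D9 that happens
    to occur inside appended data cannot be mistaken for the real end of image."""
    if not data.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                                    # fill byte, re-sync
            i += 1
            continue
        if marker == 0xD9:                                    # EOI
            return i + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers (TEM, SOI, RSTn)
            i += 2
            continue
        if i + 4 > len(data):
            return None
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")     # skip marker + length-prefixed payload
        if marker == 0xDA:                                    # SOS: entropy-coded data follows
            while i + 1 < len(data):
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                                     # a real marker (not stuffing, not RST)
                i += 1
    return None


def png_end(data):
    """Offset just past the IEND chunk (4-byte length + 'IEND' + 4-byte CRC), walking PNG chunks."""
    if not data.startswith(PNG_SIG):
        return None
    i = len(PNG_SIG)
    while i + 8 <= len(data):
        length = int.from_bytes(data[i:i + 4], "big")
        chunk_type = data[i + 4:i + 8]
        i += 12 + length
        if chunk_type == b"IEND":
            return i
    return None


def appended_data(data):
    """Bytes that follow the image's structural end: b"" for a clean file, None for an unknown format."""
    end = jpeg_end(data) if data.startswith(b"\xff\xd8") else png_end(data)
    return None if end is None else data[end:]


# --- Constructed samples (not real photos; just enough structure for the walkers) ---
SAMPLE_JPEG = (
    b"\xff\xd8"                                                           # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")                               # APP0, length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                     #   JFIF header, 14 bytes
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"  # SOS, one component
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                                 # scan data with FF00 stuffing and RST0
    + b"\xff\xd9"                                                         # EOI
)


def _png_chunk(chunk_type, payload):
    crc = zlib.crc32(chunk_type + payload).to_bytes(4, "big")
    return len(payload).to_bytes(4, "big") + chunk_type + payload + crc


SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x00\x00\x00\x00")
              + _png_chunk(b"IEND", b""))

# Constructed trailer: a "CDN" tag followed by a payload that deliberately contains FF D9 bytes.
TRAILER = b"CDN" + b"\x00\x0bhello world" + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in [("clean jpeg", SAMPLE_JPEG), ("stego jpeg", SAMPLE_JPEG + TRAILER),
                       ("clean png", SAMPLE_PNG), ("stego png", SAMPLE_PNG + TRAILER)]:
        print(f"{name}: {appended_data(blob)!r}")
```

A viewer stops reading at EOI or IEND, which is exactly why appended data survives unnoticed and why checking for it is a cheap first pass in steganalysis of image files.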

This was just an overview of steganography. I will try to talk about it in more depth in upcoming articles. I believe it is an important field to know about, since it is rarely covered in universities. It can change your way of seeing files as "cute" pieces of data; they can also contain secret messages or information.

Image Copyright: WonderHowTo http://img.wonderhowto.com/img/05/12/63537824039022/0/introduction-steganography-its-uses.1280×600.jpg