Posted to users@flex.apache.org by Deepak MS <me...@gmail.com> on 2015/03/04 09:17:23 UTC

Flex AIR iPad App security concerns

Hello,
We have developed some apps specifically for iPads and there has been
rigorous testing from security team using some hacking tools. What these
tools do is they display all the code variables and their values from the
ipa file that we provide to them. Due to this, our app db locations (sqlite
files for offline app) and passwords used (to unzip a secured zip file, that
gets downloaded, using ANEZipFile native extension) are clearly exposed. It
literally shows all the coding that has been done (still wondering how can
this be possible from swf and then from ipa).

I'm new to security thingie and have no idea. Can anyone who has worked on
this kindly share best practices?

Some screenshots from the tool which shows the variables and values used in
the app:

http://pbrd.co/1M69vES
http://pbrd.co/1M69MYB

App is built using Flex 4.13FP15AIR15.

Appreciate your help.

Re: Flex AIR iPad App security concerns

Posted by Greg Dove <gr...@gmail.com>.
I don't think that technique will work on iOS, because I am pretty sure
that Loader.loadBytes does not work for content with actionscript bytecode.
You can only load external swfs which have been processed during AIR
packaging



On Thu, Mar 5, 2015 at 4:01 AM, Deepak MS <me...@gmail.com> wrote:

> Hi Erik,
> I tried that. But it gives me a blank screen. I'm using native extensions.
> Will that be an issue here? I tried wrapping it both in the main shell and
> also in the child application.
>
> On Wed, Mar 4, 2015 at 3:19 PM, Erik de Bruin <er...@ixsoftware.nl> wrote:
>
> > You may want to check out this technique:
> >
> > http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
> >
> > EdB
> >
>

Re: Flex AIR iPad App security concerns

Posted by Deepak MS <me...@gmail.com>.
Hi Erik,
I tried that. But it gives me a blank screen. I'm using native extensions.
Will that be an issue here? I tried wrapping it both in the main shell and
also in the child application.

On Wed, Mar 4, 2015 at 3:19 PM, Erik de Bruin <er...@ixsoftware.nl> wrote:

> You may want to check out this technique:
>
>
> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>
> EdB
>

Re: Flex AIR iPad App security concerns

Posted by Tomislav Pokrajcic <to...@svemir.net>.
Also have in mind that Base64 encoding will increase the file size 
(maybe around 30%).

On 4.3.2015. 15:43, Deepak MS wrote:
> Thanks Tomislav, I'll try that as well. File size would be quite big,
> around 200 - 250MB. Maybe I need to decode it back in chunks.
>
> On Wed, Mar 4, 2015 at 5:34 PM, Tomislav Pokrajcic <to...@svemir.net>
> wrote:
>
>> If your system works with user accounts, you can use them to restrict
>> access to sensitive data (like contents of a zip file).
>> E.g. don't serve zip file from an open URL but make it available only
>> through protected server side call accessible to users with existing
>> accounts.
>> Easy way to do it is to encode zip to Base64 and serve it to the client as
>> a string within AMF, JSON, XML or whatever data structure.
>> That way there's no need to hardcode any passwords.
>> Cheers,
>>
>> Tomislav
>>
>>
>>
>> On 4.3.2015. 11:40, Deepak MS wrote:
>>
>>> Hi Tom,
>>> Ok. This is how it's all set up:
>>> Firstly db file gets downloaded on the device which is a password protected
>>> zip file. I'm using ANEZipFile ANE to unzip this zip file(
>>> https://github.com/xperiments/ANEZipFile) and I'm using unzip method from
>>> it [ unzip(zipfile : File, destination : File, overwrite : Boolean = false,
>>> password : String = "") : void;) ]
>>>
>>> I need to pass the password while calling unzip method. Whether I pass a
>>> variable to 'password' parameter here or even if I directly pass the
>>> password value, it shows up in that console. Whether I store the password
>>> in my code or whether I get it from a service from backend, ultimately I
>>> need to pass it to this method and it might show up again on that console.
>>> I'm not sure how else I can pass the password to unzip method. For that
>>> matter, I reckon the tool can hack the native extension's code too?
>>>
>>> That's one part and as you said, the db location is something like this
>>> https://myserver.com/ipaddata/dbfile.zip . We can easily browse this and
>>> download the zip file. We are not able to restrict it. If we restrict it we
>>> get stream error in the app and app cannot download the file. ;( Hence I
>>> wondered, if at least password can be hidden, there can be some relief.
>>>
>>> Hi Erik,
>>> Thanks for the link. I'll give that too a try.
>>>
>>> On Wed, Mar 4, 2015 at 3:26 PM, Tom Chiverton <tc...@extravision.com> wrote:
>>>
>>>> There are also dedicated .swf obfuscating products I suppose.
>>>> Tom
>>>>
>>>>
>>>> On 04/03/15 09:49, Erik de Bruin wrote:
>>>>
>>>>> You may want to check out this technique:
>>>>> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>>>>>
>>>>> EdB
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <me...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>> We have developed some apps specifically for iPads and there has been
>>>>>> rigorous testing from security team using some hacking tools. What these
>>>>>> tools do is they display all the code variables and their values from the
>>>>>> ipa file that we provide to them. Due to this, our app db locations (sqlite
>>>>>> files for offline app) and passwords used (to unzip a secured zip file, that
>>>>>> gets downloaded, using ANEZipFile native extension) are clearly exposed. It
>>>>>> literally shows all the coding that has been done (still wondering how can
>>>>>> this be possible from swf and then from ipa).
>>>>>>
>>>>>> I'm new to security thingie and have no idea. Can anyone who has worked on
>>>>>> this kindly share best practices?
>>>>>>
>>>>>> Some screenshots from the tool which shows the variables and values used in
>>>>>> the app:
>>>>>>
>>>>>> http://pbrd.co/1M69vES
>>>>>> http://pbrd.co/1M69MYB
>>>>>>
>>>>>> App is built using Flex 4.13FP15AIR15.
>>>>>>
>>>>>> Appreciate your help.
>>>>>>
>>>>>>
>>>>>
>>
>>
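Added example (not from the thread, and not code from the ANEZipFile project or AIR) to illustrate the two points above: Tomislav's note on Base64 overhead and Deepak's question about decoding a 200-250 MB payload in chunks. It is Python rather than ActionScript so it runs as-is; names such as decode_base64_chunks and roundtrip_demo are this example's own. The exact overhead is 4/3 (about 33%, plus padding and any line breaks), and chunked decoding only works when each decoded piece is a whole number of 4-character groups, so the decoder carries an incomplete tail over to the next chunk and reports a payload that ends mid-group as truncated.

```python
import base64
import io
import os


def base64_length(raw_len: int) -> int:
    """Exact number of Base64 characters for raw_len bytes (no line breaks):
    4 output characters per 3 input bytes, rounded up to a whole group."""
    return 4 * ((raw_len + 2) // 3)


def decode_base64_chunks(chunks, out) -> int:
    """Decode an iterable of Base64 text chunks into the binary stream `out`.

    Base64 is decoded in groups of 4 characters. A chunk boundary that falls
    inside a group would make a naive per-chunk decode fail or corrupt data,
    so the incomplete tail of each chunk is carried into the next one.
    Returns the number of decoded bytes written; raises ValueError if the
    payload ends mid-group (a truncated transfer) or contains bad characters.
    """
    carry = b""
    written = 0
    for chunk in chunks:
        if isinstance(chunk, str):
            chunk = chunk.encode("ascii")
        # Some encoders wrap at 76 columns; line breaks are not part of the data.
        buf = carry + chunk.replace(b"\r", b"").replace(b"\n", b"")
        usable = len(buf) - len(buf) % 4
        decoded = base64.b64decode(buf[:usable], validate=True)
        out.write(decoded)
        written += len(decoded)
        carry = buf[usable:]
    if carry:
        raise ValueError("truncated Base64 payload: %d trailing characters" % len(carry))
    return written


def roundtrip_demo(size: int = 1_000_003, chunk_size: int = 1000):
    """Constructed sample: random bytes stand in for the downloaded archive.
    chunk_size is deliberately not a multiple of 4 to exercise the carry logic.
    Returns (decoded payload matches the original, encoded/raw size ratio)."""
    raw = os.urandom(size)
    encoded = base64.b64encode(raw).decode("ascii")
    chunks = (encoded[i:i + chunk_size] for i in range(0, len(encoded), chunk_size))
    out = io.BytesIO()
    written = decode_base64_chunks(chunks, out)
    return out.getvalue() == raw and written == size, len(encoded) / size


def is_truncation_detected(raw: bytes) -> bool:
    """Drop the last character of the encoded form and confirm the decoder rejects it
    instead of silently writing a short archive."""
    encoded = base64.b64encode(raw)
    try:
        decode_base64_chunks([encoded[:-1]], io.BytesIO())
    except ValueError:
        return True
    return False
```

The same loop in the AIR client would read the string in slices and decode 4-aligned pieces into a ByteArray the same way; the carry is the part that matters, not the language. Note that the protected endpoint, not the encoding, is what removes the need for a hardcoded password: Base64 is only transport.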




Re: Flex AIR iPad App security concerns

Posted by Deepak MS <me...@gmail.com>.
Thanks Tomislav, I'll try that as well. File size would be quite big,
around 200 - 250MB. Maybe I need to decode it back in chunks.

On Wed, Mar 4, 2015 at 5:34 PM, Tomislav Pokrajcic <to...@svemir.net>
wrote:

> If your system works with user accounts, you can use them to restrict
> access to sensitive data (like contents of a zip file).
> E.g. don't serve zip file from an open URL but make it available only
> through protected server side call accessible to users with existing
> accounts.
> Easy way to do it is to encode zip to Base64 and serve it to the client as
> a string within AMF, JSON, XML or whatever data structure.
> That way there's no need to hardcode any passwords.
> Cheers,
>
> Tomislav
>
>
>
> On 4.3.2015. 11:40, Deepak MS wrote:
>
>> Hi Tom,
>> Ok. This is how it's all set up:
>> Firstly db file gets downloaded on the device which is a password protected
>> zip file. I'm using ANEZipFile ANE to unzip this zip file(
>> https://github.com/xperiments/ANEZipFile) and I'm using unzip method from
>> it [ unzip(zipfile : File, destination : File, overwrite : Boolean = false,
>> password : String = "") : void;) ]
>>
>> I need to pass the password while calling unzip method. Whether I pass a
>> variable to 'password' parameter here or even if I directly pass the
>> password value, it shows up in that console. Whether I store the password
>> in my code or whether I get it from a service from backend, ultimately I
>> need to pass it to this method and it might show up again on that console.
>> I'm not sure how else I can pass the password to unzip method. For that
>> matter, I reckon the tool can hack the native extension's code too?
>>
>> That's one part and as you said, the db location is something like this
>> https://myserver.com/ipaddata/dbfile.zip . We can easily browse this and
>> download the zip file. We are not able to restrict it. If we restrict it we
>> get stream error in the app and app cannot download the file. ;( Hence I
>> wondered, if at least password can be hidden, there can be some relief.
>>
>> Hi Erik,
>> Thanks for the link. I'll give that too a try.
>>
>> On Wed, Mar 4, 2015 at 3:26 PM, Tom Chiverton <tc...@extravision.com> wrote:
>>
>>> There are also dedicated .swf obfuscating products I suppose.
>>>
>>> Tom
>>>
>>>
>>> On 04/03/15 09:49, Erik de Bruin wrote:
>>>
>>>> You may want to check out this technique:
>>>>
>>>> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>>>>
>>>> EdB
>>>>
>>>>
>>>>
>>>> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <me...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>> We have developed some apps specifically for iPads and there has been
>>>>> rigorous testing from security team using some hacking tools. What these
>>>>> tools do is they display all the code variables and their values from the
>>>>> ipa file that we provide to them. Due to this, our app db locations (sqlite
>>>>> files for offline app) and passwords used (to unzip a secured zip file, that
>>>>> gets downloaded, using ANEZipFile native extension) are clearly exposed. It
>>>>> literally shows all the coding that has been done (still wondering how can
>>>>> this be possible from swf and then from ipa).
>>>>>
>>>>> I'm new to security thingie and have no idea. Can anyone who has worked on
>>>>> this kindly share best practices?
>>>>>
>>>>> Some screenshots from the tool which shows the variables and values used in
>>>>> the app:
>>>>>
>>>>> http://pbrd.co/1M69vES
>>>>> http://pbrd.co/1M69MYB
>>>>>
>>>>> App is built using Flex 4.13FP15AIR15.
>>>>>
>>>>> Appreciate your help.
>>>>>
>>>>>
>>>>
>>>>
>
>
>

Re: Flex AIR iPad App security concerns

Posted by Tomislav Pokrajcic <to...@svemir.net>.
If your system works with user accounts, you can use them to restrict 
access to sensitive data (like contents of a zip file).
E.g. don't serve zip file from an open URL but make it available only 
through protected server side call accessible to users with existing 
accounts.
Easy way to do it is to encode zip to Base64 and serve it to the client 
as a string within AMF, JSON, XML or whatever data structure.
That way there's no need to hardcode any passwords.
Cheers,

Tomislav


On 4.3.2015. 11:40, Deepak MS wrote:
> Hi Tom,
> Ok. This is how it's all set up:
> Firstly db file gets downloaded on the device which is a password protected
> zip file. I'm using ANEZipFile ANE to unzip this zip file(
> https://github.com/xperiments/ANEZipFile) and I'm using unzip method from
> it [ unzip(zipfile : File, destination : File, overwrite : Boolean = false,
> password : String = "") : void;) ]
>
> I need to pass the password while calling unzip method. Whether I pass a
> variable to 'password' parameter here or even if I directly pass the
> password value, it shows up in that console. Whether I store the password
> in my code or whether I get it from a service from backend, ultimately I
> need to pass it to this method and it might show up again on that console.
> I'm not sure how else I can pass the password to unzip method. For that
> matter, I reckon the tool can hack the native extension's code too?
>
> That's one part and as you said, the db location is something like this
> https://myserver.com/ipaddata/dbfile.zip . We can easily browse this and
> download the zip file. We are not able to restrict it. If we restrict it we
> get stream error in the app and app cannot download the file. ;( Hence I
> wondered, if at least password can be hidden, there can be some relief.
>
> Hi Erik,
> Thanks for the link. I'll give that too a try.
>
> On Wed, Mar 4, 2015 at 3:26 PM, Tom Chiverton <tc...@extravision.com> wrote:
>
>> There are also dedicated .swf obfuscating products I suppose.
>>
>> Tom
>>
>>
>> On 04/03/15 09:49, Erik de Bruin wrote:
>>
>>> You may want to check out this technique:
>>>
>>> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>>>
>>> EdB
>>>
>>>
>>>
>>> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <me...@gmail.com>
>>> wrote:
>>>
>>>> Hello,
>>>> We have developed some apps specifically for iPads and there has been
>>>> rigorous testing from security team using some hacking tools. What these
>>>> tools do is they display all the code variables and their values from the
>>>> ipa file that we provide to them. Due to this, our app db locations (sqlite
>>>> files for offline app) and passwords used (to unzip a secured zip file, that
>>>> gets downloaded, using ANEZipFile native extension) are clearly exposed. It
>>>> literally shows all the coding that has been done (still wondering how can
>>>> this be possible from swf and then from ipa).
>>>>
>>>> I'm new to security thingie and have no idea. Can anyone who has worked on
>>>> this kindly share best practices?
>>>>
>>>> Some screenshots from the tool which shows the variables and values used in
>>>> the app:
>>>>
>>>> http://pbrd.co/1M69vES
>>>> http://pbrd.co/1M69MYB
>>>>
>>>> App is built using Flex 4.13FP15AIR15.
>>>>
>>>> Appreciate your help.
>>>>
>>>
>>>




Re: Flex AIR iPad App security concerns

Posted by Deepak MS <me...@gmail.com>.
Hi Tom,
Ok. This is how it's all set up:
Firstly db file gets downloaded on the device which is a password protected
zip file. I'm using ANEZipFile ANE to unzip this zip file(
https://github.com/xperiments/ANEZipFile) and I'm using unzip method from
it [ unzip(zipfile : File, destination : File, overwrite : Boolean = false,
password : String = "") : void;) ]

I need to pass the password while calling unzip method. Whether I pass a
variable to 'password' parameter here or even if I directly pass the
password value, it shows up in that console. Whether I store the password
in my code or whether I get it from a service from backend, ultimately I
need to pass it to this method and it might show up again on that console.
I'm not sure how else I can pass the password to unzip method. For that
matter, I reckon the tool can hack the native extension's code too?

That's one part and as you said, the db location is something like this
https://myserver.com/ipaddata/dbfile.zip . We can easily browse this and
download the zip file. We are not able to restrict it. If we restrict it we
get stream error in the app and app cannot download the file. ;( Hence I
wondered, if at least password can be hidden, there can be some relief.

Hi Erik,
Thanks for the link. I'll give that too a try.

On Wed, Mar 4, 2015 at 3:26 PM, Tom Chiverton <tc...@extravision.com> wrote:

> There are also dedicated .swf obfuscating products I suppose.
>
> Tom
>
>
> On 04/03/15 09:49, Erik de Bruin wrote:
>
>> You may want to check out this technique:
>>
>> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>>
>> EdB
>>
>>
>>
>> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <me...@gmail.com>
>> wrote:
>>
>>> Hello,
>>> We have developed some apps specifically for iPads and there has been
>>> rigorous testing from security team using some hacking tools. What these
>>> tools do is they display all the code variables and their values from the
>>> ipa file that we provide to them. Due to this, our app db locations (sqlite
>>> files for offline app) and passwords used (to unzip a secured zip file, that
>>> gets downloaded, using ANEZipFile native extension) are clearly exposed. It
>>> literally shows all the coding that has been done (still wondering how can
>>> this be possible from swf and then from ipa).
>>>
>>> I'm new to security thingie and have no idea. Can anyone who has worked on
>>> this kindly share best practices?
>>>
>>> Some screenshots from the tool which shows the variables and values used in
>>> the app:
>>>
>>> http://pbrd.co/1M69vES
>>> http://pbrd.co/1M69MYB
>>>
>>> App is built using Flex 4.13FP15AIR15.
>>>
>>> Appreciate your help.
>>>
>>
>>
>>
>

Re: Flex AIR iPad App security concerns

Posted by Tom Chiverton <tc...@extravision.com>.
There are also dedicated .swf obfuscating products I suppose.

Tom

On 04/03/15 09:49, Erik de Bruin wrote:
> You may want to check out this technique:
>
> http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/
>
> EdB
>
>
>
> On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <me...@gmail.com> wrote:
>> Hello,
>> We have developed some apps specifically for iPads and there has been
>> rigorous testing from security team using some hacking tools. What these
>> tools do is they display all the code variables and their values from the
>> ipa file that we provide to them. Due to this, our app db locations (sqlite
>> files for offline app) and passwords used (to unzip a secured zip file, that
>> gets downloaded, using ANEZipFile native extension) are clearly exposed. It
>> literally shows all the coding that has been done (still wondering how can
>> this be possible from swf and then from ipa).
>>
>> I'm new to security thingie and have no idea. Can anyone who has worked on
>> this kindly share best practices?
>>
>> Some screenshots from the tool which shows the variables and values used in
>> the app:
>>
>> http://pbrd.co/1M69vES
>> http://pbrd.co/1M69MYB
>>
>> App is built using Flex 4.13FP15AIR15.
>>
>> Appreciate your help.
>
>


Re: Flex AIR iPad App security concerns

Posted by Erik de Bruin <er...@ixsoftware.nl>.
You may want to check out this technique:

http://www.ghostwire.com/blog/archives/as3-hiding-assets-and-code-by-embedding-swf-within-another-swf/

EdB



On Wed, Mar 4, 2015 at 9:17 AM, Deepak MS <me...@gmail.com> wrote:
> Hello,
> We have developed some apps specifically for iPads and there has been
> rigorous testing from security team using some hacking tools. What these
> tools do is they display all the code variables and their values from the
> ipa file that we provide to them. Due to this, our app db locations (sqlite
> files for offline app) and passwords used (to unzip a secured zip file, that
> gets downloaded, using ANEZipFile native extension) are clearly exposed. It
> literally shows all the coding that has been done (still wondering how can
> this be possible from swf and then from ipa).
>
> I'm new to security thingie and have no idea. Can anyone who has worked on
> this kindly share best practices?
>
> Some screenshots from the tool which shows the variables and values used in
> the app:
>
> http://pbrd.co/1M69vES
> http://pbrd.co/1M69MYB
>
> App is built using Flex 4.13FP15AIR15.
>
> Appreciate your help.



-- 
Ix Multimedia Software

Jan Luykenstraat 27
3521 VB Utrecht

T. 06-51952295
I. www.ixsoftware.nl

Re: Flex AIR iPad App security concerns

Posted by Tom Chiverton <tc...@extravision.com>.
On 04/03/15 09:16, Héctor A wrote:
> If this is about just looking for sensitive strings in the compiled binary
> then they could be stored obfuscated or maybe even as a simple array of
> bytes.
Possibly, but the next step after running strings is to check the 
entropy of parts of the file. Bits with different amounts correspond to 
code and data, and if I know I'm looking for a password...
So it depends if you are protecting against casual snoops, motivated users 
or companies, maybe even governments ? And is that .zip file worth much ?

Tom
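Added example, not part of the thread: a small pre-release check in Python that does what Tom describes from the defender's side, i.e. pulls printable runs out of a build artifact the way `strings` does and scores them by entropy and character mix, so that URLs, password-named identifiers and key-like literals are listed by the developer before a security team finds them. Everything here (function names, thresholds, the constructed sample) is this example's own; the only value taken from the thread is Deepak's placeholder path https://myserver.com/ipaddata/dbfile.zip. Because a compiled SWF is usually zlib-compressed (CWS signature, 8-byte header) the scanner inflates it first; scanning the compressed bytes directly would miss most literals, which is why such checks must run on the unpacked form rather than on the .ipa as a whole.

```python
import math
import re
import zlib
from collections import Counter

# Printable ASCII runs of 8+ bytes: what `strings -n 8` would print.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
KEYWORD_RE = re.compile(rb"passw|secret|apikey|api_key|token", re.IGNORECASE)


def shannon_entropy(s: bytes) -> float:
    """Bits per byte; random keys score high, natural language and code score lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def char_classes(s: bytes) -> int:
    """How many of {lower, upper, digit, punctuation} appear in the run."""
    lower = any(97 <= b <= 122 for b in s)
    upper = any(65 <= b <= 90 for b in s)
    digit = any(48 <= b <= 57 for b in s)
    punct = any(b in b"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~" for b in s)
    return lower + upper + digit + punct


def unpack_swf(data: bytes) -> bytes:
    """SWF files starting with 'CWS' are zlib-compressed after an 8-byte header,
    so strings-style scanning must inflate them first; 'FWS' is already plain."""
    if data[:3] == b"CWS":
        return data[:8] + zlib.decompress(data[8:])
    return data


def classify(run: bytes):
    """Name the kind of finding, or None if the run looks harmless."""
    if URL_RE.search(run):
        return "url"
    if KEYWORD_RE.search(run):
        return "keyword"
    # Heuristic for literal keys/passwords: no spaces, three or more character
    # classes and high entropy. English text has spaces; identifiers rarely
    # mix letters, digits and punctuation.
    if (b" " not in run and len(run) >= 12
            and char_classes(run) >= 3 and shannon_entropy(run) >= 3.5):
        return "high-entropy"
    return None


def scan_for_exposed_values(data: bytes):
    """Return [(offset, kind, text, entropy)] for runs worth reviewing before release."""
    body = unpack_swf(data)
    hits = []
    for m in PRINTABLE_RUN.finditer(body):
        run = m.group()
        kind = classify(run)
        if kind:
            hits.append((m.start(), kind, run.decode("ascii"), round(shannon_entropy(run), 2)))
    return hits


def constructed_sample() -> bytes:
    """Constructed stand-in for a compiled SWF (not a real build): a few strings of
    the kinds mentioned in the thread, wrapped in a CWS (zlib) container."""
    body = b"\x00" * 64 + b"\x00".join([
        b"Loading offline database, please wait",   # ordinary UI text, should not be flagged
        b"https://myserver.com/ipaddata/dbfile.zip",  # placeholder path quoted in the thread
        b"zipPassword",                              # a variable name
        b"Kq7#vR2p!Lm9@xZ4wB",                       # constructed password-like literal
        b"2015-03-04 09:17:23",                      # timestamp, should not be flagged
    ]) + b"\x00" * 64
    header = b"CWS" + bytes([15]) + (8 + len(body)).to_bytes(4, "little")
    return header + zlib.compress(body)
```

Thresholds are deliberately loose; the list is for a human to read, and a hit on a variable called zipPassword is the cue that the value it holds reaches the binary in some form too. As Tom's post says, this only raises the bar for casual inspection; it does not replace moving the secret off the device.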

Re: Flex AIR iPad App security concerns

Posted by Héctor A <ne...@gmail.com>.
If this is about just looking for sensitive strings in the compiled binary
then they could be stored obfuscated or maybe even as a simple array of
bytes.

On Wednesday, March 4, 2015, Tom Chiverton <tc...@extravision.com> wrote:

> It sounds like they used a combination of decompiling and static code
> analysis ? Or maybe as simple as 'strings' on the file.
> This is nothing special to AIR (or .swf) applications, and it's a huge
> topic.
>
> If you have sensitive data (like passwords) the general advice is
>
> * don't use the same password for every install
> For instance, generate a new password when the application registers
> * don't store the password in the app
> Have the app ask the server for the password when it starts up
>
> In your case, you are unzipping a password protected ZIP ? So you are
> making a server request anyway.
> I assume you are protecting against someone capturing the request and
> obtaining their own copy of your files ?
> I don't know your threat model, but you should be aware users can just
> browse the file system on the device to get the files after extraction, or
> brute force the .zip password (depending on the encryption scheme), for
> instance.
>
> We could talk all day about threat analysis, risk/reward and return on
> investment :-)
>
> Tom
>
> On 04/03/15 08:17, Deepak MS wrote:
>
>> I'm new to security thingie and have no idea. Can anyone who has worked on
>> this kindly share best practices?
>>
>
>

Re: Flex AIR iPad App security concerns

Posted by Tom Chiverton <tc...@extravision.com>.
It sounds like they used a combination of decompiling and static code 
analysis ? Or maybe as simple as 'strings' on the file.
This is nothing special to AIR (or .swf) applications, and it's a huge 
topic.

If you have sensitive data (like passwords) the general advice is

* don't use the same password for every install
For instance, generate a new password when the application registers
* don't store the password in the app
Have the app ask the server for the password when it starts up

In your case, you are unzipping a password protected ZIP ? So you are 
making a server request anyway.
I assume you are protecting against someone capturing the request and 
obtaining their own copy of your files ?
I don't know your threat model, but you should be aware users can just 
browse the file system on the device to get the files after extraction, 
or brute force the .zip password (depending on the encryption scheme), 
for instance.

We could talk all day about threat analysis, risk/reward and return on 
investment :-)

Tom

On 04/03/15 08:17, Deepak MS wrote:
> I'm new to security thingie and have no idea. Can anyone who has worked on
> this kindly share best practices?
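Added example, not from the thread, that puts Tom's two bullets above into code from the server's side: a distinct password per install, created at registration and fetched at startup through a session check rather than embedded in the app. It is a stand-alone Python stand-in; class and method names are this example's own, and it assumes (beyond what the thread says) that the server can deliver an archive encrypted with that install's password and that the user-account check Tomislav mentions has already passed before open_session is called. The password is derived with HMAC from one server-side key, a design choice of this example, so nothing per-install has to be stored, at the cost that the master key must be protected and rotating it re-keys every install.

```python
import base64
import hashlib
import hmac
import secrets
import time


class PasswordIssuer:
    """Constructed server-side stand-in; not code from the thread, AIR or ANEZipFile.

    The app persists only its install_id and holds the password in memory
    just long enough to call unzip(); the password never appears in the binary.
    """

    SESSION_TTL = 300  # seconds a startup session token stays valid

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._installs = set()   # install ids issued at registration
        self._revoked = set()    # installs whose access has been withdrawn
        self._sessions = {}      # session token -> (install_id, expiry time)

    def register(self) -> str:
        """App registration: mint a random install id (no password is returned here)."""
        install_id = secrets.token_hex(16)
        self._installs.add(install_id)
        return install_id

    def password_for(self, install_id: str) -> str:
        """Derive this install's password: HMAC-SHA256(master_key, install_id)."""
        mac = hmac.new(self._master_key, install_id.encode("ascii"), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac[:24]).decode("ascii")

    def open_session(self, install_id: str, now=None) -> str:
        """App startup, after the caller has checked the user's account (assumed):
        issue a short-lived token for a known, unrevoked install."""
        if install_id not in self._installs or install_id in self._revoked:
            raise PermissionError("unknown or revoked install")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (install_id, now + self.SESSION_TTL)
        return token

    def get_unzip_password(self, token: str, now=None) -> str:
        """Protected call the app makes right before unzipping."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            raise PermissionError("no such session")
        install_id, expiry = entry
        if now > expiry or install_id in self._revoked:
            self._sessions.pop(token, None)
            raise PermissionError("session expired or install revoked")
        return self.password_for(install_id)

    def revoke(self, install_id: str) -> None:
        self._revoked.add(install_id)


def _rejected(call) -> bool:
    try:
        call()
    except PermissionError:
        return True
    return False


def demo():
    """Walk through register -> startup session -> password fetch for two installs.
    Returns (passwords differ, bogus token rejected, expired session rejected,
    revoked install rejected)."""
    server = PasswordIssuer(master_key=secrets.token_bytes(32))  # constructed key
    a, b = server.register(), server.register()
    t0 = 1_000_000.0  # fixed clock so expiry is deterministic
    pw_a = server.get_unzip_password(server.open_session(a, now=t0), now=t0 + 1)
    pw_b = server.get_unzip_password(server.open_session(b, now=t0), now=t0 + 1)
    differ = pw_a != pw_b and pw_a == server.password_for(a)

    bogus_rejected = _rejected(lambda: server.get_unzip_password("not-a-token"))
    stale = server.open_session(a, now=t0)
    expired_rejected = _rejected(
        lambda: server.get_unzip_password(stale, now=t0 + PasswordIssuer.SESSION_TTL + 1))
    server.revoke(b)
    revoked_rejected = _rejected(lambda: server.open_session(b))
    return differ, bogus_rejected, expired_rejected, revoked_rejected
```

Revocation is the practical gain over one shared password: a leaked per-install value is useless to other installs and can be cut off without re-shipping the app, which is exactly what a hardcoded string cannot offer.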