We also reveal a secret: this is how we tested thousands of leaky iOS apps


We went behind the scenes of the biggest investigation into iOS app safety so far. We easily gained access to a colleague's chats – imagine what threat actors could do.

Our team reviewed eight terabytes of apps from the App Store to conduct the first-of-its-kind investigation into how safe iOS apps are. The results showed an inconvenient truth – your secrets are getting leaked at a mind-blowing rate.

The lead researcher behind this large-scale investigation, Aras Nazarovas, revealed a secret about how the team tested 156,080 randomly selected apps over the course of six months.

“It turned out that it was quite easy,” he said in the interview. While the scope of the investigation is overwhelming, iOS apps are distributed as compressed .ipa files that can be extracted.

“You just check every text file for a password,” explained Nazarovas.

To find out everything about how we did the research, watch our newly released video for a full story about the investigation.

How did everything start?

There is no centralized list of all the apps on the App Store, so our team wrote a script that used the App Store’s API to build a list of randomly selected apps, ranging from small apps to big corporate applications.

“We had a word list, like apple leg, children, sports, and so on. We would run a search of each of those keywords,” says Nazarovas.

“It only took like a couple of hours to have a list of like half a million.”

While conducting such an investigation goes against Apple’s terms of service, checking publicly accessible app code is not outlawed. If the passwords are simply left in the code, that’s no one's fault – apart from lousy developers.

How to download and scan 150,000 apps?

The most challenging part of the research was actually downloading 150,000 apps onto the researcher's device.

To download eight terabytes of data, researchers first tried plugging an iPhone into the USB Rubber Ducky. This hacker tool looks like a flash drive with a hidden exploit that allows it to mimic a keyboard.

The team set up the tool to automatically go to the App Store, download an app, upload it to a cloud drive, delete it, and then download another.

However, the method ultimately proved to be slow and unreliable. So, in the end, the team figured out a different solution that worked at scale and was way faster: uploading the apps from the App Store directly to their cloud storage.

After the download, the apps can be unarchived and scanned. Researchers used a script to go through every file inside an app and check for over a thousand different keywords.

These keywords included password, endpoint, API, password key, or partial words like “pass.” Once one app is scanned, it's deleted from the cloud. The same process was repeated 150,000 times with all the tested apps.
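A developer can run the same kind of check against their own build before shipping it. The sketch below is an added example, not the researchers' script: it treats the .ipa as a ZIP archive, parses property lists (including binary ones, which a plain text search would skip) and flags keyword matches. The keyword subset, function names and sample archive are constructed for illustration.

```python
import io
import plistlib
import zipfile

# Keywords the article names; the researchers' full list (1,000+) is not on the page.
KEYWORDS = ("password", "endpoint", "api", "pass")

def plist_key_paths(node, path=""):
    """Yield the key path of every leaf in a parsed plist (dicts and arrays)."""
    if isinstance(node, list):
        node = dict(enumerate(node))  # treat array indexes as keys
    if isinstance(node, dict):
        for key, value in node.items():
            yield from plist_key_paths(value, f"{path}/{key}")
    else:
        yield path

def scan_ipa(ipa, keywords=KEYWORDS):
    """Scan one .ipa (path or file object); return sorted (file, location, keyword)."""
    hits = []
    with zipfile.ZipFile(ipa) as archive:
        for info in archive.infolist():
            data = archive.read(info)
            if info.filename.lower().endswith(".plist"):
                try:  # plistlib parses XML and binary plists; a text grep misses binary
                    locations = [(p, p) for p in plist_key_paths(plistlib.loads(data))]
                except Exception:
                    locations = []  # malformed plist: nothing to report
            elif b"\x00" in data[:1024]:
                continue  # crude binary check: skip executables and images
            else:
                lines = data.decode("utf-8", "replace").splitlines()
                locations = [(f"line {n}", text) for n, text in enumerate(lines, 1)]
            for where, text in locations:
                # Report only the first keyword that matches ("password" before "pass").
                kw = next((k for k in keywords if k in text.lower()), None)
                if kw:
                    hits.append((info.filename, where, kw))
    return sorted(hits)

def build_sample_ipa():
    """Constructed in-memory .ipa with placeholder values; not a real app."""
    plist = {"CFBundleName": "Demo", "Backend": {"ApiKey": "PLACEHOLDER"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(plist, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Demo.app/config.json", '{\n "db_password": "PLACEHOLDER"\n}\n')
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe\x00\x00password")
    return io.BytesIO(buf.getvalue())
```

A keyword hit is only a candidate: each one still needs a manual look to decide whether the value beside it is a real secret that should be moved out of the bundle.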

A researcher hacked a colleague’s phone in five minutes

The investigation results stunned the team.

“Out of a sample size of 150,000 apps, including some of the App Store’s most popular, our team was able to extract sensitive private user secrets from 70% of them,” said Nazarovas.

The impact on an average iPhone user varies greatly depending on the application. However, some of the leaked secrets enabled access to extremely sensitive data.

“We did find 19 apps that leaked, like Stripe credentials. Those could be used to obtain credit card information and authorize payments without user consent even,” said Nazarovas.

“Could also get private messages from people. Also, you could get private photos that you saved in the cloud,” he pointed out.

This was proven right at our Cybernews office. One of our colleagues used a tested chatting app. Researchers found they could access the chat app and message a colleague in real time.

“I am jealous of Aras’ hair,” the message read. Explaining how challenging it was to access the chat logs by exploiting the leaked secret, Nazarovas smiles: “Literally, like two lines of code and five minutes.”

It's deeply concerning that there's no way to know how many iPhone apps might be compromising user security, and it’s unsettling to realize that this risk even exists.

You can read about all the findings in our freshly published research article. Two years ago, the team conducted a similar investigation into Android apps on Google Play.
