FishNet Security Researchers To Release Testing Tool For iOS Apps


Researchers from FishNet Security are preparing to launch an automated security testing tool for iOS apps, and on Thursday they gave Black Hat security conference attendees a sneak preview.

Called SiRA, for Semi-Automated iOS Rapid Assessment, the iOS security testing tool performs forensics and analysis of mobile app components, automating much of the heavy lifting associated with manual application testing.

SiRA automates testing of iOS binaries, iOS keychain, file decoding and file system snapshots, Seth Law, senior security consultant at FishNet, Kansas City, Mo., said in a presentation at Black Hat. "SiRA grew from a bunch of scripts that we had to do these things," he said.

Testing iOS applications is important for many reasons. With more than 650,000 apps in the App Store and 1,100 news ones being added daily, it's fair to question how much attention developers are putting into security.

Apple does not talk about its testing methodology for third-party iOS apps, but given the ease with which vulnerabilities can be introduced in the development phases, users can't be sure that the third-party apps they download are completely safe.

"Apple is looking at how they can best enforce their rules and make their money. They are not necessarily looking at the security testing of these apps as they roll through the process," Law said in the presentation.

[Related: Apple Gets Philosophical About iOS Security In First Black Hat Appearance]

In a recent analysis of some 65,000 iOS apps, BitDefender found that 18.6 percent accessed users' contact data and calendar information, although there has been talk that Apple will limit this practice in iOS 6. BitDefender also found that just 57.5 percent of the apps were encrypting stored data.

SiRA is especially good at finding unintentional security holes in apps, such as SQL injection flaws and passwords being sent in plain text, according to Justin Engler, another FishNet senior security consultant involved in building the tool. Done manually, the typical mobile application assessment takes between 40 and 80 hours, he said.

SiRA speeds the process up significantly. The tool snapshots the iOS file system each step of the way, first installing an app and using it normally, and later by "abusing" it and decrypting its binaries, Engler explained.

"We are looking for malicious information in these binaries," he said. For example, "if it's not a messaging app, then why is it hooking into a messaging API?"

Using SiRA requires knowledge of network traffic analysis, the iOS file system, application reverse-engineering and iOS jailbreaking, Engler said.

"SiRA is relevant because it takes a lot of this and makes it accessible to people that have a good base understanding and applies it to apps," said Engler. "It gives them a way to deal with vulnerabilities in mobile applications."

FishNet is planning to release SiRA in the next few days, and it will be free for non-commercial use. FishNet is still figuring out how commercial licensing would work, although Engler said the company may eventually decide to release the tool to open source.

PUBLISHED JULY 27, 2012