My Weekly RoundUp #78

Interesting things from the last week! A stupid FaceTime bug causes some privacy problems, Facebook is facing a controversy over an iOS app and…apparently someone already knows the Game Of Thrones finale!

Continue…

A bug in Apple’s WebView allows an attacker to initiate phone calls without user confirmation

Twitter and LinkedIn iOS apps are vulnerable!

The security researcher Collin Mulliner has discovered an exploitable vulnerability in Apple’s WebView that could allow phone calls to a number of the attacker’s choosing.

iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone’s UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible.

Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code, and iOS developers who have embedded Apple’s WebView into their mobile apps need to be aware of it.

https://gist.github.com/andreafortuna/50d68e9d109c25bc2cb84abee42463fa

The risks to the user include calls to premium numbers or denial-of-service against the telephone numbers of public services:

About a week ago I read a news post about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when visited from an iPhone. This was most likely due to a bug with the handling of the TEL URI. I immediately thought about a bug I reported to Apple in late October 2008. I couldn’t believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.
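Added example (not code from Mulliner’s post or from the gist above): the kind of check an iOS developer would put in a WKWebView navigation delegate so that page content can never dial on its own. Call-type URLs are cancelled inside the web view and handed to the system only after the user confirms in an alert; the class name, the alert wording and the inclusion of the facetime: schemes alongside tel: are my assumptions.

```swift
import UIKit
import WebKit

// Added example: a WKWebView host that refuses to let page content place
// calls silently. Any tel:/telprompt:/facetime: navigation is cancelled and
// re-issued through UIApplication only after an explicit confirmation.
final class CallGuardedWebViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()
    // Schemes that would start a call or FaceTime session if passed straight
    // through (facetime schemes added as an assumption; the bug report is about tel:).
    private let callSchemes: Set<String> = ["tel", "telprompt", "facetime", "facetime-audio"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        view.addSubview(webView)
    }

    // Called for every navigation, including ones triggered by an iframe,
    // a meta refresh or a JavaScript redirect inside the page.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }
        if callSchemes.contains(scheme) {
            // Never let the web view dial directly: cancel, then ask the user.
            decisionHandler(.cancel)
            confirmCall(to: url)
            return
        }
        decisionHandler(.allow)
    }

    private func confirmCall(to url: URL) {
        // Show the full target to the user; the call proceeds only on "Call".
        let alert = UIAlertController(title: "Call \(url.absoluteString)?",
                                      message: "This page wants to start a call.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Call", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```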

The researcher has also published two video demonstrations of the exploit:

References

https://www.mulliner.org/blog/blosxom.cgi/security/ios_webview_auto_dialer.html

A DIY multi-platform solution to encrypt your Dropbox files

For Linux, Windows, OSX, Android and iOS

Cloud storage is very useful, but for really important or private data a good practice is to add a further encryption layer, preferably with a cross-platform solution.

http://imgs.xkcd.com/comics/security.png

A simple method would be to use TrueCrypt (now VeraCrypt), but having to create containers that hold the encrypted data isn’t ideal for Dropbox, which constantly syncs changes.

If, for example, you create a 500MB container and change a small text file inside it, the whole 500MB file has to be re-uploaded, which is a waste of time and resources.

Instead, it is better to encrypt files individually, and EncFS is the perfect solution for this kind of problem.

EncFS encrypts every single file in a specified folder and lets you mount an unencrypted view of that folder at a specified mount point.

The idea is to keep the unencrypted mount point in the home folder, while the encrypted folder lives inside the Dropbox folder.

Whenever you add or change something in the unencrypted folder, EncFS writes an encrypted version into the encrypted folder, which is synchronized by Dropbox.

In my case the main system is Debian, and the other systems that need to access the encrypted folder are Windows, OSX and Android.

So, let’s start with…

Linux configuration

First, install EncFS using APT (on Debian/Ubuntu/Mint):

# apt install encfs

or using yum on Fedora:

yum install fuse-encfs

Next, start the setup: to do this, you’ll need to run

encfs ~/Dropbox/.encrypted ~/Private

You can change the actual paths if you like.
Just know that ~/Dropbox/.encrypted is the folder where the encrypted data goes, and ~/Private is the folder used as the mount point for the unencrypted volume.

Say ‘yes’ to all folder creation requests (if you haven’t already created them), and choose ‘p’ to start with the default configuration.

Then enter the chosen password for the encrypted folder and, finally, create a couple of shell scripts to mount/unmount the encrypted folder:

Mount.sh

#!/bin/sh
# Mount the EncFS volume: ciphertext lives in ~/Dropbox/.encrypted, the cleartext view appears at ~/Private
encfs ~/Dropbox/.encrypted ~/Private

Umount.sh

#!/bin/sh
# Unmount the cleartext view; only the encrypted files remain on disk (and in Dropbox)
fusermount -u ~/Private

That’s it!


Windows/OSX configuration

On Windows and OSX systems, you can use Safe, a multi-platform application that supports EncFS:

Safe is cross-platform and currently runs on Windows and Mac OS X. It works with all applications and file types and can store encrypted files anywhere. It’s also compatible with EncFS volumes.

Safe is licensed under the GPLv3 and is based on free software.

Unlike EncFS, it does not use FUSE but hosts a localhost WebDAV server and uses the operating system’s existing WebDAV functionality to provide the native interface.

This makes Safe more portable and more stable than FUSE-based user-space file systems.

You can download Safe from this link:

http://www.getsafe.org/about#download

UPDATE 02/12/2016

Some users have told me that Safe has some problems with long file names and big files (related to WebDAV limitations).

So you can also use EncFSMP, another EncFS implementation for Windows and OSX:

https://sourceforge.net/projects/encfsmp/


EncFS for Android?

Cryptonite is a useful EncFS tool for Android:

Cryptonite brings EncFS and TrueCrypt to Android. You can browse, export and open EncFS-encrypted directories and files on your Dropbox and on your phone. On rooted phones that support FUSE (e.g. CyanogenMod) you can also mount EncFS and TrueCrypt volumes. TrueCrypt is only available as a command-line version at this time.

You can download the stable release of Cryptonite from Google Play:

https://play.google.com/store/apps/details?id=csh.cryptonite

and the beta version from GitHub:

https://github.com/neurodroid/cryptonite/releases


Finally, iOS?

For iOS, the only reliable solution that I could find is a commercial application, BoxCryptor:

Boxcryptor is an easy-to-use encryption software optimized for the cloud. It allows the secure use of cloud storage services without sacrificing comfort. Boxcryptor supports all major cloud storage providers (such as Dropbox, Google Drive, Microsoft OneDrive, or SugarSync) and supports all the clouds that use the WebDAV standard (such as Cubby, Strato HiDrive, or ownCloud).

Here is the App Store link:

https://itunes.apple.com/app/boxcryptor-viewer/id649940870