By Werner Ruotsalainen on Sat, 09/29/2012
With the recent Pwn2Own mobile challenge results (more info; I particularly recommend Joost Pol's advice: “The CEO of a company should never be doing e-mail or anything of value on an iPhone or a BlackBerry. It’s simple as that. There are a lot of people taking photos on their phones that they shouldn’t be taking”), the restrictions introduced to the address book access (more info), and with the recent Cydia release of a brand new, excellent security app which I immediately purchased, "tsProtector P", I, as a serious iOS programmer and lecturer, have decided to do some serious testing of official (except for some examples like VLC and AVPlayerHD), non-pirated(!) AppStore apps. Among other things, I've tested all(!) the currently available video player apps and most PDF viewers.
(WARNING: As with most of my articles, this one, which can also be pretty technical, is meant more for advanced users / geeks / programmers / serious iFans, not necessarily for casual users! Nevertheless, the latter can also learn some tips and tricks from the text - just don't expect to understand everything.)
Basically, I've found out the following:
1.) several of these AppStore apps access the file system outside their home directory (their so-called “sandbox”). A few of these are remnants of earlier code, for example,
- yxPlayer's access to /Applications/yxflash.app/key.txt – this is a leftover from the pre-AppStore days, when the player only existed in Cydia and was indeed installed under /Applications/yxflash.app/
- AcePlayer's access to /etc/mplayer/codecs.conf and mplayer.conf - AcePlayer being based on the well-known media player “mplayer” has introduced this: the AcePlayer developers simply didn't remove these now non-working references.
2.) none of the (tested) apps accessed sensitive info. Most, apart from the code remnants from the open-source libraries used by the app / previous Cydia versions, just checked for the existence of Cydia.app - but, interestingly, none of them refused to work after (surely) learning they are running on a jailbroken (JB'n for short) iPad. Not even the ones that have exceedingly long lists of jailbreaking tools (first screenshot below, in the next section; check out Photon's (a great Flash browser - see my comments and comparisons HERE) log, which checks for every kind of blackra1n, redsn0w etc.) or that even dynamically iterate over all the dynamic libraries I've installed from Cydia (third screenshot; WebDAV Nav) present on the actual device. I don't know if they're explicitly looking for pirating tools like A**S*** (I'm not propagating piracy; hence the asterisks not to give any hint to anyone what tool to look for) and would have refused running when detecting it being present – after all, I don't pirate apps at all and, consequently, there are no pirating libraries on my JB'n iDevices.
How can you find this out yourself and security check your AppStore apps?
Sandbox testing will only work on a jailbroken iDevice. Search for “tsProtector P” and purchase ($1.40) it. A Cydia screenshot of the current version, also showing I've purchased it:
Then, after the respring, just start any AppStore / Xcode-deployed app you'd like to test. You'll be immediately shown a message upon accessing a non-allowed path in the file system. An example showing this with AcePlayer:
If you deny access, the app won't be able to access the file.
After having tested your apps for unwanted file system access, you can review the results either on the device itself under Settings > Extensions > tsProtector P > View Logs or, after transferring the log file to your desktop computer, in a plist reader / editor (on a Mac, one is already present; on Windows, you'll want to use plist Editor for Windows (see THIS for more info on plist editing)).
An example of presenting the results on my iPad (click the thumbnails for the original, large versions so that you can read what path has been accessed etc; they're in order from top to bottom of the list):
I've uploaded the log file (based on which the above list is presented) HERE (see below). Note that, as has been explained, I've tested ALL the multimedia apps present in the work-in-progress version of the chart of my forthcoming Multimedia bible and a lot of PDF readers – and some VNC, LogMeIn etc. clients and games in addition.
Additional previously non-published tricks and tips
1.) tsProtector P stores the list of the filesystem access log under /private/var/mobile/Library/Preferences/kr.typostudio.tsprotector.log.plist. The plist array items are, of course, Dictionary entries, “path” being the accessed file / directory and “appname” being the human-readable app name (the full identifier is also stored as “identifier”). An example:
(again, click the thumbnail image for a readable one!)
As you can see at the bottom half of the list, when two apps use the same name (e.g., AcePlayer), you can still know which is which based on “identifier” (com.ranysoft.aceplayer vs. com.ranysoft.acemusic). Also, when an app accesses more than one file in the file system, a separate dictionary record will be created for each individual access; hence the separate records for AcePlayer's codecs.conf and mplayer.conf accesses.
2.) once you decline / allow access in an app, you can change the setting under Settings > Extensions > tsProtector P > Non-allowed App List as you won't be asked again (unless you physically delete /private/var/mobile/Library/Preferences/kr.typostudio.tsprotector.list.plist, after which it starts asking permission for all apps). Just toggle the switch.
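To review the log on a desktop machine without a plist editor, the records can be grouped by “identifier” and triaged by path. The script below is an added example, not code from tsProtector P or from this article: the key names (“path”, “appname”, “identifier”) are the ones described above, while the list of sensitive path prefixes, the triage categories, the placeholder identifier and the sample records are assumptions constructed for illustration.

```python
import plistlib
from collections import defaultdict

# Assumed triage rules (not part of tsProtector P); adjust for your own review.
JAILBREAK_MARKERS = ("Cydia.app",)
SENSITIVE_PREFIXES = (
    "/private/var/mobile/Library/AddressBook",
    "/private/var/mobile/Library/SMS",
    "/private/var/mobile/Library/Notes",
    "/private/var/mobile/Media/DCIM",
)

def classify(path):
    """Label one logged path: jailbreak check, sensitive data, or other."""
    if any(marker in path for marker in JAILBREAK_MARKERS):
        return "jailbreak-check"
    if path.startswith(SENSITIVE_PREFIXES):
        return "sensitive"
    return "other"

def summarize(plist_bytes):
    """Group log records by bundle identifier, since app names can collide."""
    records = plistlib.loads(plist_bytes)  # root object is an array of dicts
    apps = defaultdict(lambda: {"appname": None, "accesses": {}})
    for rec in records:
        entry = apps[rec["identifier"]]
        entry["appname"] = rec.get("appname")
        entry["accesses"][rec["path"]] = classify(rec["path"])
    return dict(apps)

# Constructed sample log. Only the two AcePlayer .conf records mirror accesses
# named in the article; the other paths and com.example.* are placeholders.
SAMPLE = plistlib.dumps([
    {"appname": "AcePlayer", "identifier": "com.ranysoft.aceplayer",
     "path": "/etc/mplayer/codecs.conf"},
    {"appname": "AcePlayer", "identifier": "com.ranysoft.aceplayer",
     "path": "/etc/mplayer/mplayer.conf"},
    {"appname": "AcePlayer", "identifier": "com.ranysoft.acemusic",
     "path": "/Applications/Cydia.app"},
    {"appname": "ExampleApp", "identifier": "com.example.placeholder",
     "path": "/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb"},
])

if __name__ == "__main__":
    for ident, info in sorted(summarize(SAMPLE).items()):
        print(f"{info['appname']} ({ident})")
        for path, kind in sorted(info["accesses"].items()):
            print(f"  [{kind}] {path}")
```

To run it against a real log, pass the bytes of the transferred kr.typostudio.tsprotector.log.plist to `summarize()` instead of `SAMPLE`; any record labelled “sensitive” is the one worth a closer look.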
Can it be used to make apps work that refuse starting on a JB'n device?
Some people state TiVo (link; current version: 2.0.2) and Bloomberg had protection (current versions: 1.1.3 for iPad and 2.11.7 for non-iPads), of which the latter could be fixed by this app (but not the former). In my test, all three apps ran just fine without my denying any file access.
DIRECTV (current version: 2.2.0), one of the apps that indeed don't run on JB'n devices (see for example THIS), can't be made to work by denying access to the file system. The reason for this might be the fact that DIRECTV uses a special, advanced anti-jailbreak method. For apps like it, you'll need to use xCon. Note that the latter page also lists other apps having special anti-jailbreaking code.
Don't deny everything!
If you play a bit with “offending” apps, you'll soon find out some of them won't start (they exit at once) if you deny access. For example, the great card game Spectromancer, which accesses /etc/timezone, is one of them.
If you run into the problem of having denied something you shouldn't have, just do what I've explained above: enable the app under Settings > Extensions > tsProtector P > Non-allowed App List.
No, you don't need to be afraid of your data being stolen by AppStore apps. They are pretty harmless. Not even on a jailbroken device need you be afraid of them accessing sensitive information: accessing the Camera Roll and contacts is restricted on a JB'n device too (the OS displays a confirmation dialog) and their filesystem-level accesses, as we've seen, don't try to read sensitive information (notes, audio / video recordings, Safari history / cookies / favorites, photos etc.).
A successful attack through your Web browser is far more probable.
Addendum: Improving your safety when jailbroken
Basically, you're unlikely to become a victim of a data theft attack – if you only use well-established, popular tweaks and apps used and, security-wise, tested by thousands of users. HOWEVER:
1.) you shouldn't install OpenSSH on your device unless you really need it. (For example, to gain terminal access via SSH, which can be useful to, say, quickly check the CPU usage of your apps (article)). If you do install it, make sure you also install (the absolutely great) SBSettings and, using it, disable OpenSSH when you don't actively use it. And, of course, change the default root password (alpine). BTW, you can quickly en/disable tsProtector P from SBSettings too.
2.) if you really want to know everything about the communication your apps do, purchase and install one of the best Cydia apps, FirewallIP, which also allows for denying an app to connect to a certain server on the Net. (More info) FirewallIP is, of course, only available for jailbroken devices – that is, it can't be used to track the network access of your AppStore apps on a non-jailbroken iDevice.
3.) wait before you install just-released, new apps and tweaks. While old, popular Cydia apps are absolutely safe, new, relatively unknown ones aren't necessarily so. Let other people find out whether a new app is safe or not.