Subscribe

iPhone hacking made easy

Alex Kayle
By Alex Kayle, Senior portals journalist
Johannesburg, 11 May 2011

iPhone users presume their phones' applications are impervious to attack and consequently do not add security software to their devices.

Absa security consultant Dr Frans Lategan demonstrated at the ITWeb Security Summit, in Sandton, how easy it is to hack into an iPhone with no anti-virus.

Lategan provided a step-by-step demonstration on how to extract the contents of an iPhone backup file, modify the contents, and restore it back to the device.

He explained how iPhone applications have been designed by Apple to be sandboxed, and how they cannot be modified by a developer in any way they want. However, in a 20-minute presentation, he showed how easy it is to crack an application.

Using an example of a freemium game for iPhone, Lategan extracted the application and put the files onto SQL Lite Browser. Once he found the file he was looking for, he then changed it, replaced it and restored the changes onto the application.

The zookeeper game required the user to collect a number of 'stars' as a currency. Lategan hacked into the application and altered the number of stars he had from four to 20 000.

Lategan said the lesson derived from this is that it is extremely simple to crack an iPhone application.

“Securing a mobile application requires in-depth defence. Just because the application is in a sandbox, does not mean the user can trust the data. This data can be rewritten and modified,” he pointed out.

“The application connects back to the main Apple server, so it's important to add an extra check to see whether the data is still in the perimeters it should have been.

“Clearly, we can modify the data in the application. But it's not just the data that can be modified. As soon as you have a SQL database, you can add a trigger that says for overtime you reduce the number of stars, and it just updates back to 20 000.

“This means you can start writing code that bypasses the whole process. Also, all the iPhone system files are in there, including SMS history, deleted SMSes and SMS drafts.”

A hacker can gain access to important information such as geolocation data, IP addresses, passwords and encrypted user credentials. Lategan said this could assist a hacker to create a denial-of-service attack.

Share