How-to make an iPad connect thru a ssh SOCKS proxy + iOS “spyware”

These days I’ve been messing around with DTrace and the Mach side of the OS X kernel. I still have to figure out how to make DTrace helpful in reversing protections and other stuff – I’m talking about efficiency in finding the right spots and gathering information. It’s a very powerful tool for system administration but has some shortcomings regarding reversing. Today I was a bit tired due to lack of proper sleep, so I started messing with the iPad.

One thing I have been looking for since the beginning was a way to tunnel all connections via a ssh SOCKS proxy. The available ssh applications don’t support this option (only normal port forwards), so I went searching for a way to do it. This applies of course to jailbroken devices (while I understand Apple’s decision on sandboxing iOS, the reverser side of me would ask for a jailbreak on/off switch, meaning that Apple would allow you to run whatever you want, at your own responsibility – that would be fun, I love the iPad!). Back on track…

There are three major ways to create the tunnel:

1) Create the tunnel on a desktop/server/laptop machine. In this scenario you connect your computer to the remote host and create a dynamic forward that is reachable from the iPad (or from the local network/world). After this you point the iPad to this local proxy and that’s it. The problem is that you need another computer to do this (besides the remote ssh server that will be the new gateway), so it’s rather inconvenient if you are outside your local/home network. It has another disadvantage that I will show you later.

2) Open a terminal on the iPad, connect to the ssh server and create the dynamic forward (bound to localhost only). Now we just need to point the iPad to the localhost proxy. Much cleaner and much better on the road. For this you will need a terminal app. I have tried MobileTerminal and it does the job (you need to add http://apt.macosmovil.com to the Cydia sources/repos and download it from there – the version available in the default Cydia sources doesn’t work!). The app doesn’t seem to support multitasking, so when you switch to other apps you lose the session (although the ssh process keeps running in the background, so the tunnel stays up). You can install “screen” to solve this :-)

3) Use a ssh application to connect to your iPad (assuming you are running OpenSSH), then from there connect to the ssh server and create the dynamic forward. You should again have a proxy on localhost. I don’t like this method so much because I don’t use passwords for ssh access, only public/private keys, and I still don’t trust the iPad apps enough to leave my private keys there.

The next step is to configure the proxy. You do this in the wireless network settings. There’s no direct support for a SOCKS proxy, so one needs to configure it via an automatic proxy configuration (PAC) file. To do this, you create the file and put it on a web server, either on your local network or on the Internet (the Internet option is better since it’s available anywhere; you could run an http server on the iPad but I think it’s a waste of memory, which is scarce here). Here’s an example of a proxy.pac configuration for a SOCKS proxy:

    function FindProxyForURL(url, host)
    {
        return "SOCKS localhost:8080";
    }

This example configures the iPad to use a SOCKS proxy on localhost at port 8080 (options 2) and 3)). For option 1) you need to configure it with the ip/port of the local machine where you made the proxy available. Now you can test and see if it’s working. To be sure traffic is being forwarded via the tunnel, you can sniff either on the iPad (install tcpdump) or on the remote server (tcpdump -i eth0 port 80, for example) and verify that traffic is going through the ssh connection to the remote server and leaving the gateway towards the site we are trying to access. Since this is a global setting, all apps will forward their traffic thru the tunnel :-)
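As an added example (not the PAC file from the original post), here is a slightly more complete proxy.pac for options 2) and 3): it sends everything through the ssh dynamic forward on localhost:8080 but lets plain hostnames and literal private (RFC 1918/loopback) IPs go DIRECT so that routers, printers and other LAN devices keep working. It deliberately avoids dnsResolve()/isInNet() on hostnames, since the PAC engine would resolve those locally, outside the tunnel, and leak the DNS queries; the isPlainHostName/isInNet stand-ins at the bottom are assumptions added only so the file runs under Node, because the real PAC runtime on iOS provides them.

```javascript
// Added example PAC file; "SOCKS localhost:8080" matches options 2) and 3)
// from the post. For option 1) replace localhost with the desktop's IP/port.
var SOCKS_PROXY = "SOCKS localhost:8080";
var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Single-label names such as "router" or "printer" are LAN devices.
  if (isPlainHostName(host)) return "DIRECT";

  // Only literal IPs are tested against private ranges. Calling isInNet()
  // or dnsResolve() on a hostname would make the device do a local DNS
  // lookup outside the tunnel, leaking the names of every site visited.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // No "; DIRECT" fallback on purpose: if the ssh tunnel is down, requests
  // fail instead of silently leaving over the untunnelled Wi-Fi path.
  return SOCKS_PROXY;
}

// --- Stand-ins for PAC helpers so this runs under Node (assumption).
// --- The iOS/browser PAC runtime supplies the real ones; remove when deploying.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function ipToInt(ip) {
  // Fold four dotted octets into an unsigned 32-bit integer.
  return ip.split(".").reduce(function (n, octet) {
    return (n << 8) + parseInt(octet, 10);
  }, 0) >>> 0;
}

function isInNet(ip, pattern, mask) {
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}
```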

Reference: http://apple.stackexchange.com/questions/5308/how-to-connect-to-a-socks-proxy-from-an-iphone-ipod-touch

As I was saying, I still don’t trust iPad apps due to their rather opaque nature – one cannot easily see what they are doing and I don’t like this loss of control. This is delaying the transition of some of my tasks to the iPad. While I was verifying that the tunnel was working, I saw some interesting packets coming out of the Angry Birds game. It was sending all my gaming information to a remote site, what I did at each level! Check this little excerpt of a capture:

    0x02f0:  0000 0c4c 6576 656c 2066 6169 6c65 6400  ...Level.failed.
    0x0300:  0400 054c 6576 656c 0004 332d 3133 000f  ...Level..3-13..
    0x0310:  4269 7264 7320 6176 6169 6c61 626c 6500  Birds.available.
    0x0320:  0133 0008 4174 7465 6d70 7473 0001 3100  .3..Attempts..1.
    0x0330:  0a42 6972 6473 2075 7365 6400 0133 0000  .Birds.used..3..

The initial request also sends your UUID, iOS version, locale, and probably other information. There is an interesting paper here talking about this, and also the Wall Street Journal articles on the subject. I find it amusing that companies say it’s not spyware but analytics, yet flurry.com reverses to an obscure domain called 411gift.com with opaque domain registration. If it’s so benign, why do you need these tricks?

I knew there were privacy problems but I hadn’t explored them enough to see how deep they were. It seems that analytics “spyware” is widespread in iOS (and also Android) apps and I don’t like it. The Cydia app store has a firewall similar to Little Snitch, but I prefer the harder way: explore iOS and find a way to block this kind of crap – the obvious solution is to mask the UUID or something similar, but I still have to research the impact of this. Another solution is to decrypt all the apps and patch out that spyware crap. Another project for the TODO list :-) I will have to review every single app I use… Damn, security is a pain ;-)

Have fun,
fG!

P.S.: Another interesting paper here. I love the iPad but the amount of information leakage worries me :-) I’m glad we can modify the binaries as we wish!

7 thoughts on “How-to make an iPad connect thru a ssh SOCKS proxy + iOS “spyware””

    1. Wow, that’s a great paper. I just browsed thru the contents and it has very interesting information! Thanks for the tip.
      I’m playing around by removing the calls for the analytics stuff. Programs seem to work without any problems :-)
      The iPad is full of information leakage. We have the classical certificate verification but also Angry Birds downloading each level from a site stored in the Amazon cloud.

      I’m also trying to port gdbinit to the iPad’s gdb but I’m facing some troubles with the flag register. The gdb port to ARM presents the CPSR register (conditional flags besides other stuff) in an array and it seems the only way to print it is in full and to change the flags by inserting the modified full value for the register. Trying to find out how to recompile gdb so I can patch this stuff :-)
      Good luck for the exams :-)

  1. Cheers. For a dumbo like me, where can I get clear instructions for your first option?

    I have played round with a few things but not really got anywhere. It’s the… “create a tunnel and connect to it” bit that I do not have any understanding of.

    Love if you could help

    1. The ssh option you need is DynamicForward. What you need to do is connect to a remote ssh server with that option enabled. Since you want the iPad to connect thru this tunnel, you need to enable this for the IP of the computer the iPad will connect to. Then you configure the proxy.pac to use that IP and port and that’s it.
      Example:
      If desktop computer has IP 192.168.1.1, then you could add the option DynamicForward 192.168.1.1:9000. Connect to the remote ssh server and now you have a Socks proxy running on 192.168.1.1 port 9000. Configure the proxy.pac file to use this and point the iPad to it.

  2. Hey fG,

    I’ve read the last paragraph about flurry.com and their spyware. I was wondering if blocking flurry.com in the hosts file will be enough to hideMyAss? Maybe I should restrict the file permissions to read only and clear all the data inside… in every app :(
    Now I’m seeing a lot of flurry files in every app and it makes me kind of paranoid about my privacy.

    Regards.

    1. Flurry and other analytics libraries use a variety of hosts to upload their data, so you would need to keep blocking them.
      The privacy app available on Cydia repo seems to be outdated and not working. You can try to write something like it using MobileSubstrate or any other injection library (comex has one if I am not mistaken).
      That is a better solution since these libraries are loaded into every app.
      This also seems to be interesting: http://www.nesolabs.de/en/software/gorilla/

      It really sucks that Apple doesn’t provide fine grained controls over this. This is one thing I really don’t like about iOS.
