These days I’ve been messing around with DTrace and the Mach side of the OS X kernel. I still have to figure out how to make DTrace helpful in reversing protections and other stuff – I’m talking about efficiency in finding the right spots and gathering information. It’s a very powerful tool for system administration but has some shortcomings regarding reversing. Today I was a bit tired due to lack of proper sleep time so I started messing with the iPad.
One thing that I was looking for since the beginning was a way to tunnel all connections via an ssh SOCKS proxy. The available iOS ssh applications don’t support this option (only regular tunnels) so I went searching for a way to do it. This applies of course to jailbroken devices (while I understand Apple’s decision on making iOS sandboxes, the reverser side of me would ask for a jailbreak on/off switch, meaning that Apple would allow you to run whatever you want, your responsibility – that would be fun, I love the iPad!). Back on track…
There are three major ways to create the tunnel:
1. Create the tunnel on a desktop/server/laptop machine. In this scenario you connect your computer to the remote host and create a dynamic forward available to the iPad (or the local network/world). After this you point the iPad to this local proxy and that’s it. The problem is that you need another computer to do this (besides the remote ssh server that will be the new gateway), so it’s rather inconvenient if you are outside your local/home network. It has another disadvantage that I will show you later.
2. Open a terminal on the iPad, connect to the ssh server and create the dynamic forward (only for localhost). Now we just need to point the iPad to the localhost proxy. Much cleaner and much better on the road. For this you will need a terminal app. I tried MobileTerminal and it does the job (you need to add http://apt.macosmovil.com to Cydia sources/repos and download from there – the version available at Cydia default sources doesn’t work!). The app doesn’t seem to support multitasking and when you change to other apps you lose the session (although the ssh process runs in the background so it’s not a problem). You can install screen to solve this.
3. Use an ssh application to connect to your iPad (assuming you are running OpenSSH), then connect to the ssh server and create the dynamic forward. You should have a proxy also on localhost. I don’t like this method so much because I don’t use passwords for ssh access, only public/private keys. I still don’t trust the iPad apps enough to leave my private keys there.
The next step is to configure the proxy. You do this in the wireless settings. There’s no direct support for a SOCKS proxy, so one needs to configure it via an automatic proxy configuration file. To do this, you create the file and put it somewhere on a web server, either on the local network or on the Internet (the Internet option is better since it’s available anywhere; you could run an http server on the iPad but I think it’s a waste of memory, which is scarce here). Here’s an example of a proxy.pac configuration for a SOCKS proxy:
function FindProxyForURL(url, host)
{
    // Send every request to the SOCKS proxy listening on localhost:8080
    return "SOCKS localhost:8080";
}
This example configures the iPad to access a SOCKS proxy on localhost at port 8080 (options #2 and #3). For option #1 you need to configure it with the IP/port of the local server where you made the proxy available. Now you can test and see if it’s working. To be sure traffic is being forwarded via the tunnel, you can either sniff at the iPad (install tcpdump) or at the remote server (tcpdump -i eth0 port 80, for example) and verify if traffic is being forwarded to the remote server or leaving the gateway to the site we are trying to access. Since this is a global setting, all apps will forward their traffic through the tunnel.
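A slightly fuller proxy.pac, as an added example that is not part of the original post: it keeps LAN destinations off the tunnel (the remote ssh gateway cannot reach them) and never lists DIRECT as a fallback for Internet hosts, so the file itself never asks for a direct connection when the tunnel is down. It assumes the dynamic forward listens on localhost:8080 as above; the helper isLocalIPv4 is a name made up for this example.

```javascript
// Added example, not from the original post.
// ASSUMPTION: the ssh dynamic forward listens on localhost:8080 (options #2/#3).
// For option #1, replace this with the IP/port of the machine holding the tunnel.
var TUNNEL = "SOCKS localhost:8080"; // deliberately no "; DIRECT" fallback

// Hypothetical helper: true for dotted-quad literals in loopback,
// RFC 1918 private or link-local ranges.
function isLocalIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames (no dot, and not an IPv6 literal), .local names and
  // private addresses live on the LAN, so they go out directly.
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (plainName || /\.local$/.test(host) || isLocalIPv4(host)) {
    return "DIRECT";
  }
  // Everything else goes through the tunnel or not at all.
  return TUNNEL;
}
```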
As I was saying, I still don’t trust iPad apps due to their rather opaque nature – one cannot easily see what they are doing and I don’t like this loss of control. This is delaying the transition of some of my tasks to the iPad. While I was verifying if the tunnel was working, I saw some interesting packets coming out of the Angry Birds game. It was sending all my gaming information to a remote site, what I did at each level! Check this small excerpt of a packet capture:
0x02f0: 0000 0c4c 6576 656c 2066 6169 6c65 6400 ...Level.failed.
0x0300: 0400 054c 6576 656c 0004 332d 3133 000f ...Level..3-13..
0x0310: 4269 7264 7320 6176 6169 6c61 626c 6500 Birds.available.
0x0320: 0133 0008 4174 7465 6d70 7473 0001 3100 .3..Attempts..1.
0x0330: 0a42 6972 6473 2075 7365 6400 0133 0000 .Birds.used..3..
The initial request also sends your UUID, iOS version, locale, and probably other information. There is an interesting paper here talking about this and also the Wall Street Journal articles about this. I find it amusing that companies say it’s not spyware but analytics, but then flurry.com reverses to an obscure domain called 411gift.com with opaque domain registration. If it’s so benign why do you need these tricks?
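To review what an app reports from your own capture, the excerpt above can be decoded mechanically. This is an added example, not code from the original post: the record layout (16-bit big-endian length before each string, an event name, a 16-bit parameter count, then key/value pairs) is inferred only from the bytes shown here and is an assumption, and the function names are made up for the example.

```javascript
// Constructed input: the five tcpdump -X lines quoted in the post.
const DUMP = `
0x02f0: 0000 0c4c 6576 656c 2066 6169 6c65 6400 ...Level.failed.
0x0300: 0400 054c 6576 656c 0004 332d 3133 000f ...Level..3-13..
0x0310: 4269 7264 7320 6176 6169 6c61 626c 6500 Birds.available.
0x0320: 0133 0008 4174 7465 6d70 7473 0001 3100 .3..Attempts..1.
0x0330: 0a42 6972 6473 2075 7365 6400 0133 0000 .Birds.used..3..
`;

// Turn tcpdump -X output back into raw bytes (hex columns only).
function dumpToBytes(text) {
  const hex = text.split("\n")
    .map(line => line.trim().split(/\s+/))
    .filter(tok => /^0x[0-9a-f]+:$/.test(tok[0]))
    .map(tok => tok.slice(1, 9).filter(g => /^[0-9a-f]{2,4}$/.test(g)).join(""))
    .join("");
  return Buffer.from(hex, "hex");
}

// ASSUMPTION (inferred from the excerpt): 16-bit big-endian length, then the string.
function readString(buf, pos) {
  if (pos + 2 > buf.length) throw new RangeError("truncated length");
  const end = pos + 2 + buf.readUInt16BE(pos);
  if (end > buf.length) throw new RangeError("truncated string");
  return { value: buf.toString("utf8", pos + 2, end), next: end };
}

// ASSUMPTION: event = name, 16-bit parameter count, then key/value strings.
function parseEvent(buf, pos) {
  const name = readString(buf, pos);
  const count = buf.readUInt16BE(name.next);
  const params = {};
  let p = name.next + 2;
  for (let i = 0; i < count; i++) {
    const key = readString(buf, p);
    const val = readString(buf, key.next);
    params[key.value] = val.value;
    p = val.next;
  }
  return { name: name.value, params, next: p };
}

// Byte 0 of the excerpt belongs to whatever preceded this record.
const event = parseEvent(dumpToBytes(DUMP), 1);
console.log(event);
```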
I knew there were privacy problems but I didn’t explore it enough to see how deep they were. It seems that analytics “spyware” is widespread in iOS (and also Android) apps and I don’t like it. Cydia appstore has a firewall similar to Little Snitch, but I prefer the harder way to explore iOS and find a way to block this kind of crap – the obvious solution is to mask the UUID or something, but I still have to research the impact of this. Another solution is to decrypt all apps and patch that spyware crap. Another project for the TODO list. I will have to review every single app I use… Damn, security and privacy are painful.
Have fun,
fG!
P.S.: Another interesting paper here. I love the iPad but the amount of information leakage worries me. I’m glad we can modify the binaries as we wish!