Saturday, January 28, 2012

Gmail App Security Issues on iPhone/iPad/iPod

Here is a quick note on the behavior of the Gmail application on iOS (iPhone/iPod/iPad). We focus on an up-to-date iOS 5.0.1 with the latest Gmail app (1.1.0) taken from the App Store at the time of writing. Google will probably patch these security issues faster than it takes you to read these humble thoughts.

Some believe it is more secure to read email through supposedly lightweight applications on i-devices, on the assumption that the emails stay mostly on the remote web resources rather than on the device.

Through the eyes of an attacker, let's see how a stolen, lost or compromised iPhone/iPad could, for example, reveal the content of your emails, contacts, etc.

Moreover, the handling of important authentication data does not follow Apple's security guidelines for developers. This lets an attacker retrieve interesting cookies in clear text, after which it is possible to hijack a Gmail session and steal sensitive information, as you'll see below.

A fresh new vulnerability? Let's read...



The running process is installed by default under a path like this:

/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/GmailHybrid.app/GmailHybrid



Can we get the list of mailboxes handled?


The file "./Library/WebKit/Databases/Databases.db" (relative to the application directory shown above) contains the list of Gmail mailboxes stored on the disk of your iOS device. This gives an attacker, or a forensic analyst (one who stole your device in the street), the list of files to target:



INSERT INTO "Origins" VALUES('https_mail.google.com_0',xxxx);

INSERT INTO "Databases" VALUES(1,'https_mail.google.com_0','xxxxx@gmail.com','xxxxx@gmail.com',xxxx,'0000000000000001.db');



And can we read the content of the cached mailboxes?


Now, by looking at the related files, such as "./Library/WebKit/Databases/https_mail.google.com_0/0000000000000001.db", it's possible to get cached_conversation_headers, addresses, cached_messages, etc.



Here are the structures of some interesting tables cached in clear text on your iPhone/iPad:
CREATE TABLE cached_conversation_headers (conversationId VARCHAR(16) PRIMARY KEY,isUnread INTEGER,isStarred INTEGER,isInbox INTEGER,isSpam INTEGER,isTrash INTEGER,isMuted INTEGER,isPhishy INTEGER,isDraft INTEGER,isActivity INTEGER,isMInbox INTEGER,personalLevel INTEGER,subject TEXT,snippetHtml TEXT,senderListHtml TEXT,numMessages INTEGER,dateMs INTEGER,modifyDateMs INTEGER,userLabelIds TEXT,hasAttachment INTEGER,mostRecentMessageId VARCHAR(16),activityId TEXT,modifiedTime INTEGER,downloadAttempts INTEGER DEFAULT 0, isNotification INTEGER);




CREATE TABLE cached_messages (messageId VARCHAR(16) PRIMARY KEY,conversationId VARCHAR(16),activityId VARCHAR(64),isUnread INTEGER,isStarred INTEGER,isInbox INTEGER,isSpam INTEGER,isTrash INTEGER,isMuted INTEGER,isPhishy INTEGER,isDraft INTEGER,isActivity INTEGER,isMInbox INTEGER,personalLevel INTEGER,subject TEXT,snippetHtml TEXT,address_from VARCHAR(64),address_to VARCHAR(64),address_cc VARCHAR(64),address_bcc VARCHAR(64),address_replyTo VARCHAR(64),receivedDateMs INTEGER,body TEXT,isClipped INTEGER,attachments VARCHAR(64),hasExternalImages INTEGER,hasStrippedExternalImages INTEGER,imagesAlwaysDisplayed INTEGER,uploadedAttachments VARCHAR(64),localUpdate INTEGER,lastAction VARCHAR(16) DEFAULT NULL,originalMessageId VARCHAR(16) DEFAULT NULL, entityRefId VARCHAR(64));




CREATE TABLE cached_labels ( labelId TEXT PRIMARY KEY, position INTEGER, metadata TEXT, totalCount INTEGER, unreadCount INTEGER);

CREATE TABLE cached_contacts ( contactId INTEGER, name TEXT, emailAddress TEXT, isPrimary INTEGER, popularityRank INTEGER, PRIMARY KEY (contactId, emailAddress));




Example of interesting content in this file:



INSERT INTO "cached_queries" VALUES('xxxxxxx','{"conversationId":"xxxxxx","subject":"Get Gmail on your mobile phone","isUnread":1,"clipSize":20480,"checksum":xxxx,"isTombstone":false}','cv',1,0,1,104,xxx,x,xxxx);




Could we get the full content of emails?



INSERT INTO "cached_messages" VALUES('xxxx','xxxx',NULL,1,0,0,0,0,0,0,0,'false',0,2,'Get Gmail on your mobile phone','[image: Access Gmail on your mobile phone] The days of needing your computer ...','[null,"mail-noreply@google.com","Gmail Team"]','[[null,"xxxx@gmail.com","xxxx"]]','[]','[]','[]',xxxx,'[[null,1," FULL CONTENT OF THE EMAIL IN CLEAR TEXT "]]',NULL,'[]',1,0,1,'[]','xxxx',NULL,NULL,NULL);
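The post's recommendation further down is that vendors assess their own applications before shipping. The following script is an added example (not code from the post, nor Google's) of the kind of privacy audit that would have caught this: it opens a WebKit SQLite cache, looks for tables with columns that hold message content or addressing data, and reports how many stored values are readable clear text, without ever returning the values themselves. The table layouts are trimmed copies of the schemas quoted above; all rows, the "0000000000000001.db" file name reused from the post, and the ciphertext stand-in are constructed for the demo.

```python
"""Privacy audit of an app's WebKit SQLite cache, in the spirit of the
pre-release security assessment this post calls for.

Added example, not code from the post.  The table layouts are trimmed
versions of the schemas quoted in the post; every row is constructed."""
import os
import sqlite3
import tempfile

# Column names that, when present in a cache table, hold user content or
# addressing data that should not sit on disk in clear text.  Matched
# case-insensitively against the columns the post's schemas expose.
SENSITIVE_COLUMNS = {
    "body", "subject", "snippethtml", "senderlisthtml", "name", "emailaddress",
    "address_from", "address_to", "address_cc", "address_bcc", "address_replyto",
}

# Constructed stand-in for an encrypted body: every byte value once, so the
# printable-text ratio stays far below the clear-text threshold.  Not real
# encryption; it only shows what a protected column looks like to the audit.
CIPHERTEXT_STAND_IN = bytes(range(256))


def looks_like_cleartext(value, threshold=0.95):
    """True when a stored value is almost entirely printable text.
    Email text passes; a BLOB of arbitrary bytes (ciphertext) does not."""
    if value is None:
        return False
    text = value.decode("latin-1") if isinstance(value, bytes) else str(value)
    if not text:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / len(text) >= threshold


def audit_cache(db_path, sample=50):
    """Scan every table of a SQLite cache.  For each table that has sensitive
    columns, report the row count and, per sensitive column, how many of the
    first `sample` non-NULL values are readable clear text.  Counts only."""
    findings = {}
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            hits = [c for c in columns if c.lower() in SENSITIVE_COLUMNS]
            if not hits:
                continue
            rows = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            cleartext = {}
            for col in hits:
                values = [r[0] for r in con.execute(
                    f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                    (sample,))]
                cleartext[col] = sum(1 for v in values if looks_like_cleartext(v))
            findings[table] = {"rows": rows, "cleartext": cleartext}
    finally:
        con.close()
    return findings


def build_sample_cache(db_path):
    """Create a cache with constructed rows in trimmed copies of the post's
    cached_messages, cached_contacts and cached_labels tables."""
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE cached_messages (messageId VARCHAR(16) PRIMARY KEY,
            conversationId VARCHAR(16), subject TEXT, address_from VARCHAR(64),
            address_to VARCHAR(64), body TEXT);
        CREATE TABLE cached_contacts (contactId INTEGER, name TEXT,
            emailAddress TEXT, isPrimary INTEGER, popularityRank INTEGER,
            PRIMARY KEY (contactId, emailAddress));
        CREATE TABLE cached_labels (labelId TEXT PRIMARY KEY, position INTEGER,
            metadata TEXT, totalCount INTEGER, unreadCount INTEGER);
    """)
    # A message cached the way the post describes: everything in clear text.
    con.execute("INSERT INTO cached_messages VALUES (?, ?, ?, ?, ?, ?)",
                ("m1", "c1", "Get Gmail on your mobile phone",
                 '[null,"mail-noreply@google.com","Gmail Team"]',
                 '[[null,"user@example.com","User"]]',
                 '[[null,1,"The days of needing your computer ..."]]'))
    # Same table, but with the body protected before being written to disk.
    con.execute("INSERT INTO cached_messages VALUES (?, ?, ?, ?, ?, ?)",
                ("m2", "c2", "Quarterly numbers",
                 '[null,"cfo@example.com","CFO"]',
                 '[[null,"user@example.com","User"]]', CIPHERTEXT_STAND_IN))
    con.execute("INSERT INTO cached_contacts VALUES (?, ?, ?, ?, ?)",
                (1, "Alice Example", "alice@example.com", 1, 10))
    con.execute("INSERT INTO cached_labels VALUES (?, ?, ?, ?, ?)",
                ("^i", 0, "{}", 2, 1))
    con.commit()
    con.close()


def run_demo():
    """Build the constructed cache in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as workdir:
        db_path = os.path.join(workdir, "0000000000000001.db")
        build_sample_cache(db_path)
        return audit_cache(db_path)


if __name__ == "__main__":
    for table, finding in run_demo().items():
        print(f"{table}: {finding['rows']} rows, clear-text values per column: "
              f"{finding['cleartext']}")
```

Run against the constructed cache, the audit flags cached_messages (subject and both address columns clear text in 2 of 2 rows, body in only 1 of 2, because the second body was protected before storage) and cached_contacts, while cached_labels produces no finding since it holds no user content. The point of reporting counts rather than values is that the same script can be run against a real device cache or backup without itself becoming a leak of the data it checks.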


Could someone hijack a Gmail account?

One of the most interesting files is called "./Library/Cookies/Cookies.binarycookies".

A binary analysis of this file reveals the cookies used by the Gmail app.

One of these cookies, a famous one, is called "GX"; it is well known in the IT security community as the one that allows hijacking a Gmail session.

And, yes, it does work...
Indeed, with its content, you can crawl *.mail.google.com/mail* with the identity of another Gmail user. This could be very useful to steal data, etc.



FAQ (questions to TEHTRI-Security)



What could be done by Google?
They could move from a web application to a more native application, adding security layers:

Encrypt personal data such as emails/contacts/... to get rid of these privacy issues.

Avoid storing sensitive technical authentication data in clear text. For example, the GX cookie could follow Apple's security guidelines by being kept in the Keychain.

Run a security assessment of their applications before submitting them to the App Store.



Are these files cached on the hard drive of the host with iTunes sync?

Yes. This means that you must also take care of iOS backups, by protecting them with passwords. By the way, there is no native way to easily push a remote policy to ensure that an end user will not use a weak (or no) iTunes backup password.
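Since there is no remote policy for this, the check has to be done on the host itself. The script below is an added example (not from the post) of such a check: it walks the iTunes backup folder, reads each backup's Manifest.plist and lists the backups whose IsEncrypted flag is not set, with the device name and iOS version from the manifest's Lockdown dictionary. The default backup roots, the manifest keys read, and the two sample backups written for the demo are assumptions of this example; on a real host you would point find_unencrypted_backups at the actual backup folder.

```python
"""List iOS backups on a host that are not password-protected.

Added example, not from the post.  Assumes the iTunes backup layout where each
backup folder holds a Manifest.plist with an IsEncrypted flag and a Lockdown
dictionary (DeviceName, ProductVersion).  The sample backups written by
write_sample_backup are constructed and contain only those keys."""
import os
import plistlib
import tempfile

# Backup roots on a default iTunes installation (assumed defaults; adjust if
# the library has been relocated).
DEFAULT_BACKUP_ROOTS = [
    os.path.expanduser("~/Library/Application Support/MobileSync/Backup"),
    os.path.join(os.environ.get("APPDATA", ""),
                 "Apple Computer", "MobileSync", "Backup"),
]


def find_unencrypted_backups(root):
    """Return [(folder, device name, iOS version)] for every backup under root
    whose manifest does not set IsEncrypted.  A missing flag is treated as
    unencrypted, which is the safe default for an audit."""
    results = []
    if not os.path.isdir(root):
        return results
    for entry in sorted(os.listdir(root)):
        manifest_path = os.path.join(root, entry, "Manifest.plist")
        if not os.path.isfile(manifest_path):
            continue
        with open(manifest_path, "rb") as fh:
            manifest = plistlib.load(fh)      # handles binary and XML plists
        if manifest.get("IsEncrypted", False):
            continue
        lockdown = manifest.get("Lockdown", {})
        results.append((entry,
                        lockdown.get("DeviceName", "?"),
                        lockdown.get("ProductVersion", "?")))
    return results


def write_sample_backup(root, folder, encrypted, device_name):
    """Write a constructed backup folder holding only the manifest keys the
    check reads, in the binary plist format iTunes uses."""
    backup_dir = os.path.join(root, folder)
    os.makedirs(backup_dir)
    manifest = {
        "IsEncrypted": encrypted,
        "Lockdown": {"DeviceName": device_name, "ProductVersion": "5.0.1"},
    }
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
        plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)


def run_demo():
    """Two constructed backups, one protected and one not; only the second
    should be reported."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_backup(root, "constructed-udid-1", True, "Alice's iPhone")
        write_sample_backup(root, "constructed-udid-2", False, "Bob's iPad")
        return find_unencrypted_backups(root)


if __name__ == "__main__":
    for folder, device, version in run_demo():
        print(f"unencrypted backup {folder}: {device} (iOS {version})")
    for root in DEFAULT_BACKUP_ROOTS:
        for folder, device, version in find_unencrypted_backups(root):
            print(f"unencrypted backup {folder}: {device} (iOS {version})")
```

An unencrypted backup holds the same application container, including the WebKit databases and cookie store discussed above, so this is the check to run on every workstation that syncs a device, not only on the device itself.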


Is it the same with other Google Apps products?

This is left as an exercise for the reader. By the way, Google is extremely fast at patching security bugs, so while you're reading these lines they might already have fixed these vulnerabilities (or not).





Is it the same with other brands and products? Or is it sometimes even worse?
For sure. The Google Security Team is also dedicated to hunting security vulnerabilities, so we guess these products would have had even more security flaws without internal audits, etc. From what we have seen, there are currently plenty of applications on the App Store that are totally vulnerable, many of them coming from really famous IT companies, banks, etc.



How do you explain that mobile applications are so poorly protected?

The goal of companies is not to protect the end users of their products. The goal is just to make buzz, do business and survive in this complex IT world with many enemies, economic crisis, etc. The time when you could almost blindly use tools without checking them has ended. If you care about your security, you should definitely check by yourself, or hire companies with the right skills, on the Net or near you.




Examples to share?
We found vulnerabilities that are currently being patched, so we cannot share them. Some exploits we created could have helped compromise a great many companies or government agencies worldwide. That's why we always contacted the vendors directly, to avoid cyber-conflicts. We always tried to encrypt our findings, but, funnily enough, some vendors replied through clear-text channels including our proofs of concept or exploits... So, we won't share examples here. Just know that even security products or sensitive applications might be totally vulnerable :-)
If you think you might have issues in specific cases, and we can be sure of who you are, contact us directly in case it might help, or check with your security people.



Why do you look for vulnerabilities, and do you do it in your spare time?
Spare time can be used to find vulnerabilities, but most of the time we create 0days during penetration tests or security assessments. As we are challenged by big entities that want to stress their applications and verify what really skilled attackers would be able to do, beyond the known paths of standard audits, we always try to verify and follow any idea that could lead to a way to spy on remote accounts, steal data, stop industrial processes, etc. So, most of the time, our 0days and exploits are created because we need them to demonstrate security issues. On-demand hacking :-)



Compared to TEHTRIS, we don't believe in 0days for the security business?

Don't do business. Just do security. For some customers, IT security is not just something useful for publishing papers at conferences or articles in the press. IT security is linked to millions/billions in money issues, to thousands of jobs that could be lost because of large-scale intrusions, to industrial/commercial secrets, etc.

And from our experience, when you know about some threats, even if they cannot be patched, it can first help you detect unknown attack vectors thanks to their distinctive behaviors, and also mitigate these issues with new measures, etc. Some companies prefer to know the kind of advanced technical paths that potential intruders could try.

Some prefer to hide behind certifications, etc. It's a survival choice, a posture choice. Here at TEHTRI-Security, we can only help those who want to fight against information leaks for real, with protection and counter-intelligence.
We know that, for some people, it's not useful to find/use 0days during pentests, as no patch is available. And we do respect that. Sometimes, maybe, some should do less business and more anti-cyber-intelligence work, where 0days do matter.

Good luck to all of us. 2012 might be funny.