Adventures with iOS UIWebviews
Recently I have been assessing a number of mobile Android and iOS applications. The majority of the applications I have reviewed make use of WebKit Webviews. WebKit is an open source web browser engine. A Webview is often used to load HTML content as an in-process web browser, to save passing the user off to the platform's web browser. They are also often used when a developer wants to quickly port a web application to multiple mobile platforms without having to create a specific UI for each. In addition to these general use cases, clients keep finding ingenious ways to make use of them. The most common implementation that I come across is to facilitate advertisement loading from remote advertisers.

I often find that by reviewing the code base and/or performing an application assessment, vulnerabilities are discovered that can be leveraged specifically because of how a WebKit Webview has been implemented; however, the level of compromise achievable, and to what end, is very platform dependent. The level of compromise is obviously also dependent on the application itself and, in most cases, specific to the client I am dealing with. The remediation and mitigation strategies also differ wildly from platform to platform. When assessing the same mobile application on multiple platforms, the same issues can be found, but when I report back to the developers I am giving the iOS and Android developers different remediation and mitigation strategies. This is a point of frustration for all involved and is what has ultimately led me to produce this post (rant).

In this post I'll try to illustrate the differences between the OS X, Android and iOS WebKit implementations. I'll specifically be concentrating on how best to implement a WebKit UIWebview in order to reduce the likelihood of exploitation and to help limit an attacker's movements should a compromise occur on the iOS platform, as this is the platform that offers the least amount of assistance.
Before we delve into iOS though, it would be prudent to discuss Webview implementations and the security features that are available on the Android and OS X platforms first.