Booz Allen Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102
www.boozallen.com

April 23, 2015

Bill Cerniuk
810 Vermont Ave, NW
Washington, DC 20420

Re: HipaaChatLite AppCritique Security Report Findings

This letter and attached report are intended to address the Fail rating that was assigned to the above-mentioned app by Booz Allen Hamilton on the Analytics and Project Coordination Support contract. We recommend an overall evaluation of Fail for HipaaChatLite for the following reasons:

- Stores screenshots, pictures and audio recordings unencrypted and with low file protection values
- Pictures and audio can be accessed by any user with trusted access to the device
- Vulnerable to account impersonation by replaying stolen tokens

Specific details around the findings can be found in the subsequent report.

Regards,
Travis Hoffmann
Booz Allen Hamilton

AppCritique Security Report
HipaaChat Lite, Ver: 4.0.0

App Metadata

Version: 4.0.0
Developer: Tapestry Telemed LLC
Package Name: com.tapestrytelemed.hipaachat
Platform: iOS
iTunes App Store Link: https://itunes.apple.com/us/app/id642738088

Executive Summary and Overall Security

Overall Evaluation for Use Recommendation: Fail

This app stores screenshots, pictures, and recorded audio unencrypted and with low file protections. It is also potentially vulnerable to account impersonation by replaying stolen tokens.

[Figure: overall security chart. The more red there is, the more security risk is present in the app. Each peak indicates a Not Present, Warn, or Present value for a specific check.]

Potential Attack Vectors

[Figure: the checks categorized into common mobile attack vectors.]
Overall Evaluation Results

Area of Concern: Risk Rating
- Functionality: Medium Risk
- Data Storage: Medium Risk
- Networking: Medium Risk

Summary of Findings

- The app does not clear the cache of sensitive data transmitted over HTTPS, including authentication tokens
- The app does not scrub sensitive information from screenshots taken for backgrounding
- The app uses potentially vulnerable C functions
- The app downloads executable JavaScript code
- Files are stored with low file protection values
- Video and audio recordings are stored unencrypted and can be accessed by any user with trusted access to the device
- Authentication tokens are stored in the cache with low file permissions
- The app uses a known weak hashing algorithm
- The app is taking over the certificate validation process, which could allow self-signed certificates and leave connections vulnerable to man-in-the-middle attacks
- The app transmits video over alternate UDP ports

Functionality Findings

The app caches sensitive authentication tokens that are exchanged via HTTPS. This information should instead be stored in the keychain.

The app neglects to scrub sensitive information from screenshots. When the app is minimized, the screenshots are stored with low file protections and are not cleared of any sensitive data. The app contains a PIN code feature designed to further secure the app if it is restored after minimization or if it is logged in to. Restoring the app from minimization will still display sensitive information cached in the backgrounded screenshot before displaying the PIN entry. Logging in to the app will also still display the sensitive information for a fraction of a second before displaying the PIN entry.
Checks Conducted (Functionality)

Check: Result. Explanation.
- App Writes to Media Directory: Not Present. App does not write to the media directory.
- Sensitive Data Synchronized to Cloud: Not Present. No sensitive information was detected synchronizing to the cloud.
- Sensitive Information Found in App Artifacts: Present. Sensitive information is stored in app screenshots. Audio and video recordings are stored in the app's Documents directory unencrypted and with low file protections.
- Weak Access Control: Not Present. No weak access control was detected.
- Possible Input Validation Vulnerability: Warn. App uses methods that require input validation. App may be vulnerable to formatting or injection vulnerabilities.
- Lacks Binary Protections: Not Present. App was compiled with binary protections.
- App Includes Unnecessary Functionality: Not Present. No unnecessary code detected.
- Downloads Executable Code: Present. App downloads executable JavaScript code that may be malicious.
- App Alters OS Permissions: Not Present. iOS apps cannot alter OS permissions.
- Contains Known Malware: Not Present. App has been vetted by Apple's review process and does not contain any known malware.

Data Storage Findings

The app stores audio recordings and pictures taken by its users unencrypted and with low file protections in the application's Documents directory. These are accessible to anyone who can bypass the lock screen or gain trust on the device, regardless of who is logged in to the app. Files are stored with low file protection values, which could allow the files to be accessed while the device is locked.

Additionally, a login token was found stored in the cache. This token could potentially be stolen and reused to impersonate a user and read their messages or perform other actions within the app as though you were logged in as that user.
Because we cannot test the backend web service that the app uses, and because we do not know how long the token is valid for, the likelihood of this attack succeeding given the factors involved is unknown.

The app uses a known weak hashing algorithm.

Checks Conducted (Data Storage)

Check: Result. Explanation.
- Security Information Found Outside Keychain: Warn. Authentication tokens are stored in the app's web cache.
- Sensitive Information Vulnerable: Warn. Screenshots are not scrubbed before being stored. Audio recordings and pictures are stored unencrypted with low file protections.
- Weak or Untested Encryption: Warn. App uses a weak or deprecated encryption library. Encrypted data may be vulnerable.

Networking Findings

The app transmits video chat data over alternate ports using UDP. It is unknown whether this traffic is properly encrypted, and it is possible that an adversary could decrypt video traffic being exchanged between two devices. Analysis of UDP traffic would require an extended amount of time because the protocol is connectionless and carries no session structure to follow.

Checks Conducted (Networking)

Check: Result. Explanation.
- Sensitive Information Vulnerable in Transit: Present. Video and audio chats are conducted over UDP and may be unencrypted.
- Sensitive Cookies Insecure: Not Present. All cookies use secure flags, or no cookie was found.
- Non-Standard Protocol Use: Present. This app uses arbitrary UDP ports for audio and video conversations.
- Sensitive Information Transmitted To Third Parties: Not Present. No sensitive information was detected in transit to a third party.
- Unnecessary Sensitive Information Transmitted: Not Present. No unnecessary sensitive information was detected in transit.
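The Summary of Findings notes that the app takes over certificate validation in a way that could accept self-signed certificates. The following added example (not code from the report or from the HipaaChat app) shows the NSURLSession challenge handler a defender would want instead: the system's chain validation is kept, and a pin on the server's leaf certificate is added on top. The weak pattern is shown only as a comment for contrast. PHIPinningDelegate, PHISHA256Hex and the kPinnedLeafSHA256 value are hypothetical; the hash is a placeholder to be replaced with the SHA-256 of the certificate the app actually ships.

```objective-c
// Added example, not code from the report or the HipaaChat app.
// PHIPinningDelegate, PHISHA256Hex and kPinnedLeafSHA256 are hypothetical names/values.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Placeholder: the hex SHA-256 of the DER-encoded server certificate bundled with the app.
static NSString * const kPinnedLeafSHA256 = @"<sha256-of-pinned-der-certificate>";

// Hex SHA-256 of a DER certificate, used to compare against the pin.
static NSString *PHISHA256Hex(NSData *der) {
    unsigned char md[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, md);
    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [hex appendFormat:@"%02x", md[i]];
    return hex;
}

// The pattern the report's "Invalid SSL Certificate" warning points at is a handler that
// unconditionally answers a server-trust challenge with
//   [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]
// without evaluating the trust first. That accepts any certificate, self-signed included.

@interface PHIPinningDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PHIPinningDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    if (![challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust challenge: leave it to the system's default handling.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;

    // 1. Standard chain validation against the system trust store (iOS 12+ API).
    CFErrorRef cfErr = NULL;
    BOOL chainOK = SecTrustEvaluateWithError(trust, &cfErr);
    if (cfErr) CFRelease(cfErr);

    // 2. Pin: the leaf certificate must match the one shipped with the app.
    //    SecTrustGetCertificateAtIndex is deprecated from iOS 15 in favour of
    //    SecTrustCopyCertificateChain, but still compiles and runs.
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
        pinOK = [PHISHA256Hex(der) isEqualToString:kPinnedLeafSHA256];
    }

    if (chainOK && pinOK) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Cancelling makes the request fail loudly instead of silently downgrading trust.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```

Install the delegate with `[NSURLSession sessionWithConfiguration:... delegate:[PHIPinningDelegate new] delegateQueue:nil]`. Keeping the `SecTrustEvaluateWithError` step means expiry, hostname and chain errors are still caught even if the pin itself is rotated carelessly; pinning alone, without chain validation, would reintroduce the very problem the report describes.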
Connection Summary

Ad Networks: Google ad network
Analytics Networks: Google analytics
Cloud Networks: Amazon AWS cloud network
Social Networks: none detected
Distribution Networks: none detected

Web Connections (URL, Country Code)
http://004-qsk-624.mktoresp.com  US
http://munchkin.marketo.net  US
http://netdna.bootstrapcdn.com  GB
http://use.typekit.net  US
http://www.everbridge.com  US
http://www.hipaachat.com  US
https://api3.hipaachat.com  US
https://cdn.auth0.com  US
https://hipaachat.auth0.com  US
https://www.gravatar.com  US

* If a country code is not provided, it could not be determined. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com.

Hard-Coded Strings Found

Embedded IPs (IP, Country Code)
127.0.0.1  *

Embedded URLs (URL, Country Code)
http://acedicom.edicomgroup.com  GB
http://barbados.usembassy.gov  US
http://bugzilla.xamarin.com  US
http://code.google.com  US
http://crl.comodo.net  GB
http://crl.comodoca.com  GB
http://crl.entrust.net  US
http://crl.geotrust.com  US
http://crl.globalsign.net  US
http://crl.netsolssl.com  GB
http://crl.pki.wellsfargo.com  US
http://crl.securetrust.com  US
http://crl.sgtrustservices.com  FR
http://crl.usertrust.com  GB
http://crl.xrampsecurity.com  US
http://crt.comodoca.com  GB
http://cybertrust.omniroot.com  US
http://docs.xamarin.com  US
http://experiencestmartin.com  US
http://fedir.com  GB
http://logo.verisign.com  US
http://ns.adobe.com  US
http://ocsp.comodoca.com  GB
http://ocsp.entrust.net  US
http://policy.camerfirma.com  ES
http://repository.swisssign.com  CH
http://s2.turksandcaicosyp.com  US
http://schemas.microsoft.com  US
http://studentsabroad.state.gov  US
http://tirana.usembassy.gov  US
http://travel.state.gov  US
http://www.airportairport.com  DE
http://www.angolatelecom.com  AO
http://www.apple.com  US
http://www.areacodedownload.com  US
http://www.britishvirginislands.com  US
http://www.certicamara.com  US
http://www.certplus.com  US
http://www.cnc.gov  *
http://www.com  BS
http://www.digicert.com  US
http://www.dot.gov  US
http://www.dps.gov  *
http://www.entrust.net  CA
http://www.firmaprofesional.com  ES
http://www.frommers.com  US
http://www.gexf.net  FR
http://www.google.com  US
http://www.ida.gov  *
http://www.justice.gov  US
http://www.nanpa.com  US
http://www.nationalnanpa.com  US
http://www.phonebookoftheworld.com  US
http://www.quovadisglobal.com  BM
http://www.startssl.com  IL
http://www.trustdst.com  US
http://www.usertrust.com  GB
http://www.valicert.com  US
http://xamarin.com  US
https://api.opentok.com  US
https://ocsp.quovadisoffshore.com  BM
https://secure.comodo.com  GB
https://www.apple.com  US
https://www.catcert.net  ES
https://www.net  CA
https://www.netlock.net  HU
www.camerfirma.com  ES
www.cnmiphonebook.com  MP
www.digicert.com  US
www.entrust.net  CA
www.google.com  US
www.login.live.com  *
www.login.skype.com  *
www.login.yahoo.com  *
www.mail.google.com  *
www.xrampsecurity.com  US

Embedded Emails
ca@trustwave.com
certs@thawte.com
contacto@procert.net
cps@netlock.net
ec_acc@catcert.net
ellenorzes@netlock.net
info@izenpe.com
info@netlock.net
info@valicert.com
ops@trustdst.com
server@thawte.com

* If a country code is not provided, it could not be determined. This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com.

Other Hard-Coded Strings (String: Explanation)
- /Users/tokbox/jenkins/workspace/otkit-ios-sdk/otkitobjc/OTVideoCaptureProxy.m: Hard-coded developer user directory
- /etc/passwd: Hard-coded path to the Unix user list file
- SELECT 'CREATE TABLE %s.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0: Creating hard-coded tables in a SQLite database

Recommendations and Remediation

The following are suggested changes that would be required for this app to pass a DISA review, a standard DISA review (not based on the assumptions outlined in the App Testing Working Assumptions Doc), or to improve security.

Action 1: Enforce strict file protections. The default file protection level for all files should be NSFileProtectionComplete.

Action 2: Scrub all sensitive information from screenshots. Whenever the app is minimized by pressing the home button, overwrite the screenshot used to background the app with a black or white screen to prevent sensitive PHI from being leaked.

Action 3: Encrypt all audio recordings and pictures taken by the app. Messages sent in plain text are already encrypted in addition to their file protections, so the same should apply to recordings and pictures.

Action 4: Store all authentication tokens in the keychain. Any authentication information, whether passwords or authentication tokens, should be stored in the keychain and not in the cache. The developer should clear all sensitive information from the cache by overriding the willCacheResponse behavior.

Screenshots

[Figure: the main messaging view of the app.] This screen is displayed immediately on login. Even if the PIN code feature is enabled in the HipaaChat settings, this screen will still display briefly before the PIN entry screen is displayed over it. This screen, as well as the actual contents of the chat and any other sensitive information, will be kept in any screenshots taken when the app is minimized.
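Remediation actions 1, 2 and 4 above, together with the cache-clearing behaviour they call for, implemented in Objective-C for an iOS app as an added example; this is not code from the report or from the HipaaChat app, and it also addresses the token-caching and screenshot findings in the Functionality and Data Storage sections. Action 3 is not shown, since the report says the app's existing message encryption should simply be extended to recordings and pictures. The names PHIWriteProtected, PHIEnforceProtectionInDocuments, PHIPrivacyAppDelegate, PHIStoreToken, PHISessionDelegate, PHIMakeSession and the kPHITokenService string are hypothetical.

```objective-c
// Added example, not code from the report or the HipaaChat app. All PHI* names and the
// kPHITokenService string are hypothetical.
#import <UIKit/UIKit.h>
#import <Security/Security.h>

#pragma mark - Action 1: enforce NSFileProtectionComplete

// New files: request the Complete class at creation time, so the file never sits on disk
// under a weaker class. Returns NO (with *error set) on failure.
BOOL PHIWriteProtected(NSData *data, NSString *fileName, NSError **error) {
    NSURL *docs = [[NSFileManager defaultManager] URLForDirectory:NSDocumentDirectory
                                                         inDomain:NSUserDomainMask
                                                appropriateForURL:nil
                                                           create:YES
                                                            error:error];
    if (!docs) return NO;
    return [data writeToURL:[docs URLByAppendingPathComponent:fileName]
                    options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                      error:error];
}

// Existing files (recordings and pictures written before the fix): walk Documents and
// raise anything below Complete. Returns the number of files whose class was changed.
NSUInteger PHIEnforceProtectionInDocuments(void) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSString *docs = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                         NSUserDomainMask, YES).firstObject;
    NSUInteger changed = 0;
    for (NSString *rel in [fm enumeratorAtPath:docs]) {
        NSString *path = [docs stringByAppendingPathComponent:rel];
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:NULL];
        if (![attrs[NSFileType] isEqualToString:NSFileTypeRegular]) continue;
        // A missing NSFileProtectionKey is treated like NSFileProtectionNone.
        NSString *level = attrs[NSFileProtectionKey] ?: NSFileProtectionNone;
        if ([level isEqualToString:NSFileProtectionComplete]) continue;
        if ([fm setAttributes:@{NSFileProtectionKey: NSFileProtectionComplete}
                 ofItemAtPath:path error:NULL]) changed++;
    }
    return changed;
}

#pragma mark - Action 2: scrub the backgrounding screenshot

@interface PHIPrivacyAppDelegate : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) UIWindow *window;
@property (nonatomic, strong) UIView *cover;
@end

@implementation PHIPrivacyAppDelegate
// iOS captures the app-switcher snapshot after the app resigns active, so the cover must
// be on screen before this method returns. A plain white view is what the report asks for.
- (void)applicationWillResignActive:(UIApplication *)application {
    if (!self.cover) {
        self.cover = [[UIView alloc] initWithFrame:self.window.bounds];
        self.cover.backgroundColor = [UIColor whiteColor];
    }
    [self.window addSubview:self.cover];
}
// Remove the cover once the app is active again. An app with a PIN screen should present
// that screen before this point so the chat view is never visible underneath.
- (void)applicationDidBecomeActive:(UIApplication *)application {
    [self.cover removeFromSuperview];
}
@end

#pragma mark - Action 4: tokens go in the keychain, never in the cache

static NSString * const kPHITokenService = @"com.example.chat.auth-token"; // hypothetical

BOOL PHIStoreToken(NSString *account, NSString *token) {
    NSDictionary *query = @{(__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
                            (__bridge id)kSecAttrService: kPHITokenService,
                            (__bridge id)kSecAttrAccount: account};
    SecItemDelete((__bridge CFDictionaryRef)query);            // replace any older token
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    // Readable only while the device is unlocked, and never moved to another device by backup.
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL) == errSecSuccess;
}

// Stop HTTPS responses (and any tokens they carry) from being written to the URL cache.
@interface PHISessionDelegate : NSObject <NSURLSessionDataDelegate>
@end
@implementation PHISessionDelegate
- (void)URLSession:(NSURLSession *)session
          dataTask:(NSURLSessionDataTask *)dataTask
 willCacheResponse:(NSCachedURLResponse *)proposedResponse
 completionHandler:(void (^)(NSCachedURLResponse *))completionHandler {
    completionHandler(nil);   // nil means: do not cache this response
}
@end

// Pair the delegate with a session that has no on-disk cache at all.
NSURLSession *PHIMakeSession(void) {
    NSURLSessionConfiguration *cfg = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    cfg.URLCache = nil;
    cfg.requestCachePolicy = NSURLRequestReloadIgnoringLocalCacheData;
    return [NSURLSession sessionWithConfiguration:cfg
                                         delegate:[PHISessionDelegate new]
                                    delegateQueue:nil];
}
```

Run `PHIEnforceProtectionInDocuments()` once at launch after an update so files written by older versions are brought up to NSFileProtectionComplete, and route every API call through the session returned by `PHIMakeSession()`. Both the `willCacheResponse:` override and the ephemeral configuration are used together because the first stops a specific response from being cached while the second removes the on-disk Cache.db that the report found the token in.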
Standards Mapping

Columns: Check Category / Check Name: Result. MAPP-SRG. OWASP Mobile Top 10 2014. HIPAA.

- App Alters OS Permissions / App Alters Operating System Permissions: Not Present. MAPP-SRG: SRG-APP-000033-MAPP-00010.
- App Includes Unnecessary Functionality / Found Linked Frameworks not Directly Used by App: Not Present. MAPP-SRG: SRG-APP-000033-MAPP-00012, SRG-APP-000141-MAPP-00031. OWASP: M10.
- App Writes to Media Directory / App Writes to Media Directory: Not Present. MAPP-SRG: SRG-APP-000243-MAPP-00049. OWASP: M4.
- Contains Known Malware / App Contains Known Malware: Not Present. MAPP-SRG: SRG-APP-999999-MAPP-00077.
- Downloads Executable Code / Downloads and Executes JavaScript Without User Permission: Present. MAPP-SRG: SRG-APP-000022-MAPP-00009. OWASP: M7.
- Lacks Binary Protections / App is not Compiled with Automatic Reference Counting: Not Present. MAPP-SRG: SRG-APP-999999-MAPP-00069. OWASP: M10.
- Lacks Binary Protections / App is not Compiled With PIE (Position Independent Executable) Protection: Not Present. MAPP-SRG: SRG-APP-999999-MAPP-00069. OWASP: M10.
- Lacks Binary Protections / App is not Compiled with Stack Smashing Protection: Not Present. MAPP-SRG: SRG-APP-999999-MAPP-00069. OWASP: M10.
- Possible Input Validation Vulnerability / Source Uses Vulnerable C Functions: Warn. MAPP-SRG: SRG-APP-000251-MAPP-00054, SRG-APP-999999-MAPP-00069. OWASP: M7.
- Security Information Found Outside Keychain / Files Contain Sensitive Information: Present. MAPP-SRG: SRG-APP-000129-MAPP-00029, SRG-APP-999999-MAPP-00066. OWASP: M2, M5.
- Security Information Found Outside Keychain / Social Networking Token Found: Not Present. MAPP-SRG: SRG-APP-999999-MAPP-00066. OWASP: M2.
- Sensitive Cookies Insecure / Sensitive Cookies Insecure: Not Present. MAPP-SRG: SRG-APP-000196-MAPP-00042.
- Sensitive Data Synchronized to Cloud / Sensitive Data Synchronized to Cloud: Not Present.
- Sensitive Data is Unencrypted in Transit: Warn. MAPP-SRG: SRG-APP-000264-MAPP-00057. OWASP: M3. HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii).
- Invalid SSL Certificate: Warn. MAPP-SRG: SRG-APP-000264-MAPP-00057. OWASP: M3. HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii).
- Unnecessary Sensitive Information Transmitted / Unnecessary Sensitive Information Transmitted: Not Present. MAPP-SRG: SRG-APP-999999-MAPP-00075. OWASP: M4.
- Weak Access Control / Uses Falsifiable Values for Authentication: Not Present. OWASP: M5. HIPAA: 164.312(a)(2)(i), 164.312(d), 164.312(e)(2)(i).
- Weak or Untested Encryption / Uses Weak Encryption Library: Present. OWASP: M6. HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii).

The remaining check categories in the mapping are Non-Standard Protocol Use, Sensitive Information Found in App Artifacts, Sensitive Information Transmitted To Third Parties, Sensitive Information Vulnerable and Sensitive Information Vulnerable in Transit. The check names listed under them, and the values in the remaining columns, appear in the source table as follows, column by column.

Check names: Sensitive Information Found in NSLog; Sensitive Information Found in Multi-Tasking Display; Sensitive Information Found in URL Cache; Sensitive Information is Transmitted to a Third Party; No Default File Protection is Specified; Low File Protection Levels; PList Files Contain Sensitive Information; Files Contain Sensitive Information; SQLite Contains Sensitive Information; UIPasteBoard Leaks Information; Does not Use Appropriate SSL/TLS Standards; Sensitive Data Found on Non-Standard Port/Protocol; Files not Encrypted Using Username / Password (Applies When Login is Present); "Remember Me" Sessions Enabled by Default; Social Networking Token Found.

Results, in table order: Not Present; Present; Present; Present; Not Present; Present; Warn; Not Present; Not Present; Present; Present; Present; Warn; Not Present; Not Present; Not Present.

MAPP-SRG references: SRG-APP-000196-MAPP-00042 (five rows); SRG-APP-000243-MAPP-00049; SRG-APP-000264-MAPP-00057; SRG-APP-000129-MAPP-00029; SRG-APP-000266-MAPP-00059; SRG-APP-999999-MAPP-00075; SRG-APP-000129-MAPP-00029, SRG-APP-999999-MAPP-00066; SRG-APP-999999-MAPP-00070; SRG-APP-000192-MAPP-00038, SRG-APP-000193-MAPP-00039, SRG-APP-000194-MAPP-00040, SRG-APP-000195-MAPP-00041.

OWASP Mobile Top 10 2014 references: M5; M2; M4; M2, M5; M2; M7; M3; M3; M5; M5; M2; M3; M4; M4; M4; M4; M4; M4.

HIPAA references: 164.312(a)(2)(iv); 164.312(c)(2); 164.312(a)(2)(iv), 164.312(c)(2), 164.312(d), 164.312(e)(2)(i); 164.312(a)(2)(iii), 164.312(e)(2)(i); 164.312(c)(2); 164.312(c)(2); 164.312(c)(2); 164.312(a)(2)(iv), 164.312(e)(2)(ii); 164.312(c)(2).