Snipping a lot again...
On 10/07/2012 0:43, Jonas Sicking wrote:
On Mon, Jul 9, 2012 at 3:07 PM, Antonio Manuel Amaya Calvo <[email protected]> wrote:
But before we go further, it's a bit unclear to me what types of
attacks you are worried about and want to protect against. Could you please
elaborate on whether you are worried about what the app itself can do, or
about what someone else can do to attack the app.
The most basic attack is a spoofing or misleading attack. That would be
one in which we've checked a client side application, with its CSS,
images, HTMLs, etcetera, but we allow remote loading of anything that's
shown to the user as part of the UI. So where we previously saw a
Username:
Password:
with a 'TrustedAppLogo' background image the user can now see a
Username:
Password:
with a Bank of America background.
Now it's perfectly legal for an application to ask for a username and
password to check on its server, and so the veto would OK it. But
without changing any client side functionality (I ask for a
username/password and send it to www.trustedapp.com) now I'm doing some
fine phishing.
This is the more basic attack. Now depending on what permissions the
application has asked for and been granted because it was trusted, the
basic attack can be complicated, and the application (either the
original developer or a clever attacker that hacks the server) can find
novel ways to trick the user.
So what I'm worried about is that on the web it's quite easy to
transform "downloaded data" into "user interface". In fact it's not only
easy, it's part of the model. And that model works. It just cannot be
called trusted that way.
Ok, so it sounds like the attack you are worried about is that the app
itself will change its behavior and trick the user into entering login
credentials for something other than the app.
The attack you are describing is possible without network connection
too. The app can simply ship both the facebook background image and
the bank-of-america background image and swap them as needed. If it
wants to, it can obfuscate the bank-of-america background image, or
even generate it using code so that there are no image files which the
store reviewer might find.
However all of these things, including loading the image from a
server, are visible by reviewing the code of the application. It's
certainly hard to find these things, but no harder than finding any
other things through code review.
Note that reviewing the app by simply testing the app is *never* going
to be a good enough way to review an app. You will always have to look
at the code of the app.
I was assuming all the time that 'review' meant 'code review', sorry if
I gave the wrong impression at some point... and thus that anything
that's included on the client package could be revised. But server side
content is another beast altogether since even if we could in theory
revise that also it's kinda pointless since the code could be changed at
any point without notice.
If the review is going to include at least an attempt to remove the
ability to hijack the interface just by altering server side content,
then we're in agreement after all.
Best regards,
Antonio
--
Antonio Manuel Amaya Calvo
Security&Trust on N&S, Telefonica I+D
email: [email protected]
Tlf.: +34-91.312.98.95
D. Ramón de la Cruz 82, 28006 Madrid, SPAIN
________________________________
This message is intended exclusively for its addressee. We only send and
receive email on the basis of the terms set out at
http://www.tid.es/ES/PAGINAS/disclaimer.aspx
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps