Archive for April 22, 2021

Thursday, April 22, 2021

Exploiting Vulnerabilities in Cellebrite

Moxie Marlinspike:

Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.


Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned.


Also of interest, the installer for Physical Analyzer contains two bundled MSI installer packages named AppleApplicationsSupport64.msi and AppleMobileDeviceSupport6464.msi. These two MSI packages are digitally signed by Apple and appear to have been extracted from the Windows installer for iTunes version


In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.


Update (2021-05-05): Lucas Ropek (via Hacker News):

A Maryland defense attorney has decided to challenge the conviction of one of his clients after it was recently discovered that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, has severe cybersecurity flaws that could make it vulnerable to hacking.

Update (2021-05-19): Riana Pfefferkorn (via Hacker News):

What will be the likely ramifications of Signal’s discovery in court cases? I think the impact on existing cases will be negligible, but that Signal has made an important point that may help push the mobile device forensics industry towards greater accountability for their often sloppy product security. Nevertheless, I have a raised eyebrow for Signal here too.


So while computer security folks were giggling at Signal’s cute, clever blog post, lawyers like me were sighing. Why? Because of an important life lesson that engineers typically don’t understand: Judges hate cute and clever.


You aren’t helping your cause when a reporter can’t tell which parts of your blog post are jokes and which parts are serious, or what you mean by your weird coy phrasing. This blog post was plainly written in order to impress and entertain other hackers and computer people. But other hackers aren’t the real target audience; it’s lawyers and judges and the law enforcement agencies that are Cellebrite’s customers. They tend to prefer clear communication, not jokes and references to 25-year-old cult films.


And meanwhile, the existence of Cellebrite devices has served as, I think, a safety valve to keep backdoor mandates from being imposed on smartphone manufacturers in the U.S. to date, despite the occasional effort to do so.

Menuwhere 1.0

Rob Griffiths (tweet):

This handy $3 utility puts the frontmost app’s menu bar into a pop-up menu at your mouse’s location—say goodbye to those long trips to the menu bar; the main menu is now just a hot key away[…]

There were several classic Mac OS apps that did this, and it’s also similar to the way the NeXT menu bar worked. It’s never been my cup of tea on a desktop Mac, where I find it easy to fling the mouse to the top of the screen. Notebooks may be a different matter, though, as trackpads are slower and less precise. To me, Menuwhere seems best used via the keyboard, both because you can avoid repositioning your hands and because typing eliminates the need for precise cursor movements to navigate the submenus.

Many Tricks:

I have two 27" displays with the menu bar only on the left display. It’s a very long trip from bottom right, even with mouse acceleration.

And if you’re using the keyboard, Fitts’ Law doesn’t apply: Invoke our app, start typing, done.

The first big new feature is an “all apps” menu option: Define a separate hot key, and Menuwhere will show you all the menus from all your apps[…]

Kaleidoscope 2.4.1

Filipe Espósito:

After a long period without major updates, Kaleidoscope has been acquired by Letter Opener GmbH, which is now committed to providing regular updates to the app with new features. Following the release of an update last month to reduce memory usage, Kaleidoscope 2.4 brings new options focused on developers.

The new Xcode Debugger integration provides “ksp” and “kspo” commands in “lldb,” as well as new inputs with the “ksdiff” tool.

Florian Albrecht:

Wouldn’t it be great if one could visually compare what exactly your app does during runtime?

This is where this integration comes in. It helps you send any textual or graphical output of the debugger to Kaleidoscope, so you can inspect differences down to the last character or pixel.

Florian Albrecht:

As it turned out, some AppKit/UIKit classes are notoriously hard to convert into the right destination format. Under the hood, the runtime sometimes uses optimized structures.

In Kaleidoscope 2.4.1 we provide built-in support for the most common objects. In detail:

  • iOS: UIImage and UIView (which includes its subclass UIWindow)
  • macOS: NSImage, NSView and NSWindow.


Examining Competition in App Stores

The video of the senate judiciary hearing is here and here.

Lauren Goode:

Daru, from Tile, says that when Apple made changes in iOS for the rollout of Find My, Apple started showing people prompts to turn Tile off but not turn off Find My. Also says new “magic onboarding flow” with AirTags isn’t available to third parties like Tile.

Match CLO says Google called Match last night asking why Match’s public testimony was different than what co said about the situation in earnings call earlier this year…Google sr director of public policy says this was not meant to be intimidation, just a standard biz call.

Sen. Lee is asking Tile’s Daru questions about Apple that she says she can’t answer because Apple required Tile to sign an NDA. Lee immediately turns to Apple counsel and asks co to waive NDA, on the spot. (I have a feeling this isn’t going to go very far.)

Juli Clover:

Tile has known about Apple’s work on the AirTag for some time now and has brought it up in prior legal proceedings as it is unhappy to have Apple as competition in the item tracking space. To avoid antitrust complaints, Apple waited to launch AirTags until it had already debuted the Find My Network accessory program, which allows third-party Bluetooth devices like item trackers to integrate into the Find My app alongside AirTags.

The Find My network is open to Tile, but it does require item trackers to work exclusively with Find My, and Tile already has an established item tracking app and its own network that uses smartphones for crowdsourced tracking purposes.


With the App Store competition hearing kicking off today, Fight for the Future launched an “Abolish the App Store” initiative that calls on people to sign a petition to demand that Congress “end the App Store monopoly.”

Juli Clover:

Match, meanwhile, complained that it had wanted to add ID verification rules to boost the app’s safety in Taiwan, but Apple would not allow it to do so. Match contacted an Apple executive, who allegedly told the company that it should be glad Apple was not taking all of its revenue. “You owe us every dime you’ve made,” the Apple executive reportedly said.


Update (2021-05-24): Lauren Feiner (via Amy Klobuchar):

Spotify Chief Legal Officer Horacio Gutierrez said he could think of “at least four clear examples of threats and retaliation” from Apple after Spotify decided to speak out about alleged anticompetitive behavior and Apple’s fees for developers on digital products purchased through its platform. That included threats of removing Spotify’s app, refusing to promote it, or waiting for months for minor app updates to be approved, he said.

“They’ve basically thrown the book at us in order to make it hard for us to continue to sustain our decision to speak up,” he said.

The App Store Isn’t Catching the Most Egregious Scams

Nick Heer:

One more thing that I think is critical is that it is, right now, impossible to flag an app as a rule-breaker or a scam. Say you download an app and it is, in some way, worth reporting to Apple. Let’s start in the App Store, where there is no button to report an app, not even in the app listing’s share menu. If you go to Apple’s Report a Problem website, you will see all of your purchases and downloads from your Apple ID, and you will be asked a question, “What can we help you with?” for a dropdown menu containing these options[…] If you pick the last one, you’ll be sent to a screen where you will be told to contact Apple Support if you think your Apple ID has been compromised; it has nothing to do with the items you purchased or downloaded.


But it appears that, if a scam makes its way into the App Store, Apple is entirely dependent on users posting on social media or contacting Apple through another channel to be alerted to problems.

Sean Hollister:

Recently, I reached out to the most profitable company in the world to ask a series of basic questions. I wanted to understand: how is a single man making the entire Apple App Store review team look silly? Particularly now that Apple’s in the fight of its life, both in the courts and in Congress later today, to prove its App Store is a well-run system that keeps users safe instead of a monopoly that needs to be broken up.

That man’s name is Kosta Eleftheriou, and over the past few months, he’s made a convincing case that Apple is either uninterested or incompetent at stopping multimillion-dollar scams in its own App Store. He’s repeatedly found scam apps that prey on ordinary iPhone and iPad owners by luring them into a “free trial” of an app with seemingly thousands of fake 5-star reviews, only to charge them outrageous sums of money for a recurring subscription that many don’t understand how to cancel. “It’s a situation that most communities are blind to because of how Apple is essentially brainwashing people into believing the App Store is a trusted place,” he tells The Verge.


And we’re starting to hear from Apple insiders, too, that the company’s claims about App Store security are overblown. Eric Friedman, the head of the company’s Fraud Engineering Algorithms and Risk (FEAR) team, will be testifying in next month’s Epic Games trial. In a recent deposition he spoke of the App Review team as “bringing a plastic butter knife to a gun fight” and “more like the pretty lady who greets you with a lei at the Hawaiian airport than the drug sniffing dog.” His team reportedly believed App Review’s job was incentivized to get apps “through the pipe” and “move people through” like TSA employees.


By the way: you know that app that John Gruber helped draw attention to in 2019, the one that reportedly charged $10 every week for wallpaper you could find free online? It’s still on the App Store. Never got removed.

Nick Heer:

It is remarkable because it is so simple. Hollister was easily able to replicate Eleftheriou’s scam-finding techniques, which combine data that Apple makes publicly available and information estimated by SensorTower. Some of these scams are raking in, according to Eleftheriou and SensorTower’s data, millions of dollars per year, and they are plentiful.

Ben Thompson:

App Review [somehow] seems far more effective in figuring out how to navigate from a privacy policy on a web page to a purchase page (and subsequently rejecting the app) than it is in rooting out scams.

David Heinemeier Hansson:

Now the problem is that Apple is defacto an accomplice to fraud. They knowingly aided and abetted scams that preyed on consumers and cost them millions. They were alerted and warned, specifically and repeatedly, about these scams, and not only did they do nothing, they continued to profit from the scams! Every scam that ran through the in-app payment system paid Apple a 30% cut of the take.


Update (2021-05-05): Kosta Eleftheriou:

Apple’s non-answers to Senator @ossoff’s great questions in yesterday’s hearing should anger all of us. They did not offer any explanation for why it’s so easy for me to keep finding multi-million-dollar @AppStore scams that have been operating for years.

Kosta Eleftheriou:

Two years later, the developer account of a fraudulent and LIFE THREATENING app is still up on the @AppStore! 🤯

Update (2021-05-07): Juli Clover:

At the time, Temple Run was a super popular iOS exclusive title, and in February 2012, a fake version of Temple Run hit the App Store charts. Schiller sent out an email to Eddy Cue, Greg Joswiak, Ron Okamoto, Phillip Shoemaker, Matt Fischer, Kevin Saul, and others on the App Store team. “What the hell is this????” he asked. “How does an obvious rip off of the super popular Temple Run, with no screenshots, garbage marketing text, and almost all 1-star ratings become the #1 free app on the store?”

“Is no one reviewing these apps? Is no one minding the store?” he ranted on, before asking whether people remembered a talk about becoming the “Nordstrom” of App Stores in quality of service.


Oh, spin me once again a yarn about how the App Store is inherently slathered in discerning curation; so discerning that low effort scams emerge, and so discerning that automated processes are dreamed up to salvage the situation, with automatically triggered removal of already approved applications without consideration for due process or developer impact the inevitable and apparently desirable outcome.