Is Apple's iOS profile secure?
There are many security risks.

The possible malicious uses of iOS configuration profiles are described below.

1. Man-in-the-middle hijacking of communications.

A configuration profile can set a "global HTTP proxy server", and once the proxy is set, all HTTP data from the device can be monitored. This method was discussed at the Black Hat USA 2015 conference. The "VPN" function can also be used to monitor all communication data.

2. Rogue promotion

A configuration profile can set a "Web Clip", which displays an icon for a specified URL on the home screen and can be made undeletable, which makes it very suitable for rogue promotion. If the icon cannot be deleted, the configuration profile must be removed first before the icon can be removed.

3. Malicious restriction of normal device functions.

The "Access Restriction" settings can turn off many normal functions of the device, and can even prohibit deleting apps and changing the passcode, so they are easily abused to restrict normal use of the device.

4. Adding certificates and forging HTTPS websites.

A configuration profile allows certificates to be installed. The PKCS #1 and PKCS #12 formats are as follows:

PKCS #1: RSA encryption standard. PKCS #1 defines the basic format standard for RSA public key functions, especially digital signatures. It defines how a digital signature is computed, including the format of the data to be signed and of the signature itself. It also defines the syntax of RSA public and private keys.

PKCS #12: Personal Information Exchange Syntax Standard. PKCS #12 defines the format of personal identity information (including private keys, certificates, various secrets and extension fields). PKCS #12 helps to transfer certificates together with their private keys, so users can move their personal identity information between devices.

If the added certificate is a root certificate (not sure whether one can be installed without jailbreaking), forgery becomes easy. See the incidents in which Lenovo pre-installed Superfish and Dell pre-installed the eDellRoot certificate. Dell shipped the private key of the eDellRoot certificate along with it, which could easily be recovered by reverse engineering and abused.

When a browser on a device with such a certificate installed visits an HTTPS page, no security warning appears, so it is easy to forge sensitive HTTPS websites such as online banking and email.
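A defender can check a profile for the payloads behind items 1 to 4 before installing it. The following is an added example, not code from the original page: it assumes an unsigned XML `.mobileconfig` (a signed profile must be unwrapped from its CMS envelope first), uses Apple's documented payload type names, and runs on a constructed sample profile with placeholder hosts.

```python
import plistlib

# Apple payload types mapped to the numbered risks described on this page.
RISKY_TYPES = {
    "com.apple.proxy.http.global": "1: global HTTP proxy sees all HTTP traffic",
    "com.apple.vpn.managed": "1: VPN can route all traffic through a third party",
    "com.apple.security.root": "4: installs a root certificate",
    "com.apple.security.pkcs1": "4: installs a PKCS #1 certificate",
    "com.apple.security.pkcs12": "4: installs a PKCS #12 identity (cert + private key)",
}
# Restrictions keys that take away normal device functions when set to false.
LOCKDOWN_KEYS = ("allowAppRemoval", "allowPasscodeModification")


def audit_profile(raw: bytes) -> list[str]:
    """Return one finding per risky payload in an unsigned .mobileconfig."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", ptype)
        if ptype in RISKY_TYPES:
            findings.append(f"{name}: {RISKY_TYPES[ptype]}")
        elif ptype == "com.apple.webClip.managed" and payload.get("IsRemovable") is False:
            findings.append(f"{name}: 2: non-removable Web Clip -> {payload.get('URL')}")
        elif ptype == "com.apple.applicationaccess":
            off = [k for k in LOCKDOWN_KEYS if payload.get(k) is False]
            if off:
                findings.append(f"{name}: 3: restrictions disable {', '.join(off)}")
    return findings


# Constructed sample profile (not taken from a real deployment).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "example.constructed.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.proxy.http.global", "PayloadDisplayName": "Proxy",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.webClip.managed", "PayloadDisplayName": "Clip",
         "URL": "https://promo.example.invalid/", "Label": "Deals", "IsRemovable": False},
        {"PayloadType": "com.apple.applicationaccess", "PayloadDisplayName": "Limits",
         "allowAppRemoval": False, "allowCamera": True},
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Wi-Fi"},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print(line)
```
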

5. In a jailbroken environment, the displayed certificates are not synchronized with what is actually stored.

iOS has a sqlite3 file whose absolute path is "/private/var/keychains/truststore.sqlite3".

This file stores the list of certificates that the device actually trusts. The list of certificates shown under "Settings" -> "General" -> "Profiles" may be out of sync with the list stored in this file. If the sqlite3 file is changed manually, the phone's actual list of trusted certificates will be completely different from what is shown under Profiles.

If an attacker, through a jailbreak tweak or even a malicious application that slipped past App Store review by some underhanded means, modifies the file "/private/var/keychains/truststore.sqlite3" on a jailbroken iPhone and inserts the attacker's own certificate, such as a Burp Suite certificate, the attacker can carry out a man-in-the-middle attack at the victim's gateway unnoticed (of course, this is not possible against applications at the level-3 security level), and the victim is completely unaware.

Because the victim will not find anything abnormal when viewing the trusted certificates under "Settings" -> "General" -> "Profiles", the attacker can steal and tamper with the victim's data without the certificate ever being displayed.

So, on a jailbroken phone, don't assume you can sit back and relax just because no strange certificates appear as installed under "Settings" -> "General" -> "Profiles".