lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 6 Nov 2019 22:06:03 -0500
From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] Insecure Defaults in Adobe’s Mobile SDKs

[Original post:
https://wwws.nightwatchcybersecurity.com/2019/11/06/insecure-defaults-in-adobes-mobile-sdks/]

SUMMARY

Example/default configuration files provided by Adobe within their
mobile SDKs include several insecure options. These have also been
found in the wild in multiple mobile applications. When these options
are used insecurely, attackers can view or modify information
transmitted by the application back to Adobe’s cloud services.

Application developers are encouraged to check the configuration files
within their own applications to make sure these options are set
correctly. The vendor has updated some of these files with secure
alternatives – for others, new SDKs are available with secure
defaults.

We also have a tool available (“truegaze“)
[https://github.com/nightwatchcybersecurity/truegaze] that can be used
for static scanning of mobile applications with insecure defaults in
their Adobe configurations.

DETAILS

Adobe provides multiple mobile SDKs intended for integration into
mobile applications across multiple platforms. These SDKs communicate
between the mobile apps and the vendor-provided cloud services. Some
of the example/default configuration files include insecure settings.
This can lead to applications copying these insecure settings into
their own applications and we have observed this behavior in the wild.
We are also working on automated tools to detect these files with
insecure settings within mobile applications.

The main configuration file for these SDKs is called
“ADBMobileConfig.json”
[https://docs.adobe.com/content/help/en/mobile-services/android/configuration-android/json-config.html]
and is usually packaged within the application file. There are several
insecure settings included within this file which may lead to
sensitive data being transmitted without SSL and can be seen or
modified by an attacker with access to the network traffic. These
include:
- analytics -> ssl – Enables (true) or disables (false) the ability to
send measurement data by using SSL (HTTPS). Default is false. This is
the one most commonly found and should be changed to “true” by
default.
- mediaHeartbeat -> ssl – enables (true) or disables (false) the
ability to send hearbeat data by using SSL (HTTPS). Default is false.

There are also additional settings which can be incorrectly set not to
use SSL, but are not usually presented that way by default:
- postback -> templateurl – configuration for the postback URL which
are used to send data collected by the SDK to a third party server
- remotes – defines the Adobe-hosted endpoints for dynamic
configuration files including:
-- analytics.poi – endpoint for hosted POI configuration.
-- messages – endpoint for hosted in-app message configuration

This can also be configured via code as follows:
- C/C++/Objective C – hbConfig.ssl = NO;
- JS – MediaHeartbeatConfig.ssl = false

Here is an abbreviated example file with the insecure settings highlighted:

{
  "analytics": {
    ...
    "ssl": false,
    ...
  },
  "messages": [
    {
      ...
      "payload": {
        "templateurl": "http://example.com/subscriptions/{%mcid%}",
        ...
      },
      ...
    },
  ],
  "remotes": {
        "analytics.poi":
"http://assets.adobedtm.com/staging/42a6fc9b77cd9f29082cf19b787bae75b7d1f9ca/scripts/satellite-53e0faadc2f9ed92bc00003b.json",
        "messages":
"http://assets.adobedtm.com/staging/42a6fc9b77cd9f29082cf19b787bae75b7d1f9ca/scripts/satellite-53e0f9e2c2f9ed92bc000032.json"
    }
 }

Examples

The following examples/docs were reported to the vendor and were
updated to have secure defaults:
- https://docs.adobe.com/content/help/en/mobile-services/android/configuration-android/json-config.html
- https://docs.adobe.com/content/help/en/mobile-services/ios/config-ios/json-config.html
- https://docs.adobe.com/content/help/en/mobile-services/universal-windows/config-univ-win-plat/c_json.html
- https://github.com/AdobeDocs/mobile-services.en/blob/master/help/blackberry/dev-qs.md
- https://github.com/AdobeDocs/mobile-services.en/blob/master/help/universal-windows/c-getting-started/dev-qs.md
- https://github.com/AdobeDocs/mobile-services.en/blob/master/help/windows-appstore/c-getting-started/dev-qs.md
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/samples/Android/ADBMobileSamples/app/src/main/assets/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/samples/Android/ADBMobileSamples/app/src/main/assets/ADBMobileConfigBloodhound.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/samples/Android/AndroidWearableSample/mobile/src/main/assets/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/samples/iOS/ADBMobileSamples/AdobeMobile/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/samples/iOS/appleWatchExample/AdobeMobileLibrary/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/Xamarin/ADBMobile/samples/AndroidSample/AndroidSample/Assets/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/Xamarin/ADBMobile/samples/iOSSample/iOSSample/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/Android/AdobeMobileLibrary/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/BB10/AdobeMobileLibrary/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/Cordova/ADBMobile/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/iOS/AdobeMobileLibrary/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/Windows/AdobeMobileLibrary/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/Windows8/AdobeMobileLibrary/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/mobile-services/blob/master/sdks/Xamarin/ADBMobile/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/android/samples/BasicPlayerSample/assets/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/android/samples/BasicPlayerSample/assets/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/chromecast/samples/BasicPlayerSample/index.html
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/iOS/samples/BasicPlayerSample/libs/AdobeMobile/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/iOS/samples/BasicSwiftPlayerSample/libs/AdobeMobile/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/roku/libs/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/roku/samples/adoberokudemo/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/media-sdks/blob/master/sdks/roku/samples/SampleSceneGraphPlayer/ADBMobileConfig.json

The following have insecure defaults and are present within
vendor-provided code, documentation or code samples. The vendor will
not be fixing them:
- https://github.com/Adobe-Marketing-Cloud/video-heartbeat/blob/master/sdks/android/samples/BasicPlayerSample/assets/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/video-heartbeat/blob/master/sdks/ios/samples/BasicPlayerSample-tvOS/BasicPlayerSample/analytics/VideoAnalyticsProvider.m#L82
- https://github.com/Adobe-Marketing-Cloud/video-heartbeat/blob/master/sdks/ios/samples/BasicPlayerSample-tvOS/libs/AdobeMobile/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/video-heartbeat/blob/master/sdks/ios/samples/BasicPlayerSample/BasicPlayerSample/analytics/VideoAnalyticsProvider.m#L83
- https://github.com/Adobe-Marketing-Cloud/video-heartbeat/blob/master/sdks/ios/samples/BasicPlayerSample/libs/AdobeMobile/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/video-heartbeat/blob/master/sdks/tvml/samples/SampleAtvJSApp/ADBMobile-tvOS/ADBMobileConfig.json
- https://github.com/Adobe-Marketing-Cloud/video-heartbeat/blob/master/sdks/tvml/samples/SampleAtvJSApp/SampleAtvApp/js/application.js#L34
- https://marketing-beta.adobe.com/resources/help/mobile/android/json_config.html

VENDOR RESPONSE AND MITIGATION

Application developers utilizing the Adobe SDK within their
applications should check the configuration for the SDK to make sure
all of the options are set securely.

The vendor provided the following response:

Thanks for reaching out to Adobe.  The configuration file you
identified is an empty “sample” file, and we’re working with the owner
to update that config to use SSL by default.  In practice, Adobe
customers will either:
1. Download a file from Mobile Services (where SSL is on by default)
2. Engage Adobe professional services to create a configuration file
(wherein SSL is recommended) or,
3. Customers will create their own configuration (where the vast
majority enable SSL)

Additionally, we’ve released a new version of the SDK
(https://github.com/Adobe-Marketing-Cloud/acp-sdks), configurable in
Launch, where SSL is always turned on by default.

The vendor also fixed most of these issues and provided the following
response regarding the remaining unfixed issues:
Adobe has announced end-of-support for these vulnerable SDKs and
encourages customers to move to our new version of the SDK where SSL
is the default:
https://aep-sdks.gitbook.io/docs/version-4-sdk-end-of-support-faq

STATIC SCANNING TOOLS

We have developed an open source tool that can be used for static
scanning of mobile applications with insecure defaults in their Adobe
configurations. You can find it here:
https://github.com/nightwatchcybersecurity/truegaze

REFERENCES

Adobe tracker # PSIRT-9709
Vendor documentation: see here

CREDITS

Advisory written by Y. Shafranovich.

TIMELINE

2019-03-04: Initial report to the vendor
2019-05-06: Followup communication with the vendor
2019-07-28: Draft blog post sent to the vendor for review
2019-08-01: Follow-up communication with the vendor
2019-08-09: Follow-up communication with the vendor
2019-10-08: Follow-up communication with the vendor
2019-10-29: Follow-up communication with the vendor
2019-10-30: Ok to publish received from the vendor
2019-11-06: Public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists