Mobile app security testing research from Google has shown that a range of Android and iOS devices are open to attack over WiFi, leading to device takeover.
Gal Beniamini at Google’s Project Zero published his research on a WiFi chipset from Broadcom that is used in iOS and Android phones. Apple released a patch for the vulnerability in iOS 10.3.1, stating that “an attacker within range may be able to execute arbitrary code on the WiFi chip”. Beniamini’s own research noted that the flaw allowed the execution of code on an up-to-date Nexus 6P “by Wi-Fi proximity alone, requiring no user interaction.”
The mobile app security testing research uses WiFi frames, small packets of WiFi data, holding irregular values that cause the firmware on Broadcom’s chipset to overflow its stack. The frames target timers that perform regular events, such as scanning for networks in proximity; from there it is possible to overwrite device memory with executable shellcode. The same route gives attackers a way to run malicious code on susceptible devices.
The hardware lacks the mitigating security protections that would be expected of modern software and hardware: there is no counter to exploits such as stack cookies, safe unlinking or access permission protection.
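To make the bug class concrete, here is an added illustration (not Project Zero’s code, nor Broadcom’s firmware) of the pattern described above: a handler that copies a WiFi information element from a received frame into a fixed-size stack buffer while trusting the frame’s own length byte, shown beside the bounds-checked version. The IE layout, buffer size and function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed Wi-Fi information element (IE) layout: [id][len][data]. */
#define IE_BUF_SIZE 32

/* Vulnerable pattern: the length byte from the frame is trusted, so an
 * IE longer than the stack buffer overflows the handler's stack frame.
 * Without stack cookies nothing detects the overwritten return address. */
int parse_ie_unchecked(const uint8_t *frame, size_t frame_len)
{
    uint8_t buf[IE_BUF_SIZE];
    if (frame_len < 2) return -1;
    size_t ie_len = frame[1];
    if (2 + ie_len > frame_len) return -1;  /* frame is long enough... */
    memcpy(buf, frame + 2, ie_len);         /* ...but buf may not be */
    return (int)ie_len;
}

/* Hardened pattern: also bound the copy by the destination size. */
int parse_ie_checked(const uint8_t *frame, size_t frame_len)
{
    uint8_t buf[IE_BUF_SIZE];
    if (frame_len < 2) return -1;
    size_t ie_len = frame[1];
    if (2 + ie_len > frame_len) return -1;
    if (ie_len > sizeof buf) return -1;     /* reject an oversized IE */
    memcpy(buf, frame + 2, ie_len);
    return (int)ie_len;
}

/* Build a constructed frame with one IE of the given length and run it
 * through the chosen parser (checked != 0 selects the hardened one). */
int parse_constructed_ie(uint8_t len, int checked)
{
    uint8_t frame[2 + 255];
    frame[0] = 0x00;                        /* IE id (arbitrary) */
    frame[1] = len;
    memset(frame + 2, 0x41, len);           /* filler payload */
    size_t n = (size_t)len + 2;
    return checked ? parse_ie_checked(frame, n) : parse_ie_unchecked(frame, n);
}

int main(void)
{
    printf("200-byte IE, hardened parser: %d\n", parse_constructed_ie(200, 1));
    printf("16-byte IE, hardened parser:  %d\n", parse_constructed_ie(16, 1));
    printf("16-byte IE, original parser:  %d\n", parse_constructed_ie(16, 0));
    return 0;
}
```

The hardened parser rejects the 200-byte element with -1, while the unchecked one would copy it straight over its own stack frame; the demo only feeds the unchecked parser an in-bounds element.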
For iPhone users the newest OS update provides a fix. Android users must wait for the April security update to include a fix, which will only be available to a limited number of devices, and then a further two weeks or more to receive the over-the-air update.
There’s a lot more to read in Beniamini’s post, along with some food for thought on the security of the hardware that underpins the mobile ecosystem and on the classic Apple vs Google security question.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.