Bug 27340 - Security: mtouch talks plaintext over port 80
Summary: Security: mtouch talks plaintext over port 80
Status: RESOLVED FIXED
Alias: None
Product: iOS
Classification: Xamarin
Component: Tools ()
Version: XI 8.6.0
Hardware: Macintosh Mac OS
Importance: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2015-02-24 02:41 UTC by henrik
Modified: 2015-02-25 12:03 UTC (History)
3 users

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
insecsure content loaded (121.23 KB, image/png)
2015-02-24 02:42 UTC, henrik



Description henrik 2015-02-24 02:41:49 UTC
Given that a lot of developers sit on public WiFi (ignoring DNS poisoning), it would be a good idea not to load resources over the internet, unencrypted. Especially so when we have people hacking internet routers and doing effectively 'man in the middle attacks' which race the server to send the reply and how easy software like evilgrade will make it to inject content into the application.

When starting XS some mtouch-64 tries to load insecure resources. See screenshot.

Start by moving everything to HTTPS and using HSTS for your domains, as well as making XS ignore downgrade attacks (HTTPS to HTTP).
Comment 1 henrik 2015-02-24 02:42:12 UTC
Created attachment 9995 [details]
insecsure content loaded
Comment 2 henrik 2015-02-24 02:45:46 UTC
You're not a TV, but it's a fun podcast: https://kasperskycontenthub.com/threatpost/files/2014/09/digital_underground_168.mp3
Comment 3 Mikayla Hutchinson [MSFT] 2015-02-24 15:06:17 UTC
XS already uses HTTPS for everything, not sure why mtouch is accessing the internet.
Comment 4 Sebastien Pouliot 2015-02-24 15:43:56 UTC
We'll check. I do not recall any direct* use of port 80. In fact there's not much network activity from mtouch. 

Just for confirmation, can you tell us which version of XI you're using (e.g. you can copy-paste the text from the XS About box dialog).

* It could come from some Apple API we're using (hopefully only if you opted in to share information with Apple for either OSX or Xcode).
Comment 5 Sebastien Pouliot 2015-02-24 16:38:40 UTC
The IP address you gave us, 184.86.13.15, traces back to a184-86-13-15.deploy.static.akamaitechnologies.com (in NL, Europe).

Several Apple services are using Akamai, e.g. itunes [1], and `mtouch` is reusing some of Xcode/iTunes libraries to access your iOS devices.

I still want to be 100% sure, if possible, about what's going on (and where) since I have not seen this behaviour locally (but it could be a periodic, e.g. daily/weekly, check).

* Does this happen when doing a specific operation? e.g. build, deploy to simulator, deploy to device...

* Does your tool report the exact URL (not just the host) being accessed?

Thanks!

[1] http://www.ip-tracker.org/locator/ip-lookup.php?ip=itunes.apple.com
Comment 8 henrik 2015-02-25 04:17:15 UTC
It's on every start of XS.
Comment 9 Sebastien Pouliot 2015-02-25 08:48:27 UTC
Thanks for the additional information.


> http://www.apple.com/DTDs/PropertyList-1.0.dtd
 
Every *.plist contains that specific (http) URL. If resolved, then it's not surprising it's using http (that's the URL present in the files).

I'll check just in case some XML code is resolving it at runtime. IIRC we're using text or Apple APIs for the .plist (not any BCL Xml* classes) but I'll double check (more as an optimization than anything else).


> http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

That's not (directly) from mtouch. Note that downloading an X.509 certificate from http is likely* fine, as the structure itself is signed.

* it depends on how it's used later (but the same is true even if it was downloaded from https).
Comment 10 Sebastien Pouliot 2015-02-25 12:03:17 UTC
I found the case (at XS startup) where parsing an XML document triggered the .dtd to be downloaded. That's done automatically by the .NET framework (but I added extra code to avoid it).

Fixed in maccore/master dc0cba04861853e0fd2dcf3a3a09902367254a8d

The certificate case is not an issue (and it comes from something out of our control).

Thanks again for the details.
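The mechanism described in comments 9 and 10 (a DOCTYPE in every plist pointing at http://www.apple.com/DTDs/PropertyList-1.0.dtd, which the .NET XML parser fetches when DTD processing is on and a resolver is present) is easy to reproduce and to close off. The C# below is an added example, not the maccore fix referenced in comment 10 and not mtouch's code; the plist text is constructed for the demo, and the class names `RecordingResolver` and `PlistDtdDemo` are the example's own. It parses the same document twice: once with a resolver that records, instead of performing, the external fetch (which shows the URI the framework would otherwise request in plaintext), and once with DTD processing ignored and no resolver, which is the hardened configuration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Resolver that never touches the network. It only records every external URI
// the parser asks for and hands back an empty DTD body, so the hidden fetch
// becomes visible without any port-80 traffic. The framework's default
// XmlUrlResolver would issue the HTTP GET at exactly this point.
sealed class RecordingResolver : XmlResolver
{
    public readonly List<string> Requested = new List<string>();

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        Requested.Add(absoluteUri.ToString());
        return new MemoryStream(); // empty external subset: parsing continues normally
    }
}

static class PlistDtdDemo
{
    // Constructed sample: a minimal Info.plist with the DOCTYPE every Apple plist carries.
    const string SamplePlist =
@"<?xml version=""1.0"" encoding=""UTF-8""?>
<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ""http://www.apple.com/DTDs/PropertyList-1.0.dtd"">
<plist version=""1.0"">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.demo</string>
</dict>
</plist>";

    // Unsafe configuration: DtdProcessing.Parse together with a resolver means the
    // external DTD is resolved. Returns the URIs the parser tried to load.
    public static List<string> ParseWithDtdResolution(string xml)
    {
        var resolver = new RecordingResolver();
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = resolver,
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            while (reader.Read()) { }
        }
        return resolver.Requested;
    }

    // Hardened configuration: skip the DOCTYPE entirely and give neither the reader
    // nor the document a resolver, so no URI inside the file can cause a request.
    // DtdProcessing.Ignore (not the default Prohibit) is the right choice for plists,
    // because Prohibit throws on the DOCTYPE that every plist contains.
    public static string ReadBundleIdentifier(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Ignore,
            XmlResolver = null,
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        XmlNode node = doc.SelectSingleNode(
            "/plist/dict/key[.='CFBundleIdentifier']/following-sibling::string[1]");
        return node == null ? null : node.InnerText;
    }

    static void Main()
    {
        foreach (string uri in ParseWithDtdResolution(SamplePlist))
            Console.WriteLine("parser asked to fetch: " + uri); // the apple.com DTD URL
        Console.WriteLine("bundle id (no resolver): " + ReadBundleIdentifier(SamplePlist));
    }
}
```

The detection side of this is the `RecordingResolver`: dropping it into a build tool's XML loading path (in place of the default resolver) lists every external resource the parser would have fetched, which is how a report like the one in this bug can be confirmed or ruled out without a packet capture. Setting `XmlResolver = null` alone already stops the fetch even under `DtdProcessing.Parse`, since the parser silently skips an external subset it cannot resolve, but combining it with `DtdProcessing.Ignore` also removes the DTD as a parsing input altogether.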