
InfoTeKS Academy launches Transparent Security contest

InfoTeKS Academy announces the launch of the Transparent Security contest, run in a competition format, whose goal is software that implements a repackaging mechanism for an iOS application together with static code control. The contest runs until November 10; applications for participation are accepted starting today, after registration in the personal account on the project website.


Thanks for the picture AdExchanger!

Many of us use smartphones and tablets today because it is so convenient to book a hotel or a plane ticket through an app, top up a mobile account, use mobile online banking, or pay for coffee. Speaking of coffee: many have probably also heard of Daniel Wood's study of vulnerabilities in the Starbucks iOS application, which found that customer usernames, email addresses, passwords and location data were available in log files written by crash-analytics software.

How many more applications store data in the open and/or promise a protection they do not actually provide? We propose to examine this question in more detail within the framework of the contest.

Participants in the Transparent Security contest are invited to use the following five applications from the Apple App Store as test applications:
1) AnywayAnyday
2) RBKMoney
3) ViaProtect
4) AppMe Chat Messenger
5) McAfee Security

Next, participants are asked to develop a tool that embeds instructions (hooks) into the test applications. The hooks allow the parameters of functions and methods to be analyzed, from local storage to network calls, and make it possible to check (confirm or deny) the reliability of the data-protection mechanisms implemented by the test applications, as well as the very existence of those mechanisms: for example, whether passwords are encrypted or stored in clear text.

Applications submitted to the contest are tested by the organizer. Three prizes are planned; they are awarded according to the largest number of task criteria satisfied. Winners must provide source code that can be retested. Each prize carries a financial reward, the maximum of which is 300,000 rubles.

More details on additional requirements, evaluation criteria and implementation conditions are given below:

Requirements - the application must implement the functionality of inserting a set of "analyzing" instructions into the binary executable code, targeting the selected methods of each application, and must cover the largest possible number of devices and OS versions (iOS 4 - iOS 7.0.3), optionally the simulator. The analyzing instructions should record the parameters of the audited method/function (see below) to a log file and replace them with test values (chosen by the participant and described in the readme), which are also saved to the log file after the original values. It is recommended to use the user's Documents directory as the location of the log file. It is also necessary to provide for exporting the log file from the device to a desktop computer for analysis. Five applications from the Apple App Store are selected as test applications (listed above).

Implementation conditions - the source code, which may use third-party libraries, is compiled by the standard IDE compiler (MS Visual Studio, Xcode 4.6+, GCC 4.8) for each OS; the OS is chosen by the participant. The modified application runs on iOS 4+ on a jailbroken device (iPhone/iPad).

Evaluation criteria - participants submit a technical description and compiled files for the contest. A modified iOS application should not increase resource usage by more than 10% compared with the original; the utility for modifying an iOS application should not use more than 500 MB of RAM. Testing is conducted by the organizers; the results are recorded and published in the overall standings (test system: Win7, Intel Core i7 3 GHz, 8 GB RAM). Evaluation is performed for the specified OS versions (iOS 4+) and for each type of device (iPhone, iPad). The final score is the weighted average of all indicators, favoring the smallest amount of resources used and the widest OS version support. The evaluation of each participant's implementation parameters is publicly available.

Methods / functions for analysis (those applicable to each application are selected):

1) Methods for saving and loading data/files to local files and/or a database
2) Methods for saving and loading data to/from backup files
3) Data protection methods (encryption/decryption), for example for messages (when sending and receiving), for interaction with a protected address book (creating, deleting, changing a contact record), and for protecting passwords or other sensitive information
4) Methods of sending messages and receiving contact information
5) Methods used when performing login activities (login, password, PIN codes, etc.)
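As an added illustration of the hooking approach described in the Requirements paragraph and the method list above (this is example code written for this page, not code from InfoTeKS Academy or from any contest entry), the following Objective-C dylib swizzles -[NSUserDefaults setObject:forKey:], one of the local save methods covered by item 1 of the list. It writes the original arguments to a log in the app's Documents directory, substitutes a test value, logs that as well, and then calls the original implementation. The log file name audit.log, the category name, the ts_ prefix and the TEST_VALUE placeholder are assumptions; loading the dylib into the test application's process on the jailbroken device is left to whatever loader the entrant uses.

```objective-c
// Added example: audit hook for -[NSUserDefaults setObject:forKey:].
// Not part of the contest announcement or of any entrant's submission.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Path of the audit log in the user's Documents directory (file name assumed).
static NSString *AuditLogPath(void) {
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                         NSUserDomainMask, YES);
    NSString *docs = [paths count] ? [paths objectAtIndex:0] : NSTemporaryDirectory();
    return [docs stringByAppendingPathComponent:@"audit.log"];
}

// Append one line to the audit log, creating the file on first use.
// Uses NSFileHandle only, so logging never re-enters the hooked method.
static void AuditAppend(NSString *line) {
    NSString *path = AuditLogPath();
    NSFileManager *fm = [NSFileManager defaultManager];
    if (![fm fileExistsAtPath:path]) {
        [fm createFileAtPath:path contents:nil attributes:nil];
    }
    NSFileHandle *fh = [NSFileHandle fileHandleForWritingAtPath:path];
    [fh seekToEndOfFile];
    NSString *record = [line stringByAppendingString:@"\n"];
    [fh writeData:[record dataUsingEncoding:NSUTF8StringEncoding]];
    [fh closeFile];
}

@implementation NSUserDefaults (TransparentSecurityAudit)

// Replacement implementation. After the exchange below, a call to
// ts_setObject:forKey: from inside this method reaches the ORIGINAL
// setObject:forKey:, so the app's own behaviour is preserved.
- (void)ts_setObject:(id)value forKey:(NSString *)key {
    // 1. Record the original parameters (this is what reveals clear-text storage).
    AuditAppend([NSString stringWithFormat:@"setObject:forKey: key=%@ original=%@",
                 key, value]);

    // 2. Substitute a test value, as the contest requires; the placeholder is
    //    an assumption and would be documented in the entrant's readme.
    id testValue = [value isKindOfClass:[NSString class]] ? @"TEST_VALUE" : value;

    // 3. Record the substituted value after the original one.
    AuditAppend([NSString stringWithFormat:@"setObject:forKey: key=%@ replaced=%@",
                 key, testValue]);

    // 4. Hand off to the original implementation.
    [self ts_setObject:testValue forKey:key];
}

@end

// Runs when the dylib is loaded into the test application's process and
// exchanges the two implementations (method swizzling).
__attribute__((constructor))
static void TSInstallHooks(void) {
    Class cls = [NSUserDefaults class];
    Method original = class_getInstanceMethod(cls, @selector(setObject:forKey:));
    Method replacement = class_getInstanceMethod(cls, @selector(ts_setObject:forKey:));
    if (original && replacement) {
        method_exchangeImplementations(original, replacement);
        AuditAppend(@"hook installed: -[NSUserDefaults setObject:forKey:]");
    } else {
        AuditAppend(@"hook NOT installed: selector lookup failed");
    }
}
```

Because the stored value is replaced (as the task statement requires), the test application will behave differently after the capture run, so an entrant would keep the substitution switchable and compare the log against a run without it. The same pattern applies to the other items in the list: the entrant identifies, per application, which classes and selectors perform backup writes, encryption, message sending or login, and installs one swizzled pair per selector.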

We are waiting for your applications! Site - academy.infotecs.ru

Source: https://habr.com/ru/post/225817/


All Articles