André Borie

Freelance Django developer // currently at Bitstocks, previously Teleport, Depop & OpusVL // opinions are always my own.


Working around iOS’ location services permissions

iOS has a pretty good permission system that gives the user granular control over what personal data apps can access - things like location, contacts, calendars, pictures, etc. As far as I know, these permissions are bulletproof - there are no vulnerabilities there per se.

However, there are ways in which apps can work around them and still get access to things they shouldn’t. I feel like there’s a lack of awareness about this and the current permissions UI is dangerously flawed.

Location services and photos

The native Camera app (and presumably third-party ones*) allows you to geo-tag your pictures with the location they were taken at. The idea sounds great in theory, and there isn’t much to be concerned about - your camera app is trusted, right?

The issue is, every single photo you’ve now taken has a location attached, which over time would give an attacker a pretty good idea of your...

Continue reading →


Using a GnuPG smart card, Yubikey/NitroKey for SSH on Mac

Install GnuPG and a decent PIN entry program

$ brew install gnupg2 pinentry-mac

Configure GnuPG

We’ll need to tell GnuPG to use the new PIN entry program as well as enable SSH support for its agent.

In ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/local/bin/pinentry-mac
enable-ssh-support

Start the agent on startup

GnuPG has its own mechanism to start the agent the first time you use it, so explicitly starting the agent is no longer necessary. SSH however does not support this mechanism, so if we want to use the GPG agent as an SSH agent we’ll need to make sure it’s always running. A quick change to your shell’s startup scripts (~/.zshrc.local in my case) takes care of that.

We’re exporting the location of the SSH agent socket and then checking whether a valid UNIX socket exists at that path. If the check fails, we launch gpg-agent. Note that gpgconf is smart enough to not...

Continue reading →


Three phone number leakage vulnerability

TLDR: a vulnerability in the Three network allows any app on your phone to get your mobile number without your consent - switch to the 3internet APN to defend against this.


Today I noticed quite a worrying vulnerability that would allow any app (and potentially any website, provided they break the same-origin policy) to secretly find out your Three mobile number. The privacy implications of this are obvious: an advertiser could thus track you across all apps even if you delete and reinstall the app, and they could also secretly resell that information to data brokers.

It’s been more than a month since I did my best to privately report it to them (and the ICO) without any success, so here’s the vulnerability in all its glory:

http://mobile.three.co.uk/om_services/threeuserinfo/headers?app_id=ThreeAppIphone

Open that URL on any Three phone and you’ll get a (badly formatted) XML...

Continue reading →


Setting an alternative shell in macOS Terminal

After switching to Zsh on my new Mac I noticed a little issue with the built-in Terminal. When using the default Bash shell, the app could tell whether a process (besides the shell) was running in it and present a confirmation if you tried to close the window:


Do you want to terminate running processes in this window?

Switching to Zsh made the terminal think the shell itself was a running process I cared about, and it would ask me for confirmation even if nothing but the shell was running, whereas with Bash it would ignore the shell itself and only ask if something else was running.

At first I thought macOS shipped with a special version of Bash that could tell the terminal whether something else was running in it, but it turns out the solution is simple - there’s a list of processes for which the Terminal would not display a confirmation, and you can configure it:


Just add...

Continue reading →


Strongswan VPN for iOS quick-start guide

Here’s a really basic Strongswan configuration for a single client, authenticated using a PSK. This has been successfully tested with iOS 10 but should work on any other decent OS. It can be useful to secure traffic from public Wi-Fi or a compromised/evil mobile carrier.

Install

Compile and install Strongswan with swanctl support, as most distros’ packages don’t yet have that feature enabled.

Configuration

Save the following as /etc/swanctl/swanctl.conf and adjust it according to your setup. Don’t forget to set a secret PSK.

connections {
    myconn {
        unique = replace
        pools = v4pool, v6pool
        local {
            id = gateway.example.com # server's ID, corresponds to "remote ID" on iOS
            auth = psk
        }
        remote {
            id = someone.example.com # client's ID, corresponds to "local ID" on iOS
            auth = psk
        }
...

Continue reading →


Windows code-signing in 5 minutes or less

Note: this might be unsafe - only use this as a quick reference if you know what you’re doing.

Create the self-signed certificate

Config

Save this into ssl.cfg or similar.

[req]

distinguished_name = req_distinguished_name
req_extensions = default_req_extensions

[req_distinguished_name]
# empty

[default_req_extensions]

basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom

Make the certificate and private key

ssl.cfg refers to the file created above. Adjust the subject as necessary.

openssl req -x509 -newkey rsa -keyout testkey.pem -nodes -days 3650 -sha256 -config ssl.cfg -subj "//CN=Demo code-signing certificate" -out testcert.pem

You can get OpenSSL in either Git for Windows or Cmder.

Create a PFX and import it into your personal certificate store

openssl pkcs12 -export -inkey
...

Continue reading →


Hello world!

Well, here I am on Svbtle, hopefully this time I actually take blogging seriously and not give up after a few weeks.

Fingers crossed!

View →