Tuesday, August 16, 2016

iOS Format String Attacks

Validating and sanitizing user input is important and mandatory in any application that accepts it, because the person using our application is the least trusted source of input.

All text-field entries should be validated or sanity checked. Some examples are:

  • Empty text entry
  • Spaces at the beginning and ending (Trimming)
  • Restricted characters (phone number shouldn't contain alphabets)
  • Special characters
  • Email validation
  • Proper length checking

If we use these text entries inside our app, or send them to the server as parameters, without validating them, the application will certainly go out of our control.

Especially in the case of strings, we should always state the format explicitly. Otherwise attackers get a chance to supply a format string of their own.

Let's see some examples of string attacks.

I have a search text field and I need to store the user's search strings for auto-fill.

    NSString *searchStr = self.searchTF.text;

I haven't validated the search string and am just logging it here for the demo, though in practice we would send it to the server for logging. Let's see the NSLog output if the user enters 'iPhone \n  iPad \n iPod' (obviously there will be no search results for it):

    App user searched for iPhone
    App user searched for iPad
    App user searched for iPod

This is the output of the malformed search string supplied by an attacker: one search has turned into three log lines. Let's say these are stored in the server logs. When you take a report, it will obviously show wrong statistics, because we did not validate the user input.

In the same way, what if the user enters '%x%x%x' as the search string and we use it without validating or formatting it?

    NSString *searchStr = @"%x%x%x";
    NSLog(searchStr);      // 4f06800

It prints application memory contents, which is a security breach. Using a crafted format string, attackers can read from, write to, or destroy data in application memory.

To avoid all of this, it is good practice to always validate or sanitize input data and to use the format specifier %@ when displaying or otherwise using strings.

In the above case, if we use the format specifier (%@),

    NSString *searchStr = @"%x%x%x";
    NSLog(@"%@",searchStr);    // %x%x%x

This prints exactly what the user entered in the search field.

Not only in log statements: wherever we use a string format, such as

  • stringWithFormat:
  • initWithFormat:
  • appendFormat:

it is good practice to supply the format explicitly and pass the user's text as an argument.
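The following is an added example, not code from the original post. It puts the two cases above together in one small program: a hypothetical `SanitizedSearchString` helper (an assumed name, not part of any Apple API) trims the text, folds embedded newlines into spaces so that one search cannot become several log lines, and caps the length (the 100-character limit is an assumed value); `SearchLogLine` then builds the log record with a constant format string and `%@`, so `%x%x%x` is printed verbatim instead of being interpreted.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper (assumed, not from the post or from Foundation):
// normalise a search string before it is logged or sent to the server.
//  - trims leading/trailing whitespace
//  - folds embedded newlines/carriage returns into single spaces,
//    so one search entry cannot be split into several log lines
//  - caps the length so a huge string cannot flood the log
static NSString *SanitizedSearchString(NSString *raw, NSUInteger maxLength) {
    if (raw == nil) {
        return @"";
    }
    NSString *trimmed = [raw stringByTrimmingCharactersInSet:
                         [NSCharacterSet whitespaceAndNewlineCharacterSet]];
    NSArray<NSString *> *lines = [trimmed componentsSeparatedByCharactersInSet:
                                  [NSCharacterSet newlineCharacterSet]];
    NSMutableArray<NSString *> *parts = [NSMutableArray array];
    for (NSString *line in lines) {
        NSString *piece = [line stringByTrimmingCharactersInSet:
                           [NSCharacterSet whitespaceCharacterSet]];
        if (piece.length > 0) {
            [parts addObject:piece];   // drop the empty pieces left by "\r\n"
        }
    }
    NSString *joined = [parts componentsJoinedByString:@" "];
    if (joined.length > maxLength) {
        joined = [joined substringToIndex:maxLength];
    }
    return joined;
}

// Builds the log record the way the post recommends: the user's text is an
// argument for %@, never the format string itself.
static NSString *SearchLogLine(NSString *searchStr) {
    return [NSString stringWithFormat:@"App user searched for %@", searchStr];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Constructed inputs mirroring the two cases in the post.
        NSString *multiLine  = @"iPhone \n  iPad \n iPod";
        NSString *formatSpec = @"%x%x%x";

        // Unsafe (kept only as a comment so this program stays safe):
        // using the user's text as the format string. With multiLine it
        // produces three log lines; with formatSpec it prints memory contents.
        // NSLog(formatSpec);

        // Safe: %@ prints the text verbatim, so "%x%x%x" stays "%x%x%x".
        // Note that %@ is used here as well as inside SearchLogLine: the
        // returned record still contains the user's text, so it must never
        // be passed to NSLog as the format either.
        NSLog(@"%@", SearchLogLine(formatSpec));

        // Safe and sanitized: the multi-line entry becomes one record.
        NSString *clean = SanitizedSearchString(multiLine, 100);
        NSLog(@"%@", SearchLogLine(clean));
    }
    return 0;
}
```

Compile it with `clang -framework Foundation` and run it: the first record reads `App user searched for %x%x%x` and the second `App user searched for iPhone iPad iPod`, a single line instead of three. The same `%@` rule applies at every layer that touches the string: the record returned by `SearchLogLine` is itself untrusted, so it is passed to `NSLog` as an argument too. As a compile-time check, clang's `-Wformat-security` warning flags a call such as `NSLog(searchStr)` whose format is not a string literal, so it is worth enabling in the project's build settings.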

Hope this post is useful. Feel free to comment in case of any queries.