Rating: Informational
Description:
The app contains a developer menu functionality which can be used for
additional debugging and testing. This functionality is only intended
to be used in Debug and Release builds, not AppStore builds. For this
there is a compile-time check that influences the return value of the
isAllowed() function. In case of an AppStore build, this function
will return false. However, the implementation of the developer menu
will still be present in the AppStore variant. A user or an attacker
with root privileges can modify this function to return true and thus
activate the developer menu in the AppStore version of the app. To
mitigate this, the developer menu should not be compiled into the
AppStore variant of the app in the first place.
Proof of Concept:
The implementation of the isAllowed() function can be found in the
DMDeveloperMenu.swift file starting from line 70:
    private func isAllowed() -> Bool {
        #if RELEASE || DEBUG
        return true
        #else
        return false
        #endif
    }
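The mitigation named in the description, as an added example that is not part of the original issue or the project's code: the whole menu implementation sits inside the compilation condition, so an AppStore build contains no developer menu code at all. The names `DeveloperMenuPresenting`, `DeveloperMenu` and `makeDeveloperMenu` are hypothetical; `RELEASE` and `DEBUG` are the conditions quoted above.

```swift
import Foundation

// Hypothetical names (DeveloperMenuPresenting, DeveloperMenu, makeDeveloperMenu);
// RELEASE and DEBUG are the compilation conditions quoted in the issue.

/// The only developer-menu symbol that exists in every build variant.
protocol DeveloperMenuPresenting {
    func show()
}

#if RELEASE || DEBUG
/// Compiled only into Release and Debug builds. In an AppStore build this
/// type and its methods are never emitted, so there is no isAllowed()-style
/// return value guarding code that is still present in the binary.
final class DeveloperMenu: DeveloperMenuPresenting {
    private let entries: [String]

    init(entries: [String]) {
        self.entries = entries
    }

    func show() {
        for entry in entries {
            print("developer menu entry: \(entry)")
        }
    }
}
#endif

/// Single call site shared by all variants. The AppStore branch has nothing
/// to construct, so it returns nil instead of consulting a runtime flag.
func makeDeveloperMenu() -> DeveloperMenuPresenting? {
    #if RELEASE || DEBUG
    return DeveloperMenu(entries: ["constructed sample entry"])
    #else
    return nil
    #endif
}

if let menu = makeDeveloperMenu() {
    menu.show()
} else {
    print("developer menu not compiled into this build")
}
```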
We require this menu to be available for a couple more days since it will be useful during testing.
The app is using two different sets of entitlements:
App Store Builds

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.exposure-notification</key>
        <true/>
    </dict>
    </plist>

Release and Debug Builds

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.exposure-notification-test</key>
        <true/>
        <key>com.apple.developer.exposure-notification-test-skip-file-verification</key>
        <true/>
        <key>com.apple.developer.exposure-notification</key>
        <true/>
    </dict>
    </plist>

Thus what the app can do is limited on an OS level already.
The developer menu is not able to do anything the user could not do otherwise. Getting access to the developer menu is harder than just sending the corresponding HTTP/s requests using a standard HTTP/s client. So even if we remove any traces of a developer menu from the code base you would still be able to do everything the developer menu can.
I am closing this issue. If you feel this is incorrect please simply reopen.
Thank you very much.
We fully understand that this issue is due to the development phase of this project.
Please consider this issue as a reminder to ensure that this will not make it into production.
Please leave this issue open until it is resolved in the version we are testing.
Thank you very much
Proof of Concept:
The implementation of the isAllowed() function can be found in the DMDeveloperMenu.swift file:
    private func isAllowed() -> Bool {
        true
        // #if RELEASE || DEBUG
        // return true
        // #else
        // return false
        // #endif
    }
Thanks very much for bringing this issue up again. We will put this on our checklist that will be used during the release prep. This issue will remain open until we have completed the checklist.
Hi, I have some experience in developing a big banking app. We build 2 different versions of our app for this: one for the App Store with disabled function (including logging) and one for testing with an Apple enterprise account and a different bundle ID. Maybe this could be a solution.
I can support you on this if needed.
thanks
andreas
@BSI-TF-CWA can you confirm that #484 fixes this?