
Consider this hypothetical situation:

Bob and Eve's apps are installed on the same iPhone. Bob's app is running and binds to localhost:8080 to listen for AJAX calls from its own UIWebView. Eve's app runs in the background and tries to interfere with Bob's app by making AJAX calls to localhost:8080.

Two questions:

  1. Assuming Eve's app knows Bob's AJAX API, will her calls be successful? (i.e. does iOS sandbox traffic on localhost?)

  2. Is it possible for Eve's app to sniff the traffic Bob's app is generating?

Ryan J. Thompson
  • That's... a very good question. Scarily good. – RonLugge Dec 05 '12 at 23:23
  • Wow.. that's interesting. I did some searching and couldn't find an immediate answer. If you find out, post the answer as I would like to know. I would assume it is sandboxed, as this seems like a bit of an oversight if it is not. – Bergasms Dec 05 '12 at 23:28
  • Try it. The best way to get an answer to this is to throw together two such apps and see what happens. – rmaddy Dec 05 '12 at 23:42

1 Answer

  1. If Bob's app is running, yes, Eve's app can connect to it.

There are two possible ways for this to happen. Either Bob's app is in the foreground and Eve's app connects to it from the background, given that Eve's app is running in the background; or Bob's app is running in the background and Eve's app connects to it from the foreground.

By default, iOS suspends apps in the background. If the app makes use of background execution and continues to run in the background, it can access the network as usual.

You may want to read "Beyond The Basics" in Apple's technical notes on Networking and Multitasking

  2. Sniffing traffic requires root access; it cannot be done unless Eve's app is a jailbroken app.

In the section "BSD (including Mac OS X)" of the article Wireshark CapturePrivileges, it states that on BSD systems we need to have permission to access BPF devices to capture packets (read: sniff network traffic). Only root (or any superuser) can access the BPF devices, or grant permission to any other user to access them.

howanghk
  • Excellent answer. This confirms my suspicions. Jailbroken apps are my primary concern here, so this is very pertinent information. It seems that if Bob were concerned about this, his best option would be to secure the traffic using HTTPS or the like. – Ryan J. Thompson Dec 06 '12 at 06:10
  • Since this has security implications (a malicious app connecting to another app's server, or spoofing another app's server in the background so the victim connects to the backgrounded malicious server), do you know if Apple has ever addressed it? I know that, for example, Win10 apps (including on phones) have sandboxed networking by default; has Apple added something similar? – CBHacking Dec 19 '16 at 20:03
  • Only if apps are in the same app group is socket IPC possible. Berkeley sockets are file descriptors and these files are sandboxed. See also https://stackoverflow.com/a/53011775/490488 – Garvan Keeley Oct 26 '18 at 15:21
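The accepted answer's premise is that binding to localhost gives Bob no idea who is on the other end of the socket: any local process that can reach the port looks identical at the TCP layer. The following Python example (added here as an illustration, not code from the question, the answer, or Apple) models that situation on a desktop machine rather than on iOS, and shows the mitigation a practitioner would reach for alongside TLS: a per-launch random token that Bob's app generates at startup and hands only to the page loaded in its own web view, so that Eve's request, which knows the API path but not the secret, is refused. The header name `X-Launch-Token`, the `/api/status` path and the token scheme itself are assumptions for the demo. TLS alone would not stop Eve from connecting; it only protects the bytes in transit, so some form of request authentication is still needed.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.request


def new_launch_token():
    # Hypothetical per-launch secret (assumption, not from the thread): Bob's
    # app would generate this when it starts and inject it into the page it
    # loads in its own UIWebView, e.g. as a JavaScript variable.
    return secrets.token_urlsafe(32)


class BobHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # A loopback bind says nothing about WHO is connecting; every local
        # process reaching this port looks the same, so authenticate each request.
        if self.headers.get("X-Launch-Token") != self.server.launch_token:
            self.send_response(401)
            self.end_headers()
            return
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_bob_server():
    """Bind the loopback interface on an ephemeral port (standing in for Bob's
    app binding localhost:8080). Returns (server, port, token)."""
    token = new_launch_token()
    srv = http.server.HTTPServer(("127.0.0.1", 0), BobHandler)
    srv.launch_token = token
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1], token


def call_api(port, token=None):
    """Issue the AJAX-style GET the web view would make; returns the HTTP status.
    With token=None this plays Eve, who knows the path but not the secret."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/api/status")
    if token is not None:
        req.add_header("X-Launch-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def demo():
    srv, port, token = start_bob_server()
    try:
        # Eve: TCP connect succeeds (loopback is not partitioned per process
        # here), but the request is refused for lack of the per-launch token.
        eve = call_api(port)
        # Eve again, guessing a token: still refused.
        eve_guess = call_api(port, "guess")
        # Bob's own web view, which was handed the token at page load.
        bob = call_api(port, token)
        return {"eve": eve, "eve_guess": eve_guess, "bob": bob}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Run it with `python3 localhost_demo.py`; Eve's two calls return 401 and Bob's returns 200. The token only helps as long as Eve cannot read it out of Bob's process or page; on the jailbroken devices the asker was worried about, that assumption may not hold, which is why the comments above treat the whole loopback channel as untrusted.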