iPhone’s Theme It Store – How Not to Implement Security

Hello all,

In this writeup, I will be providing proof that the owner/developer(s)/company that runs Theme It has developed an insecure iPhone and web application.  The only reason I am releasing this information before a fix has been made is because the owner/developer(s)/company has ignored repeated attempts to get into contact with them.

A while ago I wrote about the web front end to the jailbroken iPhone’s theme store.  There were a number of issues that I pointed out, and some issues have been fixed.  Unfortunately, not all have, and the issues that have been still leaves your account vulnerable.

When first talking with the Theme It team, their reason for not securing their application was because “we are not a bank“.  Any business/store that performs financial transactions should ensure its customer data is secured, both at rest and in transit.

While I obviously do not have access to Theme It’s back-end database to view how records are stored, we all have access to information sent to Theme It, and I can show you how Theme It does not protect user information.  In fact, it is left clear-text for any person to sniff and steal user login information.

The Theme It team previously mentioned that “96% of its users don’t use the website” implying that they use the Theme It iPhone application.  After reviewing the information transmitted from the Theme It app to its servers, it can be said that the application has not taken any steps to secure customer data (at the time of this writing).

To test, I simply had my iPhone join a network, and then had the iPhone open up the Theme It app, and connect with my account.  What you see below is what any person sniffing traffic can see:

If you look at the information captured, you can see that nothing has been encrypted.  The “pseudo” variable is your username, “password” is the password for your account, “device_id” is the UDID for your iPhone, “device_type” would be the type of iPhone you have, and “device_os” is what version of iOS you are running on your iPhone.

Any person on the network that the iPhone is transmitting on can sniff, intercept this traffic, and use its information to take over the customers account. Point being, the Theme It app does not take any steps to secure your personal information as it is being sent.

The Theme It Store also has a website that they allow users to connect to, purchase themes, administer their account, etc.  I wrote about their website a few months ago informing users how all information that is transmitted to their server is in clear-text and can be sniffed by an attacker (this included username and password).  The web site still transmits information in clear-text that can be sniffed.  With the information that is sent to the Theme It website, any attacker is able to perform what is called a replay attack.  What this means is that I can use the information I just sniffed from a customer logging in, send the exact same information to the Theme It server, and then be logged in with full control of the customers account.  The picture below shows a successful replay of captured information on the test account I created:

To fix this issue, the easiest thing that the Theme It company can do is get a certificate which will allow a secure/encrypted connection directly to the server Theme It uses.  If the company were to purchase a certificate, it would mitigate all attacks I have shown in this writeup.

I stated in multiple messages to both @fif7y and the official Theme It twitter account that I found their application is sending everything in clear-text, and that their web application is still vulnerable due to a lack of security.  I have yet to see a fix or hear back from either.  Hopefully we can see some security updates to their applications soon.

Leave a Reply