The Hidden Dangers Lurking in Your Pocket – Pwning Apple Wallet ecosystem and its apps

Apple Wallet offers a convenient solution for users to store their boarding passes, tickets, reward cards, coupons, and gift cards in a single location. These features are dependent on the PassKit APIs in iOS and watchOS apps. However, the question remains whether the system performing validation can have confidence in these APIs.

For passes to be recognized by the Wallet app, they must be signed with an Apple-issued certificate that is associated with the team’s Apple developer account. These passes can only be accessed by apps that are developed by the development team and have the appropriate entitlements. The talk is split into two sections. The first part discusses a Time-of-Check-to-Time-Of-Use (TOCTOU) vulnerability found in the Apple Wallet application. This vulnerability allows for the bypassing of the solution’s integrity check requirements, meaning that the signature verification of an installed pass can be bypassed in order to tamper with the contents of the pass. Despite being reported to Apple, they dismissed this vulnerability.

In the second part of the talk, it is assumed that even if the previous vulnerability is not exploitable, many wallet applications (excluding Apple Pay) are still vulnerable to various wallet-specific issues that may compromise user data and sensitive information. The author analyzed tens of wallet applications and discovered that they are susceptible to pass-tampering attacks, user impersonation, and other authorization flaws due to not adhering to application security best practices. For instance, attackers could obtain additional privileges by tampering with boarding passes, hijack store reward cards, or distribute fake gift cards. Following responsible disclosure processes, all of these issues were reported to their respective teams, and some of them have been resolved.

Lastly, we will examine the defenses against these attacks and discuss the importance of following secure development practices.

Attendee Takeaways

1. Novel, 0-day exploits threats abound. Security Engineers will appreciate the author’s approach to holistic hunting of security threats, which involves a comprehensive and proactive strategy for detecting and mitigating these risks.
2. Product developers need to exercise caution when relying on the foundation of a technology, such as Apple’s Wallet app.
3. Application security principles still apply to apps developed for the wallet ecosystem. Attendees will learn more about the integration of their apps with the wallet ecosystem and how to avoid potential pitfalls.