CIR-01-009 WP1: User DoS via DNS Spoofing on iOS & Android (High)

It was found that the Android and iOS apps are vulnerable to DoS attacks via spoofing of the DNS names used to reach the backend. Attackers able to tamper with clear-text network traffic (e.g. on an open Wi-Fi network without client isolation, via BGP hijacking, an ISP-level MitM or a malicious resolver) can leverage this weakness to prevent legitimate app users from reaching the system: the app resolves the backend hostname over unauthenticated DNS and uses whatever address comes back, so a forged answer is accepted without any further check. In a worst-case scenario, an attacker spoofing DNS at scale could prevent all Circulo users from notifying their peers and trusted authorities of danger.

This issue was confirmed by pointing the DNS settings of the test iOS and Android devices at an attacker-controlled DNS server running dnschef (i.e. to simulate DNS spoofing), which answered queries for the backend domain with a bogus, non-routable address as follows:

Command:

./dnschef.py -i 192.168.1.6 --fakeip 0.0.0.0 --fakedomains "casa.encirculo.org"

Corresponding Logcat Output:

09-20 14:10:58.643  1132  1200 E SYNC/SyncThread: Caused by: java.net.ConnectException: Failed to connect to casa.encirculo.org/0.0.0.0:443
09-20 14:11:08.727  1132  1207 V FormattedJsonHttpLogger: --> GET https://casa.encirculo.org/_matrix/client/r0/sync?filter=0&set_presence=online&timeout=0&since=s64557_11405184_90_9265_15469_5411_4931_33734_0_1
09-20 14:11:08.763  1132  1207 V FormattedJsonHttpLogger: <-- HTTP FAILED: java.net.ConnectException: Failed to connect to casa.encirculo.org/0.0.0.0:443

This issue occurs because all backend communication is built on top of plain, unauthenticated DNS: the hostname of the Matrix homeserver is resolved through the system resolver over clear-text port 53, and whatever address is returned is used for the TLS connection. TLS certificate validation can only reject a wrong peer once a connection has been established, so a forged answer that points at an unreachable address is already enough to break the app. An example of this can be seen in the output of the command below, run against the iOS app sources, which shows that none of the iOS 14 encrypted name resolution APIs are used anywhere (explained in the mitigation guidance below):

Command:

egrep -Ir '(NWParameters|PrivacyContext)' * | wc -l 

Output:

0

It is recommended to switch to DNS over HTTPS (DoH) to mitigate these types of attacks. This removes clear-text DNS resolution, with its associated privacy and security problems, from the app's backend communication: queries and answers travel inside an HTTPS session to a trusted resolver and thereby inherit the confidentiality and integrity protections of TLS, so an on-path attacker can no longer forge answers. Note that DoH authenticates the path to the resolver, not the resolver itself; the resolver must therefore be one the project trusts, and its IP address should be configured as a bootstrap address so that the resolver's own hostname is never looked up over clear-text DNS. An attacker in full control of the network can still block traffic outright, but can no longer silently redirect it. On iOS, since iOS 14 Apple allows developers to require encrypted name resolution via NWParameters.PrivacyContext (requireEncryptedNameResolution, with an HTTPS fallback resolver); it is also possible to implement DoH at the app level in a way compatible with older iOS versions. On Android, DoH can be easily deployed via the okhttp-dnsoverhttps module, which is implemented in Kotlin and can alternatively serve as a reference for a custom implementation.
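As an added example, not code from the Circulo project or the original report, the following Kotlin shows how the Android client could be wired to the okhttp-dnsoverhttps module so that the backend hostname is resolved over DoH rather than through the device's (spoofable) system resolver. The resolver URL https://dns.google/dns-query, its bootstrap addresses 8.8.8.8 and 8.8.4.4, and the /_matrix/client/versions probe endpoint are assumptions standing in for whatever resolver and health check the project chooses; casa.encirculo.org is taken from the log output above.

```kotlin
import okhttp3.Cache
import okhttp3.Dns
import okhttp3.HttpUrl.Companion.toHttpUrl
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.dnsoverhttps.DnsOverHttps
import java.io.File
import java.net.InetAddress
import java.net.UnknownHostException

/**
 * Builds an OkHttpClient whose name resolution goes over DoH instead of the
 * system resolver. Assumption: Google Public DNS is used as the example
 * resolver; swap in the resolver the project actually trusts.
 */
fun buildDohClient(cacheDir: File): OkHttpClient {
    // Bootstrap client used only to talk to the DoH endpoint. Its disk cache
    // lets DNS answers be reused according to their TTL.
    val bootstrapClient = OkHttpClient.Builder()
        .cache(Cache(File(cacheDir, "doh-cache"), 10L * 1024 * 1024))
        .build()

    val doh: Dns = DnsOverHttps.Builder()
        .client(bootstrapClient)
        .url("https://dns.google/dns-query".toHttpUrl())
        // Fixed addresses for the resolver itself, so that "dns.google" is
        // never looked up through clear-text DNS. Without this the spoofing
        // vector described in the finding would simply move to the resolver
        // hostname. getByName() on a literal IP performs no lookup.
        .bootstrapDnsHosts(
            InetAddress.getByName("8.8.8.8"),
            InetAddress.getByName("8.8.4.4")
        )
        .build()

    // Application client: every request resolves hostnames through DoH and
    // is still protected by regular TLS certificate validation on top.
    return bootstrapClient.newBuilder().dns(doh).build()
}

/** Resolves the backend hostname through the client's DoH resolver. */
fun resolveBackend(client: OkHttpClient, host: String = "casa.encirculo.org"): List<InetAddress> =
    client.dns.lookup(host)

fun main() {
    val client = buildDohClient(File(System.getProperty("java.io.tmpdir")))
    try {
        val addresses = resolveBackend(client)
        println("DoH answer for casa.encirculo.org: $addresses")

        // Assumed unauthenticated probe endpoint; the real app would route
        // its Matrix /sync traffic through this same client.
        val request = Request.Builder()
            .url("https://casa.encirculo.org/_matrix/client/versions")
            .build()
        client.newCall(request).execute().use { response ->
            println("HTTP ${response.code}")
        }
    } catch (e: UnknownHostException) {
        // With DoH in place, a failure here means the resolver itself was
        // unreachable, not that an on-path attacker handed the app a forged
        // address such as the 0.0.0.0 seen in the Logcat output above.
        println("DoH resolution failed: ${e.message}")
    }
}
```

The Matrix SDK and any other HTTP stack in the app must be constructed on top of the client returned by buildDohClient rather than a default OkHttpClient, otherwise those code paths keep using the system resolver. Under the dnschef setup described above, the spoofed 0.0.0.0 answer is no longer consumed because the app's queries go straight to 8.8.8.8:443 over TLS instead of to the device's configured DNS server; an attacker who blocks that address can still cause a DoS, which is the residual risk DoH does not remove.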

Edited by Benjamin Erhart