Friday, May 3, 2013

The Mailbox security failure that wasn’t

iMore.com. By Nick Arnott, Monday, Apr 29, 2013 at 9:38 pm


A few days ago it was reported that the popular Mailbox app was falling short on protecting user data. Developer Subhransu Behera published a post on his blog outlining what he considered to be security failures on the part of Mailbox.

Using iExplorer, Subhransu was able to extract the SQLite database out of Mailbox and view its contents, which consisted of all of the contact information and emails from the app. The article concluded that Mailbox needs to be doing more to secure this user data, specifically by employing methods in the iOS SDK that would prevent this data from being accessed with tools like iExplorer. After the post was shared on Hacker News, a number of people reported trouble reproducing Subhransu’s results.

This isn’t the first time we’ve seen confusion about this sort of thing. Not too long ago there was a lot of fuss about an iOS lock screen bypass bug that exposed the device’s filesystem. It turned out that claim wasn’t at all accurate. The cause of confusion over that lock screen bypass may be the same source of the confusion here.

When you plug your iPhone, iPad or iPod touch into a computer for the first time, the device and the computer pair: they exchange keys that allow the two to talk to each other, and the computer keeps its copy of that pairing record on disk. If the device has a passcode set the first time you plug it in, iTunes shows an alert saying you need to enter the passcode on the device first. This is because the device’s contents are encrypted and, until it is unlocked, iTunes (or any other app for that matter) has no way to read them. Once you enter the passcode, the device and computer can exchange keys as described, and only then can they start communicating. Because the computer keeps those keys, the device will talk to that same computer again later even while it is locked, so iTunes (along with other apps such as iExplorer) can still read it.

This causes confusion when somebody plugs a locked device into a computer it has been plugged into before. The misconception is that, because a locked device plugged into that computer is readable, its contents would be readable on any computer it is plugged into; that is not the case. If you lost your phone on the street and somebody picked it up, took it home, plugged it into their computer and fired up iExplorer, they would just see a screen telling them to plug in a device. iExplorer has no way to talk to the device until it has been unlocked while connected to that computer and the keys have been exchanged. The flip side is that the pairing record on your computer is exactly what grants that access, so it deserves the same care as any other credential. You can reproduce this behavior on a computer the device has already been paired with by going to the '/private/var/db/lockdown' directory on the computer ('%AllUsersProfile%\Apple\Lockdown\' on Windows) and deleting the plist file in that directory that has your device’s UDID in the filename; plug the locked device back in and it is once again unreadable until you unlock it.
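The pairing-record check described above, written out as a small POSIX shell script. This is an added example, not code from the iMore article or from Apple: it assumes the layout the article describes (one plist per paired device, named after the device UDID, in /private/var/db/lockdown on a Mac), treats a filename made only of hex digits and hyphens as a UDID, and reads the LOCKDOWN_DIR variable as a hypothetical override so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Audit and revoke pairing records that let a computer talk to a locked iOS device.
# Added example, not from the article. Assumes the article's layout: one
# <UDID>.plist per paired device in /private/var/db/lockdown (macOS).

# Directory holding the pairing records. LOCKDOWN_DIR is a hypothetical
# override used so the functions can be run against a scratch directory.
lockdown_dir() {
    if [ -n "${LOCKDOWN_DIR:-}" ]; then
        printf '%s\n' "$LOCKDOWN_DIR"
    else
        printf '%s\n' /private/var/db/lockdown
    fi
}

# Print the UDIDs this computer holds pairing records for, one per line.
# Records are named after the device UDID (hex digits, newer ones with a
# hyphen); host-level files such as SystemConfiguration.plist are skipped.
list_paired_udids() {
    dir=$(lockdown_dir)
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .plist)
        case "$name" in
            *[!0-9a-fA-F-]*) continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Delete the pairing record for one UDID. Afterwards that device must be
# unlocked and re-paired before iTunes, iExplorer or any other tool on this
# computer can read it again. Returns 0 if a record was removed, 1 if none existed.
unpair_udid() {
    udid=$1
    rec="$(lockdown_dir)/$udid.plist"
    if [ -f "$rec" ]; then
        rm -f -- "$rec"
        return 0
    fi
    return 1
}

# Stand-alone usage: list what this machine is paired with, then revoke one.
# Example (UDID is a placeholder):
#   list_paired_udids
#   unpair_udid 0123456789abcdef0123456789abcdef01234567
```

On a real Mac the lockdown directory is owned by root, so listing or deleting there may need sudo. libimobiledevice's `idevicepair list` and `idevicepair unpair` do the same job against a connected device, which is handy when you want the device's view of the pairing rather than the host's.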

This of course raises the question of what happens with a device that doesn’t have a passcode. It’s true that somebody could copy the SQLite database off in that scenario, but it’s equally true that the same person could just launch the Mailbox app and read the same information in the app itself. Mailbox could add a little extra protection by encrypting the locally stored database. (The iOS Data Protection classes such as NSFileProtectionComplete only help once a passcode is set, since the keys they depend on are derived from it; on a passcode-less device the app would have to manage its own key.) That would mean an attacker who momentarily had access to an unlocked device could not simply copy the database off and take their time looking through it later. However, it’s debatable whether lacking such protection qualifies as a security fail, and it’s certainly questionable whether it warrants deleting the app from your device as Subhransu did, especially when you have already trusted a third-party service with access to your email accounts and with storing your email on its servers in the first place.

Not to mention that Gmail’s own iPhone app stores cached email in pretty much the same way.

Nick Arnott

Security editor, breaker of things, and caffeine savant. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.

There are 3 comments.

asuperstarr says: Apr 30, 2013 at 6:43 pm

Glad I decided against this app!

Allyson Kazmucha says: Apr 30, 2013 at 8:53 pm

Did you even read the article?

subhransu says: Apr 30, 2013 at 11:29 pm

@Nick, there's another interesting fact behind this though. Some people choose to enable the passcode after a few minutes (http://i.imgur.com/A9TR486.png). This is different from the normal lock screen. The lock screen just turns off the display of your phone, so if the passcode is not set to be required immediately (let's say it's set to 15 mins), within that period data can be extracted from the device using iExplorer or similar tools. It's definitely true one can read emails directly in the app if the device is not locked, but reading emails vs. copying contents (including contacts, attachments, etc.) are two different things.
