
What happens when you lose your iPhone

Last month we gave an ethical hacking demo at "The Future of Mobile Payments" in Leuven. We connected an iPhone 4 to a laptop with the tool "iPad Explorer" and were able to copy the following information from the iPhone in clear text, i.e. readable by anyone:

1. All Gmail messages, stored unencrypted in a SQLite database by the Gmail app

2. All Office 365 mails, stored unencrypted in a SQLite database by Microsoft's OWA app

3. Property files of mobile apps for popular web applications, containing the username and password in clear text

4. Log files containing IP addresses of Voice-over-IP calls

5. Screenshots

6. Photos and videos

7. Anything else you may have stored on the device

8. All your locally stored Dropbox content

Somebody in the audience commented: "I have a passcode on my Dropbox app to protect against unauthorized access to the data, so this should not be possible". So we set a passcode in the Dropbox app, locked the iPhone and browsed to the Dropbox app's content from the laptop. Nothing was encrypted, and all local data could be copied!

Yesterday, during a "mobile security workshop" at a customer, we did the same thing with the customer's iPhone 5. The difference with this device was that it had never been connected to iTunes on the laptop, so we assumed a PIN code would be required before the laptop could connect. That was not the case: the locked iPhone did not block access to the files on the device, and all content was available in clear text.

iOS was up to date, version 7.0.4. An iPhone 5 with iOS 7.1 did require the PIN code before the laptop connection was allowed, and an iPhone 5S also required it (when a PIN code was set).

So how and why is this possible?

iOS has a feature called Data Protection; see http://support.apple.com/kb/ht4175, which states:

"Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages, attachments, and third-party applications."

More interesting information comes from a post on Stack Overflow: http://stackoverflow.com/questions/15139305/enable-ios-on-disk-encryption

"The reason you can access files without unlocking your device is that an escrow keybag has been created. This is explained in Apple's iOS Security Guide (pdf):

Escrow keybag is used for iTunes syncing and Mobile Device Management (MDM). This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM server to remotely clear a user's passcode. It is stored on the computer that's used to sync with iTunes, or on the MDM server that manages the device.

The Escrow keybag improves the user experience during device synchronization, which potentially requires access to all classes of data. When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. The device then creates an Escrow keybag and passes it to the host. The Escrow keybag contains exactly the same class keys used on the device, protected by a newly generated key. This key is needed to unlock the Escrow keybag, and is stored on the device in the Protected Until First User Authentication class. This is why the device passcode must be entered before backing up with iTunes for the first time after a reboot."

This is not the root cause! Apple's own iOS apps use the correct class when writing data to the device. The Apple iOS Security Guide clearly states:

"Classes

When a new file is created on an iOS device, it's assigned a class by the app that creates it. Each class uses different policies to determine when the data is accessible. The basic classes and policies are as follows:

Complete Protection (NSFileProtectionComplete): The class key is protected with a key derived from the user passcode and the device UID. Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again. The Mail app implements Complete Protection for messages and attachments. App launch images and location data are also stored with Complete Protection."

OK, we are almost there. There is another class:

"No Protection (NSFileProtectionNone): This class key is protected only with the UID, and is kept in Effaceable Storage. This is the default class for all files not otherwise assigned to a Data Protection class. Since all the keys needed to decrypt files in this class are stored on the device, the encryption only affords the benefit of fast remote wipe. If a file is not assigned a Data Protection class, it is still stored in encrypted form (as is all data on an iOS device)."

So when you install an app that creates its files with NSFileProtectionNone, those files are accessible from a paired computer whenever the device is powered on, locked or not. Is this good? I don't think so, because everybody assumes that iOS always encrypts the data. Note that files in the "Protected Until First User Authentication" class mentioned in the escrow keybag quote above are in a similar position: once the passcode has been entered a single time after boot, that class key stays available while the device is locked, so a paired computer can read those files too.

It is not the user's responsibility to check each mobile app for data encryption.
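As an added example (this is not code from the original post, from Apple, or from any of the apps named above), the following Swift shows what the developer side of the fix looks like on iOS: writing a file with the weak default versus Complete Protection, raising the class of a file that was created without one (a SQLite database written by a library, say), auditing an app's Documents directory for files still in NSFileProtectionNone, and putting a credential in the Keychain instead of a clear-text property file. File names, the Keychain service name and the sample data are constructed for illustration.

```swift
import Foundation
import Security

// Added example, not the original post's code. Demonstrates iOS Data Protection
// classes from the app side; file names, service name and data are constructed.
enum ProtectedStorage {

    /// The app's Documents directory, i.e. the sandbox a paired computer can browse.
    static var documents: URL {
        FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    }

    /// Weak: no class given, so the file gets the default class (NSFileProtectionNone
    /// in the guide quoted above). A paired computer can read it while the phone is locked.
    static func writeUnprotected(_ data: Data, name: String) throws -> URL {
        let url = documents.appendingPathComponent(name)
        try data.write(to: url)
        return url
    }

    /// Hardened: Complete Protection. The class key is evicted shortly after the device
    /// locks, so the file is unreadable until the passcode is entered again.
    static func writeProtected(_ data: Data, name: String) throws -> URL {
        let url = documents.appendingPathComponent(name)
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }

    /// Raise the class of an existing file, e.g. a SQLite database created by a library
    /// that never set one. A database that must stay writable while the device is locked
    /// needs .completeUnlessOpen or .completeUntilFirstUserAuthentication instead.
    static func upgradeToComplete(_ url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
    }

    /// Audit: walk a directory and return every regular file whose class is
    /// NSFileProtectionNone (or not set at all).
    static func filesWithoutProtection(under root: URL) -> [URL] {
        guard let walker = FileManager.default.enumerator(
            at: root, includingPropertiesForKeys: [.isRegularFileKey]) else { return [] }
        var weak: [URL] = []
        for case let url as URL in walker {
            guard (try? url.resourceValues(forKeys: [.isRegularFileKey]))?.isRegularFile == true
            else { continue }
            let attrs = try? FileManager.default.attributesOfItem(atPath: url.path)
            let cls = attrs?[.protectionKey] as? FileProtectionType
            if cls == nil || cls == .none { weak.append(url) }
        }
        return weak
    }

    /// Credentials belong in the Keychain, readable only while the device is unlocked
    /// and never migrated to another device through a backup, not in a clear-text plist.
    static func storePassword(_ password: String, account: String, service: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(query as CFDictionary) // replace any existing item for this account
        var item = query
        item[kSecValueData as String] = Data(password.utf8)
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(item as CFDictionary, nil)
    }
}

// Usage with constructed data ("mail.sqlite", "attachment.bin" and the service
// name are hypothetical).
do {
    let db = try ProtectedStorage.writeUnprotected(Data("constructed mail cache".utf8), name: "mail.sqlite")
    try ProtectedStorage.upgradeToComplete(db)
    _ = try ProtectedStorage.writeProtected(Data("constructed attachment".utf8), name: "attachment.bin")
    let status = ProtectedStorage.storePassword("hunter2", account: "alice", service: "com.example.webmail")
    precondition(status == errSecSuccess, "Keychain write failed: \(status)")
    let weak = ProtectedStorage.filesWithoutProtection(under: ProtectedStorage.documents)
    print("files still in NSFileProtectionNone: \(weak.map { $0.lastPathComponent })")
} catch {
    print("error: \(error)")
}
```

The audit function is the check worth running in an existing app: anything it reports is readable by a paired laptop regardless of the lock screen, which is exactly what the demo above showed for the mail databases and property files.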

Recommendations:

1. Install a security product that can remotely wipe your device and that encrypts all data in a separate container not managed by the OS

2. Configure a PIN code and enable Data Protection on the device

3. Don't rely on apps to encrypt or secure your data (not on the device, and not in the cloud)
