Fabian1 Posted September 13, 2019 Report Share Posted September 13, 2019 (edited) Maybe you read the headlines: There was a massive iPhone hack. A Google team has found that thousands of iPhones were hacked - just by visiting a infected website. This allowed the attackers comprehensive access to the data in the iPhone: WhatsApp, Signal, SMS, gps-location, photos, contacts and - yes - even the keychain with the passwords should have been open. An incredible Bug! My question: Was Enpass also affected? Could attackers - even theoretically - read the passwords from the Enpass database? As far as I know, Enpass uses the iOS keychain to store the masterpassword, if you use biometric unlock. Who knows more? Edited September 13, 2019 by Fabian1 correction Link to comment Share on other sites More sharing options...
Fabian1 Posted September 15, 2019 Author Report Share Posted September 15, 2019 Nobody really knows if all the safety of Enpass was endangered? Link to comment Share on other sites More sharing options...
Ivarson Posted September 15, 2019 Report Share Posted September 15, 2019 I dont think Enpass was targeted, there where easier, standardized targets with APi's like you mentioned. They also stole oath tokens meaning that no matter how you store your password, the resulting granting "ticket" for e.g Google or Microsoft Live was passed on. But of course Enpass wouldnt sustain a root-level threat like that if being targeted. The security of an individual app cant hold up if security of underlying operating system is broken. Link to comment Share on other sites More sharing options...
Vinod Kumar Posted September 16, 2019 Report Share Posted September 16, 2019 Hi @Fabian1, 13 hours ago, Ivarson said: Enpass wouldnt sustain a root-level threat like that if being targeted. The security of an individual app cant hold up if security of underlying operating system is broken. As stated by @Ivarson, Absolute security of an app is dependent on the OS itself. If integrity of operating system is broken and a adversary is able to run arbitrary code with root privileges, there is little Enpass can do to protect itself. However I would like to summarize, how Enpass stores its data and what happens if your use PIN or bio-metrics to unlock Enpass. All of your data is stored in a database encrypted using your master password. None of your sensitive data is decrypted and stored in any of temporary file, except when you need to export an attachment to external app. Access/oauth tokens to cloud services are also stored inside this encrypted database. So, a stolen Enpass database file is as secure as its master password. If you are using PIN to unlock Enpass or using bio-metrics on devices without secure enclave, master password is stored in the keychain in obfuscated (non-encrypted) form. In this case your master password can be obtained from keychain dump and adversary will be able to unlock your vault easily. If you are using bio-metrics to unlock Enpass on devices with (A7 and above chip), your master password is stored as encrypted data in keychain with a key stored in Secure Enclave of device. Modern iOS devices (iPhone 5s above) have Secure Enclave and encryption keys are stored in separate execution unit with its own processor and ram. As per Apple Quote The Secure Enclave provides all cryptographic operations for Data Protection, key management and maintains the integrity of Data Protection even if the kernel has been compromised. It requires a very sophisticated attack to break into Secure Enclave. I have found no reference if the attack in question can lead to compromising of Secure Enclave too. So, your master password and hence all Enpass data is secure if Secure Enclave is resistant to the attack. Cheers:) Link to comment Share on other sites More sharing options...
Fabian1 Posted September 16, 2019 Author Report Share Posted September 16, 2019 Dear Vinod, Thank you very much for the very precise answer. That was exactly what I wanted to know. 1. PIN use (or old iPhone) = security risk, if the iOS keychain is broken 2. Biometric-Unlock + Secure Enclave = may still be considered secure, no indication of compromise of the Secure Enclave 3. Enter password yourself = currently best security. Or is there any evidence, that the current hack could read/log all keystrokes on the iPhone? Do you store the clear text masterpassword in process memory of the kernel? Thx again & kind regard Fabian Link to comment Share on other sites More sharing options...
Vinod Kumar Posted September 17, 2019 Report Share Posted September 17, 2019 13 hours ago, Fabian1 said: 3. Enter password yourself = currently best security. Or is there any evidence, that the current hack could read/log all keystrokes on the iPhone? Evidence is not required in this case. Keylogging, memory reading, screenshots and video recording are very much possible for a process with root privileges. 13 hours ago, Fabian1 said: Do you store the clear text masterpassword in process memory of the kernel? Enpass throws master password after using it but how does UI TextField handles memory internally, is outside of Enpass scope. This is an area we are dependent upon iOS security architecture. In future, we plan to use custom UI elements for text entry of master password as well just like we do it in Desktop versions. Link to comment Share on other sites More sharing options...
Maricores Posted March 27, 2022 Report Share Posted March 27, 2022 (edited) . Just a small piece of information though. The first thing you need to do in order to define whether your server was hacked is to track back the IP adress. If you find out that the IP address is external then I'm pretty sure that your server was hacked. You can choose to forget about it or hire a hacker iphone to get back into your server. A hacker isn't expensive to hire unlike most people assume. You can always negotiate the price with him before sealing the contract though. Edited March 30, 2022 by Maricores Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now