Fabian1

Enpass affected by iPhone hack?

Maybe you read the headlines: There was a massive iPhone hack. A Google team has found that thousands of iPhones were hacked - just by visiting an infected website. This allowed the attackers comprehensive access to the data in the iPhone:

WhatsApp, Signal, SMS, GPS location, photos, contacts and - yes - even the keychain with the passwords should have been open.

An incredible bug!

My question: Was Enpass also affected?

Could attackers - even theoretically - read the passwords from the Enpass database?

As far as I know, Enpass uses the iOS keychain to store the master password if you use biometric unlock.

Who knows more?

Edited by Fabian1
correction


I don't think Enpass was targeted; there were easier, standardized targets with APIs like you mentioned. They also stole OAuth tokens, meaning that no matter how you store your password, the resulting granting "ticket" for e.g. Google or Microsoft Live was passed on.

But of course Enpass wouldn't sustain a root-level threat like that if being targeted. The security of an individual app can't hold up if the security of the underlying operating system is broken.


Hi @Fabian1,

13 hours ago, Ivarson said:

Enpass wouldn't sustain a root-level threat like that if being targeted. The security of an individual app can't hold up if the security of the underlying operating system is broken.

As stated by @Ivarson, the absolute security of an app is dependent on the OS itself. If the integrity of the operating system is broken and an adversary is able to run arbitrary code with root privileges, there is little Enpass can do to protect itself. However, I would like to summarize how Enpass stores its data and what happens if you use a PIN or biometrics to unlock Enpass.

All of your data is stored in a database encrypted using your master password. None of your sensitive data is decrypted and stored in any temporary file, except when you need to export an attachment to an external app. Access/OAuth tokens to cloud services are also stored inside this encrypted database. So, a stolen Enpass database file is as secure as its master password.

If you are using a PIN to unlock Enpass or using biometrics on devices without a Secure Enclave, the master password is stored in the keychain in obfuscated (non-encrypted) form. In this case your master password can be obtained from a keychain dump and an adversary will be able to unlock your vault easily.

If you are using biometrics to unlock Enpass on devices with an A7 chip or above, your master password is stored as encrypted data in the keychain with a key stored in the Secure Enclave of the device. Modern iOS devices (iPhone 5s and above) have a Secure Enclave, and encryption keys are stored in a separate execution unit with its own processor and RAM. As per Apple:

Quote

The Secure Enclave provides all cryptographic operations for Data Protection, key management and maintains the integrity of Data Protection even if the kernel has been compromised.

It requires a very sophisticated attack to break into the Secure Enclave. I have found no reference as to whether the attack in question can lead to a compromise of the Secure Enclave too. So, your master password and hence all Enpass data is secure if the Secure Enclave is resistant to the attack.

Cheers:)
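
The Secure Enclave case described in the post above, as an added Swift example; it is not part of the original post and is not Enpass's code. The key tag and the function names are assumptions made for illustration.

```swift
import Foundation
import Security

// Hypothetical key tag for this example; not an identifier used by Enpass.
let keyTag = Data("com.example.vault.unlock-key".utf8)
let algorithm = SecKeyAlgorithm.eciesEncryptionCofactorVariableIVX963SHA256AESGCM

struct KeychainWrapError: Error { let step: String; let cause: String }
func failure(_ step: String, _ error: Unmanaged<CFError>?) -> KeychainWrapError {
    let cause = error.map { String(describing: $0.takeRetainedValue()) } ?? "unknown"
    return KeychainWrapError(step: step, cause: cause)
}

/// Generates a P-256 private key inside the Secure Enclave. The key cannot be
/// exported, and every use requires a biometric match.
func makeEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet], &error)
    else { throw failure("access control", error) }
    let privateAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrAccessControl as String: access]
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: privateAttrs]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else { throw failure("key generation", error) }
    return key
}

/// Encrypts the secret to the public half; this blob is what gets stored.
func wrap(_ secret: Data, for privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          let blob = SecKeyCreateEncryptedData(publicKey, algorithm, secret as CFData, &error)
    else { throw failure("encrypt", error) }
    return blob as Data
}

/// Decryption is performed by the Secure Enclave after the biometric prompt.
func unwrap(_ blob: Data, with privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let secret = SecKeyCreateDecryptedData(privateKey, algorithm, blob as CFData, &error) else { throw failure("decrypt", error) }
    return secret as Data
}
```

With this layout a keychain dump yields only the ciphertext returned by `wrap`, because the private key never leaves the Secure Enclave. The plaintext still exists in the app's memory once `unwrap` returns.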


Dear Vinod,

Thank you very much for the very precise answer. That was exactly what I wanted to know.

1. PIN use (or old iPhone) = security risk, if the iOS keychain is broken

2. Biometric-Unlock + Secure Enclave = may still be considered secure, no indication of compromise of the Secure Enclave

3. Enter password yourself = currently best security. Or is there any evidence that the current hack could read/log all keystrokes on the iPhone? Do you store the clear text master password in process memory of the kernel?

Thx again & kind regards

Fabian

13 hours ago, Fabian1 said:

3. Enter password yourself = currently best security. Or is there any evidence that the current hack could read/log all keystrokes on the iPhone?

Evidence is not required in this case. Keylogging, memory reading, screenshots and video recording are very much possible for a process with root privileges.

13 hours ago, Fabian1 said:

Do you store the clear text master password in process memory of the kernel?

Enpass throws away the master password after using it, but how the UI TextField handles memory internally is outside of Enpass's scope. This is an area where we are dependent upon the iOS security architecture. In future, we plan to use custom UI elements for text entry of the master password as well, just like we do in the Desktop versions.
