InformationWeek


Security Fail: Apple iOS Password Managers

Claims of military-grade encryption on smartphones are vastly overstated by almost every maker of Apple iOS password safes, say researchers at Black Hat Europe.


To riff on the old Steve Martin joke about cats: Do you have a password manager on your mobile device? Do you trust it?


If so, that trust may be misplaced. Speaking Friday at Black Hat Europe in Amsterdam, two security researchers from Elcomsoft detailed a study they'd conducted of 13 Apple iOS password managers (a.k.a. password keepers, wallets, or safes). Only one of the tested products, however, had properly implemented strong crypto.

"Most people who develop password keepers, I believe they're very good programmers, but they need to study security," said Elcomsoft's Dmitry Sklyarov.

The sole exception they found in testing a sample of popular apps was Strip Lite, a free password manager from Zetetic. Strip Lite computes an encryption key using 4,000 iterations of PBKDF2-SHA1, together with a per-database salt (random bits). Iterating the derivation that many times makes each guess at the master password expensive, and the per-database salt means precomputed tables cannot be reused against it, so the app does a good job of securing passwords.

[ The mobile ecosystem has a lot of growing up to do. Read more at Mobile's Cryptography Conundrums. ]

Elcomsoft's Andrey Belenko also said that a $10 product they tested called mSecure "seems not bad," in part because of its use of Blowfish encryption.

The researchers studied a total of seven free applications and six paid ones. On the free front, Sklyarov dubbed three of the apps--iSecure Lite Password Manager, Secret Folder Lite, and Ultimate Password Manager Free--as the "unsafe triplets." All three use the exact same underlying software code but have a different name and graphical user interface, and all store their master passwords in unencrypted form on the device, which makes retrieving the password a trivial matter. Other free applications studied were Keeper Password & Data Vault (from Callpod), My Eyes Only--Secure Password Manager (Software Ops), Password Safe--iPassSafe free version (from Netanel Software), and Zetetic's Strip Lite.

For paid applications, the researchers Googled "top password keepers for iOS" and picked six that looked popular: 1Password Pro (Agilebits, $15), DataVault Password Manager (Ascendo, $10), LastPass for Premium Customers ($1/month), mSecure Password Manager (mSeven Software, $10), SafeWallet--Password Manager (SBSH Mobile Software, $4), and SplashID Safe for iPhone (SplashData, $10).

The researchers began their testing project after a British law enforcement agency asked Elcomsoft how hard it would be to crack a SplashID database password, which the agency had encountered during an investigation. SplashID Safe for iPhone appears to be one of the three most popular password safes for the iPhone, with about a half million users.

On the positive side, the researchers found that SplashID Safe uses Blowfish, for which password experts have spent less time developing cracking tools. On the negative side, SplashID Safe uses a hard-coded key to encrypt a user's master password, thus making that master password instantly recoverable to anyone who can access the device and get past the iOS passcode entry requirement (if it's been enabled). In other words, the software may store passwords, but it effectively fails to secure them.

Based on their research, in fact, the researchers said that the single best way to secure passwords or any other data on an iOS device is to enable the iOS security feature that requires a passcode to be entered to unlock the device. "Always use a passcode for iOS devices, and use something more complex than the standard four-digit passcode, because ... a four-digit passcode can be brute-forced in less than two hours for any device before the iPhone 4S," said Belenko.

The security situation improved with the iPhone 4S, the iPad 2, and the new iPad, because all password-cracking attempts must be done on the device itself. This greatly slows attackers because "there are no publicly available exploits that can be utilized to recover the passcode," according to Belenko. (For older devices, the iOS passcode hash can be recovered, transferred to another computer, and then subjected to a brute-force attack.) "Of course, do not jailbreak the device, because you're making the ecosystem more open, but you're also making it more open for bad guys," he said.

That iOS security technique aside, why did so many password safe apps fail at security? For starters, many of the tested products use AES encryption, and password researchers have created AES-cracking tools optimized for the ultra-fast graphics processing unit (GPU) now built into most computers. Combined with the poor crypto implementations seen in almost every tested product, the use of GPUs allows attackers to--in many cases--test millions of possible passwords per second, and for some password managers up to 20 million passwords per second. For comparison's sake, when attempting to crack passwords for Microsoft Office 2007 documents, attackers can currently test only about 5,000 passwords per second.

Belenko said that he himself had been using 1Password Pro, which may be the most-installed password manager for Apple iOS. But he ceased using it after testing the application's cryptography. "When we recovered my master password in five seconds? That was a moment," he said.

Meanwhile, some password managers encrypt passwords by using the cryptographic hash function MD5. Callpod's Keeper Password & Data Vault, for example, claims to have "military-grade encryption"--thanks to MD5--which it says means that "you can trust that no one else will have access to your most important information." But MD5 offers little protection unless it is used properly, since researchers have devoted extensive resources to defeating it. "MD5 is like a platform for testing skills on GPU acceleration," said Sklyarov.

For Keeper Password, however, GPU cracking isn't even required, since the product fails to salt its MD5 passwords. That means that an attacker could simply reference rainbow tables--lists of the password equivalent for any given hexadecimal hash--which are freely available on the Internet. "Type the hexadecimal hash in Google, and in many cases you will find the password value in less than a second," said Sklyarov.
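The contrast the researchers draw between Strip Lite's salted, iterated PBKDF2 and Keeper's unsalted MD5 comes down to two properties: whether a stored value can be reversed by a precomputed lookup, and how much work each guess costs. The following Python example is added here to illustrate that contrast; it is not code from either product or from Elcomsoft. The master password, the candidate list and the salt length are constructed sample values, and the PBKDF2 parameters (SHA1, 4,000 iterations) are the ones the article attributes to Strip Lite.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration; not values taken from any of the apps.
MASTER_PASSWORD = "letmein"
# A small candidate list standing in for a precomputed table; with an unsalted
# hash, every user who chose one of these entries is recoverable by a lookup.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "iloveyou"]

# --- Weak scheme: unsalted MD5 of the master password (what the article describes for Keeper) ---

def store_unsalted_md5(password: str) -> str:
    """Hex MD5 digest with no salt. Identical passwords always give identical
    digests, so a single precomputed table maps the digest back to the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password once; this is the rainbow-table idea, simplified."""
    return {store_unsalted_md5(p): p for p in candidates}

def lookup_attack(stored_digest: str, table: dict):
    """A single dictionary lookup recovers the password; no hashing at attack time."""
    return table.get(stored_digest)

# --- Sound scheme: PBKDF2-HMAC-SHA1, 4,000 iterations, random per-database salt (Strip Lite's parameters) ---

ITERATIONS = 4000
SALT_BYTES = 16   # assumed salt length; the article only says "random bits"
KEY_BYTES = 32

def new_database_salt() -> bytes:
    """Fresh random salt, generated once per database and stored beside the ciphertext."""
    return os.urandom(SALT_BYTES)

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the encryption key from the master password and salt. Each candidate
    password costs the attacker `iterations` HMAC computations, and the salt stops
    that work from being shared across databases or precomputed in advance."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)

def verify_master_password(candidate: str, salt: bytes, expected_key: bytes) -> bool:
    """Re-derive and compare in constant time against the stored verifier."""
    return hmac.compare_digest(derive_key(candidate, salt), expected_key)

def same_password_two_databases(password: str):
    """Return (salted keys differ, unsalted digests equal) for one password used
    in two databases: the salted scheme yields unrelated keys, the unsalted one repeats."""
    k1 = derive_key(password, new_database_salt())
    k2 = derive_key(password, new_database_salt())
    d1 = store_unsalted_md5(password)
    d2 = store_unsalted_md5(password)
    return (k1 != k2, d1 == d2)

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted MD5 recovered:", lookup_attack(store_unsalted_md5(MASTER_PASSWORD), table))
    salt = new_database_salt()
    key = derive_key(MASTER_PASSWORD, salt)
    print("PBKDF2 verify correct password:", verify_master_password(MASTER_PASSWORD, salt, key))
    print("PBKDF2 verify wrong password:", verify_master_password("password", salt, key))
    print("salted keys differ / unsalted digests equal:", same_password_two_databases(MASTER_PASSWORD))
```

The point of `same_password_two_databases` is the one the article makes about Keeper: without a salt, the stored value is a pure function of the password, which is exactly what makes a web search for the hex string work. With a per-database salt there is nothing to look up, and the attacker is pushed back to guessing, at a rate the iteration count controls.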

The same weak crypto that makes it easy to test millions of possible passwords per second also means that users would need relatively long passwords--typically, 14 characters or more in length--if they want to make their password uncrackable by an attacker in less than 24 hours. Of course, almost no one will use a password of that length, given the usability challenge of reliably entering so many characters via a touch screen. As a result, most real-world password safe master passwords are relatively easy to crack.
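To see how the guess rates quoted above translate into password-length requirements, the following Python example models the worst-case time to exhaust every password of a given length and alphabet, and the smallest length that survives 24 hours at a given rate. It is an added illustration, not analysis from the article or from Elcomsoft; it assumes uniformly random passwords, so it does not reproduce the researchers' 14-character figure, which rests on their own assumptions about how the apps hash and how people choose passwords. The two rates are the ones the article quotes (20 million/s against the weakest apps, 5,000/s against Office 2007).

```python
import math

# Guess rates quoted in the article, used here as scenario inputs.
RATE_WEAK_PASSWORD_MANAGER = 20_000_000   # passwords per second on a GPU against the weakest apps
RATE_OFFICE_2007 = 5_000                  # passwords per second against Office 2007 documents
ONE_DAY = 24 * 60 * 60

# Alphabet sizes for random passwords drawn from a character class.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alnum": 62,
    "printable": 95,
}

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return charset_size ** length

def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every password of this length and alphabet."""
    return keyspace(charset_size, length) / guesses_per_second

def min_length_to_survive(charset_size: int, guesses_per_second: float, seconds: float) -> int:
    """Smallest length whose full keyspace cannot be exhausted within `seconds`."""
    length = 1
    while seconds_to_exhaust(charset_size, length, guesses_per_second) <= seconds:
        length += 1
    return length

def effective_rate_with_kdf(raw_hashes_per_second: float, iterations: int) -> float:
    """An iterated KDF such as PBKDF2 makes each guess cost `iterations` hash
    computations, so the attacker's password rate drops by roughly that factor."""
    return raw_hashes_per_second / iterations

def survival_table(seconds: float = ONE_DAY) -> dict:
    """Minimum random-password length per alphabet that outlasts `seconds` at the
    weak-app rate, the Office 2007 rate, and the weak-app rate slowed by 4,000 PBKDF2 rounds."""
    slowed = effective_rate_with_kdf(RATE_WEAK_PASSWORD_MANAGER, 4000)
    return {
        name: {
            "weak_app": min_length_to_survive(size, RATE_WEAK_PASSWORD_MANAGER, seconds),
            "office_2007": min_length_to_survive(size, RATE_OFFICE_2007, seconds),
            "weak_app_with_pbkdf2_4000": min_length_to_survive(size, slowed, seconds),
        }
        for name, size in CHARSETS.items()
    }

def hours_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / 3600

if __name__ == "__main__":
    print("8 lowercase chars at 20M/s: %.1f hours" % hours_to_exhaust(26, 8, RATE_WEAK_PASSWORD_MANAGER))
    print("8 lowercase chars at 5,000/s: %.0f days" % (hours_to_exhaust(26, 8, RATE_OFFICE_2007) / 24))
    for name, row in survival_table().items():
        print(name, row)
```

One observation the arithmetic produces: dividing the article's 20 million guesses per second by Strip Lite's 4,000 PBKDF2 iterations gives 5,000 per second, the same rate the researchers quote for Office 2007 documents. The iteration count, not the choice of cipher, is what puts the two in the same class.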

In response to a question from the Black Hat audience about whether these password manager cryptography problems had been shared--per responsible disclosure guidelines--with the relevant developers, the Elcomsoft researchers said they'd declined to notify vendors. "We don't think this will provide any benefit because this isn't a bug, this is architecture," said Belenko.

In other words, the applications don't have code-level errors that can be patched. Rather, most of their developers appear to have failed to understand how to properly implement cryptographic features. "It's very bad for the industry: security that doesn't provide security isn't a very good thing," Belenko said. "If you don't really need the password manager, we'd probably recommend that you don't use it."

