This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Understanding the iOS keychain

There is potentially a security vulnerability with 1Password, at least in the iOS environment. I have only tested it with the latest iOS 6 & 1Password Pro version (as of 12/5/12). It could be more deep-rooted also, but as I don't understand the mechanism I can't be 100% sure.



I am attaching a series of pictures to explain what I am trying to explain. In summary I use Dropbox across my iOS devices and Mac to keep my 1Password database synchronized. Today I had trouble remembering my master password when I was trying to log in from my iPad and wanted to re-initialize the device. Online the prescribed method is to delete the iOS app and re-install it to set up the database again. Which I did....



After installing the iPad app, I went on to configure a new database, followed by linking with my Dropbox account, for which I gave the Dropbox credentials. Then the app asked me to key in the master password that I used on the PC/Mac. I did not enter the password and just canceled the procedure by clicking on back... To my surprise the app had synchronized the database from Dropbox and all of my accounts showed up. I never entered the master password.



I repeated this process 3 times and the last time I took screenshots that are attached below. It works every time. So either the app does not delete the cached master password (which it should not be caching anyway) or something fishy is happening here.

Comments

  • Chris100
    edited December 2012
    Hey, just curious: did you try to look at one of your passwords?



    I am new to this, but it is my understanding that not everything is encrypted in 3.x. The names of your logins are stored in clear text. So even if you don't supply a master PW, when you connect to Dropbox it should be able to find your list and display it.



    Also I believe if you have configured the iOS app to auto-sync, your master password is stored in the iOS keychain for sync purposes (But is not used to unlock password entries in the UI -- you would still need to enter the master password to view an entry.)



    Some of that may be wrong, but I am sure khad or another moderator will be along shortly....
  • Penelope Pitstop, Junior Member
    edited December 2012
    This doesn't address ASBFLIF's question but [url="http://blog.agilebits.com/2011/02/11/lost-iphone-safe-passwords/"]this blog post[/url] explains how all the passwords associated with 1PW and iOS keychains are dealt with. Thought it might be useful for anyone reading this thread and wanting to understand more.
  • Penelope Pitstop, Junior Member
    edited December 2012
    I tried this and pressed Done on the keyboard after entering my Dropbox credentials instead of pressing the blue Next button in the top of the dialog (picture 3 in the original post). I wasn't prompted for my master password but it downloaded all my keychain data and I was able to reveal the passwords.



    I'm wondering if because the app is "signed" and I've unlocked my iOS keychain by entering my device passcode, 1PW is able to access the iOS keychain and retrieve old security items associated with the app. It would seem then that iOS app deletion isn't clearing out associated iOS keychain items, which is not what the dialog leads you to believe when you delete the app: "Deleting "1Password" will also delete all of its data".



    So I guess I'm able to replicate ASBFLIF's experience but I'm not sure if this behaviour represents a vulnerability or not since to access the data, I would need my original device, the passcode to the device and my Dropbox credentials i.e. it is the fact that I have my phone and know the passcode that is granting me access to my Mac/PC master password. I believe it is very [url="http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-simple-passcodes/"]hard to crack the iOS passcode provided it is not a simple one[/url] because the device itself is required and it gets slower and slower with successive retries.



    Well, no doubt the experts will be along shortly.
  • I've noticed that iOS seems to keep app settings around in some cases, so that reinstalling an app recovers the old settings. So another thought comes to mind: what is your setting for the Master Password Auto-Lock, and did the remove/reinstall fall short of that time window?
  • Thanks Penelope for testing it.... My worry is more around the "unknown" than this specific scenario. In my case I don't save any password on my Mac's keychain - so nothing should be cached anywhere (ideally). If that is not the case I will try to understand why not later.



    As I don't know what's caching where, if somebody has access to my iOS device and they just copy a few files (cached database of 1Password) and a few other files and move to a different device to read the information within?



    In short I am just freaking out because the behavior I noticed is not what I expected... there are scenarios I can conjure up (valid or not) that would compromise a lot of sensitive details.... ;)

    [quote name='Penelope Pitstop' timestamp='1354804389' post='64623']

    I tried this and pressed Done on the keyboard after entering my Dropbox credentials instead of pressing the blue Next button in the top of the dialog (picture 3 in the original post). I wasn't prompted for my master password but it downloaded all my keychain data and I was able to reveal the passwords.



    I'm wondering if because the app is "signed" and I've unlocked my iOS keychain by entering my device passcode, 1PW is able to access the iOS keychain and retrieve old security items associated with the app. It would seem then that iOS app deletion isn't clearing out associated iOS keychain items, which is not what the dialog leads you to believe when you delete the app: "Deleting "1Password" will also delete all of its data".



    So I guess I'm able to replicate ASBFLIF's experience but I'm not sure if this behaviour represents a vulnerability or not since to access the data, I would need my original device, the passcode to the device and my Dropbox credentials i.e. it is the fact that I have my phone and know the passcode that is granting me access to my Mac/PC master password. I believe it is very [url="http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-simple-passcodes/"]hard to crack the iOS passcode provided it is not a simple one[/url] because the device itself is required and it gets slower and slower with successive retries.



    Well, no doubt the experts will be along shortly.

    [/quote]
  • jpgoldberg, Agile Customer Care
    Hi ASBFLIF! Welcome to the forums.



    I haven't had a chance to read through what everyone has said thoroughly yet, and so what I say now is subject to extreme revision (and possibly reversal).



    Here is the short answer:



    Things that are stored in the iOS keychain cannot be accessed by (1) anything until your device is unlocked, and (2) by applications other than the ones that put them in the iOS keychain.



    That is the overall design and intended use of the iOS keychain. Note that "the app that put it there" does apply to a reinstalled version of that app. So the behavior you saw was normal.



    Somewhat longer answer:



    1Password, for the purposes of doing automatic syncing, will store your Dropbox credentials, your desktop Master Password, and your local Master password in the iOS keychain. You can read about that here:



    http://help.agilebits.com/1Password_touch/how_secure_is_syncing.html



    Now there are lots of actual exceptions to (1) and (2) above. Applications can store things with different data protection settings instead of the default I've listed. We have used the most restrictive data protection settings in 1Password.



    Jailbreaks provide another kind of exception to (2), and iTunes escrow keys can provide a sort-of exception to (1). As a consequence, we do have to consider the security of the iOS keychain when designing our synchronization.



    Others here have pointed out the importance of having a good passcode for your iPhone in order to protect things like the iOS keychain, and I want to reiterate that.



    http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-simple-passcodes/



    If we are going to store secrets that enable 1Password to do things when it is locked, then the best choice is the iOS keychain. But the security of the iOS keychain is both complicated and sometimes beyond our or the users' control. Automatic syncing is really great, but we do need to look at what vital secrets we may be leaving around to have that work. So we are always looking for ways to improve both the ease of use and the security of the system. We do tinker with our design from time to time.



    So the good news is that no, we are not just leaving vital secrets around where anyone can pick them up. We are using the iOS keychain appropriately. The bad news is that iOS keychain security is tricky, and we do need to design with that in mind.



    I hope this helps, please let me know.



    -j
  • ASBFLIF
    edited December 2012
    Hi J,



    Thanks for the quick response. But something still does not sound right in the way this worked out. If I uninstall 1Password, should it not clean/delete the keychain entries that were installed on iOS?



    Secondly, if I install a fresh copy of 1Password and it has a screen asking for the master password during initialization, why would it just go and use something from the iOS keychain if nothing is provided to it?



    Pardon my ignorance as I am not that technical. But there should be an option in the software that gives an option to the end user to decide that their master password should NEVER be stored in any KeyChain. Just like what Mac OSX does….



    I had a perception till I encountered this scenario that the master password is NEVER transmitted or stored anywhere and it's local to the individual.





    Thanks
  • I was under the impression that when an app is deleted, everything associated with it is deleted as well (let's ignore iCloud for the moment). I think everyone's assumption would have been that after reinstalling, you would have had to give it both your Dropbox credentials and 1Password credentials to get things set up again. Sure seems like bad stuff if the 1P app is not asking for the master password after a reinstall. Looking forward to hearing more from AgileBits.
  • khad, Social Choreographer
    edited December 2012
    I'm not sure how an app [i][b]could[/b][/i] delete any items from the iOS keychain if the code needed to remove the items was in the app that was just removed. An app that doesn't exist on your device can't execute any code.



    If anything, perhaps any items 1Password has previously stored in the iOS keychain could be removed on first run, but that wouldn't change the situation at all. It would simply provide the illusion that the items were removed from the iOS keychain before you ran the reinstalled 1Password app.



    I think it is important to remember that whatever information is securely stored by 1Password in the iOS keychain using the most restrictive data protection setting is secure whether the app is installed at the time or not.



    Everything written in the aforelinked "[url="http://blog.agilebits.com/2011/02/11/lost-iphone-safe-passwords/"]Lost iPhone? Safe Passwords![/url]" blog post holds true whether 1Password is currently installed or not.



    The bulk of your 1Password data is in an encrypted database file. There is encryption provided by iOS (the operating system) and our own encryption based on your master password on top of that.



    For automatic syncing via Dropbox, 1Password does store some extremely sensitive information in an iOS keychain. When 1Password fetches your data with Dropbox it needs three things: It needs to log in to your Dropbox account, it needs to decrypt the data that it fetches from Dropbox, and it needs to re-encrypt that data to store it in the data format we use on iOS. (All of this encryption and decryption is performed only on your device.) To do this automatically 1Password stores the following in an iOS keychain.

    1. Your Dropbox credentials (email address and Dropbox password)
    2. Your master password for your data as stored on Dropbox
    3. Your master password for 1Password on your iOS device


    If those three things fell into the hands of the bad guys your data would be entirely compromised. We want to make sure that that never happens.



    When items are saved to an iOS keychain on iOS 4 or later there are different settings that can be used to define how they are encrypted and which keys are needed to decrypt them. There are six setting combinations that matter for this discussion. Items can be set to “Accessible Always”, “Accessible after First Unlock”, or “Accessible only when Unlocked”. Each of those three can be set as either “Migratable” or “Non-migratable.”



    The keychain information that can be retrieved by the attacks described is only that which falls into the “Accessible Always” class. Things stored this way are items that should be available to software on the phone as soon as it is turned on, even if the user doesn’t unlock it. These are typically network passwords, such as Wi-Fi login information. It also includes MobileMe passwords and MS-Exchange passwords.



    The data that 1Password stores in an iOS keychain has the most restrictive settings. It is set with both “Only when Unlocked” and “Non-migratable.” The first setting is what protects it against the kind of attack demonstrated by the researchers at Fraunhofer. The disadvantage of using this setting is that syncing won’t start happening immediately when your phone is turned on. We are very happy with the design choice we made in that respect.



    The “Non-migratable” setting prevents attacks against device backups, as it ensures that the information is always encrypted with a unique hardware key built into the device. The disadvantage of using this setting is that if you wish to migrate all of your device settings and data to a different device you will have to re-enter the passwords needed to set up Dropbox syncing. Again, I think you will agree that we made the correct design choice with that.



    “So what should I do if my device is stolen?”



    The first thing to remember if your iPhone, iPod Touch or iPad is stolen are the simple words, “don’t panic.” The fact that you have been using 1Password already means that you’ve done 90% of what you need to do to protect your data. All the actions described here are just extra precautions.



    Some sensitive data (though not from 1Password) can be revealed through some known attacks. Network passwords (Wi-Fi passwords, VPN settings) can be exposed. More importantly MobileMe and Exchange logins can be exposed. So those are passwords that you will need to change. If those passwords aren’t unique, you should change passwords for every login that uses those. Users of 1Password on the desktop will find great tools to manage that chore.



    Your 1Password data is safe from known attacks. But we also need to be concerned about attacks that we don’t know about. So it would be a good idea to change your Dropbox password quickly after discovering that your iPhone has been stolen. Your 1Password master password is actually the kind of thing that should be made strong from the beginning and rarely changed, but you may wish to change that as well.



    You may also try the Remote Wipe feature. This is a good thing to try if your iPhone is stolen, but keep in mind that anyone who would launch a sophisticated attack against your iPhone would know to remove the SIM card first to foil Remote Wipe and Find My iPhone.



    In the vast majority of cases of a stolen iPhone, iPad or iPod touch the thief is far more interested in selling the device than the data it contains. Once they see that your device is password protected, they will just wipe it themselves. But we aren’t only interested in the vast majority of cases. We have designed 1Password to withstand sophisticated attacks as well as casual ones. The recent news has given me the opportunity to discuss some of the guts of what we do to keep your data secure against sophisticated, resourceful attackers.



    My apologies if you already read this when the blog post was linked earlier in the thread, but it seems to answer the questions which are still being asked, so I wanted to make sure to include it here in case folks were simply not clicking the links and reading them. :)
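
Added example, not part of the thread and not AgileBits' code: Swift using the Security framework to store an item with the "Only when Unlocked" and "Non-migratable" settings described above (`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`), together with the first-run cleanup khad mentions for keychain items that outlive an uninstall. The service name, the defaults key and the function names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; not 1Password's own.
let service = "com.example.vault.sync"
let firstRunFlag = "hasLaunchedSinceInstall"

/// Store a secret that is readable only while the device is unlocked and
/// is never restored onto a different device from a backup.
func storeSecret(_ secret: Data, account: String) -> OSStatus {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(base as CFDictionary)

    var attrs = base
    attrs[kSecValueData as String] = secret
    // "Only when Unlocked" + "Non-migratable" in the terms used in the thread.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Read the secret back. Returns nil when the item is absent or when the
/// device is locked (the query then fails with errSecInteractionNotAllowed).
func loadSecret(account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { return nil }
    return result as? Data
}

/// Call once at launch, before any keychain read. UserDefaults live in the
/// app's container and are removed with the app; keychain items are not.
/// A missing flag therefore means "first launch after (re)install", and any
/// item still stored under our service is left over from an earlier install.
/// Returns true when a purge was performed.
func purgeKeychainIfFreshInstall(defaults: UserDefaults = .standard) -> Bool {
    if defaults.bool(forKey: firstRunFlag) { return false }

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
    ]
    let status = SecItemDelete(query as CFDictionary)
    // errSecItemNotFound simply means there was nothing left over.
    guard status == errSecSuccess || status == errSecItemNotFound else {
        return false   // e.g. device locked; retry on the next launch
    }
    defaults.set(true, forKey: firstRunFlag)
    return true
}
```

The purge only affects what a reinstalled copy will reuse; between uninstall and the next launch the items remain in the keychain under their original protection class.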
  • Khad, you've presented a ton of great information here, but just so I understand, in response to the original post, it sounds like what you're saying is that the reason they weren't asked to enter the 1Password master password is that it was still in the iOS keychain, even after they initially deleted the app. Is that correct?



    I think, for me, I was surprised to hear that anything is left in the iOS keychain because whenever you delete an app, you are presented with a message that says "Deleting 'XXXXX' will also delete all of its data." It sounds like that statement isn't entirely true, if keychain data is left intact.
  • khad, Social Choreographer
    edited December 2012
    [quote]

    Khad, you've presented a ton of great information here, but just so I understand, in response to the original post, it sounds like what you're saying is that the reason they weren't asked to enter the 1Password master password is that it was still in the iOS keychain, even after they initially deleted the app. Is that correct?

    [/quote]

    As far as I know, yes. Again, I don't know how 1Password (or any app) [i][b]could possibly[/b][/i] remove information from the iOS keychain if you just deleted the app from your device. The app doesn't exist on your device anymore, and thus can't run any of its code (such as a function to remove items from the iOS keychain). You just deleted the only app on your device that could have performed that function.



    [quote]

    I think, for me, I was surprised to hear that anything is left in the iOS keychain because whenever you delete an app, you are presented with a message that says "Deleting 'XXXXX' will also delete all of its data." It sounds like that statement isn't entirely true, if keychain data is left intact.

    [/quote]

    The message you are seeing is from iOS itself, not 1Password, so we don't have any control over the wording or clarity of it. This actually changed in iOS 4 if I recall correctly. At the same time that the different protection classes mentioned above were introduced, [url="http://stackoverflow.com/questions/3671499/iphone-keychain-items-persist-after-application-uninstall"]iOS 4 also began leaving the items an app placed in the iOS keychain intact when removing the app[/url].
  • Interesting! Wow, then the deletion message is actually a bit misleading. Apple should modify that. I totally assumed that when an app was deleted, based on the iOS deletion message, [i]everything[/i] related to that app was deleted as well. I love learning new things about iOS :)



    For me personally, I don't see this as a major issue: Someone would potentially need: your device's password (which should always be enabled IMHO), your App Store password (if the app hadn't been reinstalled yet), and your Dropbox password (which should be super secure).
  • khad, Social Choreographer
    Indeed. I think the issue is that apps can [i][b]optionally[/b][/i] share iOS keychain data, so the items an app places in the iOS keychain can't just be deleted wholesale on app removal or it may pull the rug out from under another app relying on their presence.



    Perhaps it would be better if Apple gave developers the option to clear items in the iOS keychain upon app removal. As far as I know this is not an option at this time, but as you mentioned it would take [i]quite a bit[/i] to get to the items 1Password stores in the iOS keychain. :)



    As Jeff mentioned, "we are not just leaving vital secrets around where anyone can pick them up. We are using the iOS keychain appropriately." The flip side, of course, is that "iOS keychain security is tricky, and we do need to design with that in mind."



    I can't say more right now, but please do keep an eye on future 1Password developments in this area.
  • Penelope Pitstop, Junior Member
    edited December 2012
    [quote name='ASBFLIF' timestamp='1354818643' post='64628']

    Thanks Penelope for testing it.... My worry is more around the "unknown" than this specific scenario. In my case I don't save any password on my Mac's keychain - so nothing should be cached anywhere (ideally). If that is not the case I will try to understand why not later.



    As I don't know what's caching where, if somebody has access to my iOS device and they just copy a few files (cached database of 1Password) and a few other files and move to a different device to read the information within?



    In short I am just freaking out because the behavior I noticed is not what I expected... there are scenarios I can conjure up (valid or not) that would compromise a lot of sensitive details.... ;)

    [/quote]

    Experiences that cause you to call your understanding into question do tend to make you freak out. The same happened to me when I lost my iPhone a few years ago. I bought 1PW to protect myself against such an eventuality and thought I understood how it worked. However experiencing the worst for real sharpened my focus somewhat.



    I panicked a bit and bombarded Agile with incessant questions about their design. As you can see they are really patient and happy to explain everything despite the fact they must have answered similar questions hundreds of times (I'm glad they do too because we all learn something more from their responses to posts like yours). When I eventually understood what was happening underneath, I calmed down. It took a week or two of learning and hard thinking mind you!