
Security issue in Facebook, Dropbox iOS apps requires physical access

post #1 of 28
Thread Starter 
A newly discovered security flaw in the Facebook and Dropbox applications for iOS could lead to identity theft, but only if a malicious user were to physically get their hands on an iPhone or iPad.

Earlier this week, developer Gareth Wright discovered the flaw in Facebook's official, free software available on the iOS App Store. He was able to install his personal "plist" file from the social networking application on four different devices without warning.

After discovering the issue, Wright contacted Facebook's security team, and they confirmed they are "working to fix it." No timetable was given for the fix.

The same issue was also discovered in the official iOS Dropbox application by The Next Web. Both applications store personal information in plain text, rather than encrypting or packaging it, leaving personal information accessible to malicious users — but only if they are able to obtain the physical device that holds the data.

The data can even be obtained from Apple's latest devices, including the third-generation iPad, and it can be extracted without "jailbreaking" the device, or hacking Apple's iOS mobile operating system.

In other words, there is currently no risk from the security flaw for users who keep their iPhone or iPad in their possession. The newly discovered issue mostly applies to those who may have lost their device or had it stolen.

In a statement, Dropbox said it is currently updating its iOS application to store its access tokens in a "protected location," like the service's Android application already does.

"We note the attack in question requires a malicious actor to have physical access to a user's device," they noted. "In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices."

post #2 of 28
1) This isn't good. I don't care if it's because of sloppy coding on the part of FB and Dropbox devs who didn't follow Apple's guidelines; I do expect that Apple's vetting process can look at a plain-text PLIST file for passwords and other sensitive data.

2) For those that want added security, 1Password offers a great way to have hard-to-guess, unique passwords for every site, so even if one was compromised, those with the same password across sites will be better protected.

post #3 of 28
In other news: Losing your driver's license or social security card could lead to identity theft.

Quick. Everyone panic.
post #4 of 28
AAAAAAA(to the tenth power)!!!!!!!!!

Quote:
Originally Posted by Postulant View Post

In other news: Losing your driver's license or social security card could lead to identity theft.

Quick. Everyone panic.
post #5 of 28
So wait, they are not using the Keychain like they are supposed to?
post #6 of 28
Quote:
Originally Posted by crisss1205 View Post

So wait, they are not using the Keychain like they are supposed to?

Correct. This makes me flippin' angry. Dropbox has no excuse for this -- even amateur iOS devs can read a few bits of documentation and use the Keychain to store this stuff. GAH!
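As an added example (not code from the article, Facebook or Dropbox), the plaintext-plist pattern the thread criticizes beside the Keychain storage crisss1205 and yAak point to; the service and account names are hypothetical:

```objc
// Added example, not from the article or the apps it discusses.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// The pattern the article describes: NSUserDefaults writes an unencrypted
// .plist under Library/Preferences, so a filesystem copy of the app's
// container carries the token to any other device.
static void storeTokenInPlist(NSString *token) {
    [[NSUserDefaults standardUserDefaults] setObject:token forKey:@"access_token"];
    [[NSUserDefaults standardUserDefaults] synchronize];
}

// Hardened form: a Keychain generic-password item that is only readable while
// the device is unlocked and is never migrated to a different device from a backup.
static NSDictionary *baseQuery(void) {
    return @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"com.example.app",   // hypothetical identifier
        (__bridge id)kSecAttrAccount: @"access_token",      // hypothetical identifier
    };
}

static BOOL storeTokenInKeychain(NSString *token, NSError **error) {
    NSDictionary *query = baseQuery();
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any earlier token

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    // Bound to this device and to the passcode: unreadable while locked, not restorable elsewhere.
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    if (status != errSecSuccess && error) {
        *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
    }
    return status == errSecSuccess;
}

static NSString *readTokenFromKeychain(void) {
    NSMutableDictionary *query = [baseQuery() mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        return nil;   // errSecItemNotFound, or errSecInteractionNotAllowed while the device is locked
    }
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```

The Keychain item still depends on the user setting a passcode, which is the point ontheinside makes later in the thread about the data protection APIs.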
post #7 of 28
Quote:
Originally Posted by SolipsismX View Post

1)
2) Those that want added security 1Password offers a great way to have hard to guess, unique passwords for every site so even if one was compromised those with the same password across sites will be better protected.

I am a long-time user of 1Password. The iOS version has always been a little awkward. How do you use it? If, say, you browse AI on Safari (iOS) and make a comment, how would you use 1Password? I suspect I go the long route out of habit.
post #8 of 28
Quote:
Originally Posted by paxman View Post

I am a long-time user of 1Password. The iOS version has always been a little awkward. How do you use it? If, say, you browse AI on Safari (iOS) and make a comment, how would you use 1Password? I suspect I go the long route out of habit.

Safari is storing my commonly used passwords, so AI is always logged in. I'm not a big fan of the 1Password in-app browser, so if, for instance, I want to go to my bank website, I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there, but don't save the info.

post #9 of 28
Quote:
Originally Posted by SolipsismX View Post

Safari is storing my commonly used passwords, so AI is always logged in. I'm not a big fan of the 1Password in-app browser, so if, for instance, I want to go to my bank website, I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there, but don't save the info.

Yes, that's how I do it, too. I was hoping you had discovered that the in-app browser was awesome. A real shame it can't work like the OS X version. I read the reason at some point and concluded that I had to live with clunky.
post #10 of 28
Failure to provide physical security does not equal flaws in software or OS security.
post #11 of 28
Quote:
Originally Posted by GQB View Post

Failure to provide physical security does not equal flaws in software or OS security.

They don't equal it, but that doesn't mean there aren't security issues that need to be addressed. Imagine if anyone could log into your Mac/PC and get access to passwords simply because they have physical access. FB and Dropbox need to address this, as well as Apple. I don't want anyone being able to see any personal files on my devices without first knowing my password/PIN or breaking the drive's encryption.

post #12 of 28
This is another scaremongering story which fails to point out that if people secure their iOS device with a passcode, then it won't be accessible to a thief who does not get the passcode. Setting the simple passcode off allows for complex passwords, which makes the data even safer.

Yes, FB and Dropbox should be using the data protection APIs, but they only provide protection with a passcode too. They're just an extra layer of protection, or like a secondary encryption. Users should also be advised to encrypt any iTunes backups. If a thief can't get a hold of your computer, then that eliminates any other back door. A PC-free iOS device with a complex passcode is extremely safe.

Gareth doesn't make it clear as to whether he performed this using a computer that he had previously synced with iTunes. This bypasses the passcode as iTunes knows it. Testing needs to be done on a computer unknown to the device.
post #13 of 28
I cancelled my Facebook account. Yeah! One less person for them to capitalize on. F- Facebook.
post #14 of 28
This is why I use BoxCryptor on my computers and iOS devices. All of my important files are encrypted.

Facebook is quite a challenge to secure though.

Quote:
Originally Posted by SolipsismX View Post

They don't equal it, but that doesn't mean there aren't security issues that need to be addressed. Imagine if anyone could log into your Mac/PC and get access to passwords simply because they have physical access. FB and Dropbox need to address this, as well as Apple. I don't want anyone being able to see any personal files on my devices without first knowing my password/PIN or breaking the drive's encryption.
post #15 of 28
Quote:
Originally Posted by ontheinside View Post

Gareth doesn't make it clear as to whether he performed this using a computer that he had previously synced with iTunes. This bypasses the passcode as iTunes knows it. Testing needs to be done on a computer unknown to the device.

Gareth just updated to confirm passcode-protected iOS devices are safe provided the thief or attacker does not have access to a computer which knows the passcode. One which hasn't synced that iOS device.

Everyone needs to passcode and encrypt their iTunes backups. Plus, put a password on your computer accounts. If possible, encrypt your full drives. If you've got a Mac running Lion, turn on FileVault!
post #16 of 28
Having physical access to ANY device = compromised. Why would anyone be surprised about this? Anytime you lose your smartphone or laptop, your safest bet is to remote wipe it as soon as possible. If you don't, consider your data compromised. It's that easy to gain root access to your devices if they have physical access to it.
post #17 of 28
Quote:
Originally Posted by yAak View Post

Dropbox has no excuse for this --

Which is why I use data locker just as added security. Does data locker have flaws and security holes? Maybe, but I don't lose sleep over it.

I also use 1Password and used to store it on Dropbox, but stopped a few months ago. The info is way too important. I'll wait until things are a bit more secure.
post #18 of 28
Quote:
Originally Posted by SolipsismX View Post

Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.

My bank has an App, I enter a pin and have access.

It's device specific and you have to set it up first, which involves a password sent by SMS.
post #19 of 28
I think I would be more concerned with the loss of my phone. Who cares about Facebook if you also bank using your phone or other financial things. Plus as others pointed out simply using a lock code prevents all this. If someone banks and does other things with their device and fails to lock it, they have far more to worry about.
post #20 of 28
Quote:
Originally Posted by hill60 View Post

My bank has an App, I enter a pin and have access.

It's device specific and you have to set it up first, which involves a password sent by SMS.

My bank has something similar but it requires a password, not a PIN. It doesn't have all the features of the webpage. For instance, I haven't owned checks in years but my bank allows me to, for free, go online and cut a check and they'll mail it.

Still, even with the app I need to access 1Password and copy the password as it's 22 to 32 randomly generated characters.

post #21 of 28
Quote:
Originally Posted by drblank View Post

I cancelled my Facebook account. Yeah! One less person for them to capitalize on. F- Facebook.

NOT! Facebook never cancels an account. It will always remain forever on the Facebook server. I cancelled my account years ago. Used all the tips to permanently delete it. Guess what, Facebook still has it and can activate it. They never delete anything even when they have you think they do delete it. And I highly suspect the data you had as public is still available for the public to find it, since I still find references to the profile page.
post #22 of 28
I try to tell my friends to never use their real first and last name because of potential identity theft, but of course no one worries about such things until it happens.

The details of the user profile can be changed, but not the main username. It is okay, I suppose, if you're a Smith or Jones or any other common name.

Quote:
Originally Posted by ljocampo View Post

NOT! Facebook never cancels an account. It will always remain forever on the Facebook server. I cancelled my account years ago. Used all the tips to permanently delete it. Guess what, Facebook still has it and can activate it. They never delete anything even when they have you think they do delete it. And I highly suspect the data you had as public is still available for the public to find it, since I still find references to the profile page.
post #23 of 28
http://www.appleinsider.com/print/11...s_malware.html
Quote:
Originally Posted by SolipsismX View Post

Still, even with the app I need to access 1Password and copy the password as it's 22 to 32 randomly generated characters.

Do you copy some non-sensitive text after pasting that password, or do you trust there is no clipboard hack around?

Or am I being overly suspicious? I haven't heard of any clipboard hacks, but then again, I didn't know about an address book exploit / auto fill exploit and code signing flaw until I read it here.

Thanks,
Phil
post #24 of 28
Quote:
Originally Posted by PhilBoogie View Post

http://www.appleinsider.com/print/11...s_malware.html

Do you copy some non-sensitive text after pasting that password, or do you trust there is no clipboard hack around?

Or am I being overly suspicious? I haven't heard of any clipboard hacks, but then again, I didn't know about an address book exploit / auto fill exploit and code signing flaw until I read it here.

Thanks,
Phil

Right to the clipboard. It's the only option available. On the PC side 1Password is a little more clever and will remove the clipboard contents after a short interval. Of course, they can't do this with iOS.

I assume that no app still running in the background will get unfettered access to the clipboard. I had thought about recopying the clipboard data to something nonsensical before switching out from the app, but then I realized that the clipboard keeps a fairly long list of the previously used information.

This is one of those things I expect Apple to be looking for when vetting apps for poor security which is why I'm surprised that they allowed plaintext passwords in a PLIST file to begin with.

post #25 of 28
Quote:
Originally Posted by SolipsismX View Post

Right to the clipboard. It's the option available. On the PC side 1Password is a little more clever and will remove the clipboard contents after a short interval. Of course, they can't do this with iOS.

I assume that no app still running in the background will get unfettered access to the clipboard. I had thought about recopying the clipboard data to something nonsensical before switching out of the particular app I'm using the password in, but then I realized that the clipboard keeps a fairly long list of the previous clipboard information.

This is one of those things I expect Apple to be looking for when vetting apps for poor security which is why I'm surprised that they allowed plaintext passwords in a PLIST file to begin with.

This is freaking aces! What an informative post; thanks much!
post #26 of 28
Quote:
Originally Posted by PhilBoogie View Post

This is freaking aces! What an informative post; thanks much!

Update: I'm wrong. It keeps a long list of items to Undo, like typing and such, but it appears to only keep the last item on the clipboard. So that's a good thing. I think I will take that extra step and change my clipboard data before leaving an app I've pasted a password into. Thanks. I wouldn't have considered checking this more thoroughly without your post.

post #27 of 28
Quote:
Originally Posted by SolipsismX View Post

Update: I'm wrong. It keeps a long list of items to Undo, like typing and such, but it appears to only keep the last item on the clipboard.

Hahaha, excelling your excellent post, again, thanks much.
post #28 of 28
You seem to be forgetting that back in 2011 Charlie Miller demonstrated a web only hack that broke out of the Safari sandbox at Pwn2Own.

There are tether-free jailbreaking websites that work by exploiting flaws accessible from web code.

Sure some of the PDF and font exploits that existed in 2011 have since been plugged, but presumably others remain.

Bottom line: if a jailbreaking website can break out of the sandbox and not only access the file system but root the device, it can then sure as hell read .plist files from the file system.

Obviously it's easier if the device is already jailbroken and you have physical access, but that isn't a strict requirement.