iOS Security Details

This article is a supplement to our document on sync security, which should be read in its entirety before exploring the issues here. It discusses some specific “attacks” on iOS security that have been reported. We have designed 1Password so that these have no impact on the security of your 1Password data. However, because our users are correctly vigilant about security issues, we would like to discuss some of them.

Attacks on encrypted iOS backups

As described in our sync security document, encrypted data on your device, including iOS keychain data, depends in part on a hardware key built into your device. When iTunes on your Mac or PC makes a backup of your device data, it all remains encrypted with the hardware key. This means that such data cannot be decrypted from that backup on anything other than your iOS device.

Starting with iOS 4, Apple introduced an exception to this so that people could, under limited circumstances, migrate all of their data (all apps and their data) from one iOS device to another. These backups, designed for migration, do not have their data encrypted using the device hardware key. To create such a backup, the user must choose to encrypt their device backup within iTunes. This kind of backup will be encrypted with a password that the user sets in iTunes, but the internal data (including keychain data) will no longer be encrypted using a device hardware key.

This design decision, needed to allow migration, has been characterized by some as a security vulnerability. Elcomsoft has already produced software that attacks the password a user may pick to encrypt the device backup. Once that password is broken, the software can extract information from iOS keychains. Here is an excerpt from Elcomsoft’s FAQ:

If a backup is not password-protected, the keychain is encrypted using “hardware” keys stored in the iPhone and not accessible from the outside.

If a backup is password-protected, the keychain is encrypted using software keys that are generated from the backup password. As a result, you can restore such backups to any device, and keychain information will be restored as well.

Starting with 1Password 3.5.5 for iOS, we do not allow the Dropbox and 1Password credentials in our iOS keychain to be migratable. So an attack of the sort described would never reach the data stored in the iOS keychain, because that data would never leave your device.
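An added example, not 1Password's own code: one way an iOS app can keep a keychain item out of migratable backups is to store it with one of Apple's "ThisDeviceOnly" accessibility classes, and then check the class on the stored item. The service name and function names below are hypothetical, and the article does not say which mechanism 1Password uses.

```swift
import Foundation
import Security

// Hypothetical service name used only for this example.
let exampleService = "com.example.sync-credential"

enum KeychainError: Error { case status(OSStatus), unexpectedData }

/// Stores a secret that is readable only while the device is unlocked and
/// is not restored onto a different device, even from an encrypted backup.
func storeDeviceOnly(secret: Data, account: String) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account
    ]
    // Remove any earlier copy, which may carry a migratable accessibility class.
    let deleted = SecItemDelete(base as CFDictionary)
    guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
        throw KeychainError.status(deleted)
    }
    var item = base
    item[kSecValueData as String] = secret
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let added = SecItemAdd(item as CFDictionary, nil)
    guard added == errSecSuccess else { throw KeychainError.status(added) }
}

/// Returns true if the stored item uses one of the ThisDeviceOnly classes.
func isDeviceOnly(account: String) throws -> Bool {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let attrs = result as? [String: Any],
          let accessible = attrs[kSecAttrAccessible as String] as? String else {
        throw KeychainError.unexpectedData
    }
    let deviceOnly = [kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                      kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
                      kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly].map { $0 as String }
    return deviceOnly.contains(accessible)
}
```

Items written before such a change keep their old accessibility class until they are rewritten, which is why the example deletes and re-adds the item.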

For confidential data other than 1Password you should be very careful about making encrypted device backups. Encrypting actually weakens the overall security of the data stored within the backup. It may have been wiser for Apple to have used the term “transferable backup” instead of “encrypted backup.” If you do make an encrypted backup, use 1Password’s strong password generator to create the password for that backup.

Jailbreaks

Jailbreaking an iOS device allows an attacker to bypass some of the defenses built into iOS. But without your device unlock code, the information that 1Password stores in your iOS keychain remains safe from attackers. We have also put in an additional encryption layer, so that even if an attacker jailbreaks your device and gets hold of your device passcode, they will not be able to get at the data stored by 1Password in the iOS keychain.

Without your 1Password master password an attacker will not be able to decrypt your 1Password data.

See this posting on our blog for more discussion.

Smudge attacks

Researchers have discovered that it is often possible to recover a four-digit device unlock code from the pattern of smudges on a phone. Because fingers are often in motion when entering such a code, it is possible to determine the actual sequence of numbers. The experiments weren’t conducted on iPhones, but there is every reason to expect that the results would be similar to those for the devices tested. An article in the Register describes the research, or you may read the original research report (PDF).

Cleaning your phone screen frequently is certainly one way to reduce the risk of this kind of attack. Another way to hamper a smudge attack is to use a different four-digit device unlock code than your four-digit 1Password for iPhone unlock code. Finally, you can go beyond a four-digit code for your device by going to Settings > General > Passcode Lock and switching “Simple Passcode” to OFF.