

Mailbox iOS app is a security fail - subhb
http://subhb.org/2013/04/24/mailbox-ios-app-is-a-security-fail/
Mailbox iOS app is not even using file protection API that iOS SDK provides by default.
======
Samuel_Michon
_“if anyone else can get hold of your phone, he can access to files of those
apps where data is not protected.”_

As always, if someone has physical access and unlimited time, no device or
computer is safe.

Also, Mailbox.app only supports GMail. Security-minded people are obviously
not the target market.

~~~
huskyr
If you get physical access you can also read all the mails in Apple's
Mail.app, or any other app on the device. Maybe not using a tool, but you can
easily read them in the app, forward them, and send fake e-mails using the
account of the user.

(edited to make my point more clear :)

~~~
andyhmltn
Or, you could just... open up Mail.app? and read the emails without a tool
haha.

~~~
huskyr
Yes, that's my point.

------
jder
The original article misses the whole point of the NSFileProtection API: the
strongest level of protection, NSFileProtectionComplete, prevents access to
files _while the device is locked_. The whole point of the API is to protect
things until the user has authenticated. (It's quite possible Mailbox is
already using this API, given the evidence presented.)

In other words, this is the expected behaviour when your phone is unlocked.

See:
[https://developer.apple.com/library/ios/documentation/Cocoa/...](https://developer.apple.com/library/ios/documentation/Cocoa/Reference/Foundation/Classes/NSFileManager_Class/Reference/Reference.html#//apple_ref/doc/constant_group/File_Protection_Values)
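
An added illustration of the API described in the comment above (not part of the thread and not Mailbox's code): writing a file with `NSFileProtectionComplete`, and auditing a directory for files that lack it. The function names `SaveProtected` and `AuditAndUpgrade` are hypothetical.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper: write data so the file is only readable while the
// device is unlocked (protection class NSFileProtectionComplete).
static BOOL SaveProtected(NSData *data, NSString *path, NSError **error) {
    return [data writeToFile:path
                     options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                       error:error];
}

// Hypothetical helper: walk `root` (for example the app's Documents
// directory), collect regular files whose protection class is not
// NSFileProtectionComplete, and upgrade each one in place.
static NSArray *AuditAndUpgrade(NSString *root) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSMutableArray *unprotected = [NSMutableArray array];

    for (NSString *relative in [fm enumeratorAtPath:root]) {
        NSString *path = [root stringByAppendingPathComponent:relative];
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:NULL];

        // Skip directories, symlinks and anything we could not stat.
        if (![attrs[NSFileType] isEqualToString:NSFileTypeRegular]) continue;

        // A missing key is treated the same as a weaker class.
        NSString *protection = attrs[NSFileProtectionKey];
        if ([protection isEqualToString:NSFileProtectionComplete]) continue;

        [unprotected addObject:path];
        [fm setAttributes:@{NSFileProtectionKey : NSFileProtectionComplete}
             ofItemAtPath:path
                    error:NULL];
    }
    return unprotected;
}
```

Files in this class cannot be read or written while the device is locked, so any background work that touches them has to handle the resulting errors. As the comment says, the protection applies only while the device is locked and a passcode is set.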

------
uptown
I'm less concerned about physical access to the device, but more concerned
about third-party services like Mailbox increasing the number of attack
vectors on your inbox. Mailbox has total access to your email account. Now
somebody can either attempt to hack Google's servers, or Mailbox's servers.
It's enough to convince me not to sign-up for their service since email
provides the gateway to virtually everything else.

~~~
jalada
This. Why is no one talking about this massive elephant in the room? Mailbox
wants you to trust it (and its employees) with (reversibly-encrypted? I
haven't used the app but I don't know how it could provide all its features
without this) access to and storage of your Gmail account and all your
emails?! I barely trust Google with that.

This article just helps compound the idea that that trust might be a little
misplaced....

------
nezza-_-
An important fact is wrong: You actually need to unlock the device to access
the data unless the iPhone and the computer were paired before.

~~~
cvursache
Don't have any data on this, but I know a bunch of not-so-tech-savvy people
that don't use lock codes. Their data's then as naked as a Greek nude.

~~~
johansch
If the device is not locked, how about just launching the Mailbox app and
browsing the attachments via its fancy UI? :)

~~~
subhb
On any app that consists of sensitive information, one should probably
implement passcode security on the application itself. Now this might annoy
some users, but if you know you are going to use it for something special, you
won't mind it!

~~~
tmpajk
So therefore, your article could have been titled
"{Mailbox|GMail|iMail|all_other_mail_clients_ever} is a Security Fail!"?

Because as far as I am aware, few mail clients either support or (if they do)
actively encourage an extra password layer, and your users _do not want it_.
Given an average un-password-protected phone, you will be able to read their
email even if they were using the iOS encrypted files framework, just by
opening the app.

I apologize, but it appears that your headline is deliberate sensationalism.
If you want to have a discussion about how we need to secure email apps _in
general_ , I'm interested. If you want to just pick the latest 'big thing' and
take pot shots at it, nah.

~~~
subhb
@tmpajk How does it make Mailbox more secure? Let's talk about the scenario
where you have access to an iPhone for a few minutes. In one case, you can go
through some contents, in another case you can copy all emails and contacts.
My whole point is files or attachments on information on every app that has
sensitive information should be protected. There are various ways to do it on
iOS! One can use keychain to store some secret key and protect these files
using that secret key.

~~~
tmpajk
Where is the key kept then? One possibility, the user has to know it, at which
point we're back to the fact that users don't seem to want a password for their
email app (again, happy to see an interesting post on the generalities of
email app security). The other approach is to store it somewhere on the phone,
at which point connecting the phone to a computer as you describe is still an
attack vector; you just need to find the key.

Of course, I am not highly versed in security, so if there's another option
I'm interested to hear it.

~~~
subhb
One can keep a secret key anywhere other than the Document or Library directory of
such apps. One of the obvious places will be the device keychain.

------
danpalmer
I'd recommend "Hacking and Securing iOS Applications" by O'Reilly. It really
explains well the security and permissions model on the phone.

The argument that 'once you've lost the phone you've lost the data anyway'
isn't really fair. If a passcode is being used, data marked as being a
security concern is protected with the passcode. A 4 digit code is trivial to
brute force, yes, but the point is that it should be done anyway.

Using iExplorer to find files is a lot easier than loading a custom bootloader
on to the phone, booting custom firmware, brute forcing the passcode and
decrypting the files. If anything, the extra time will raise the chance that
you can get to a computer and initiate a remote-wipe.

------
uzyn
This is like telling someone you can access his ~/Documents/ and read the
content of files within when he leaves his laptop unattended and logged in.

~~~
subhb
One needs to handle security differently for mobile devices and for laptops.
When it comes to the example I gave above in one case a person can read the
contents of the files, in another case the same person can copy your entire
content. Now if that's not something to worry about, what is!

~~~
andyhmltn
That's not worrying at all. Considering you need the passcode of the device to
do so. If they have the passcode, or there isn't one, then the attacker can
just open the app and look without extracting the files. These aren't
passwords stored in plaintext. This is plaintext stored in plaintext.

------
bengotow
Mailbox.app is a security concern because it copies all of your Gmail to its
own cloud server, and delivers the email to the app from there. Sure, it's
exposing your emails on the device. I'm more concerned about them exposing
_everyone's_ emails when their cloud platform is exploited.

------
subhb
Can someone verify this with an iOS5 device. On iOS 6.1.3 this doesn't work
anymore though. But someone just claimed this on the blog: "I ran a test using
my iPhone 5 and a computer I’ve never synced with before. I didn’t need to
unlock the phone before getting access to it I don’t believe. I did manage to
browse all my mailbox files."

~~~
mikehotel
You don't need to sync your device to pair it. This someone may have connected
his unlocked device to the computer, which is enough to pair the device. Once
a device is paired, the file system can be browsed regardless of lock status.

I have not tested with a new 6.1.3 device yet, but if true, this would be a
very serious security regression.

------
cheffe
There is a secure store solution available from a company located in Germany.
They call it "Secure Incremental Store" - an enhancement for Core Data.

~~~
subhb
Interesting. But Apple provides protection API for Core Data as well as a part
of their SDK.

~~~
cheffe
Protection API is not enough -> jailbreak. And with device passcode disabled
the door is open.

------
mariusmg
If you lose your phone it's already game over. Here's an idea...if you have
important data that you want to be secure.....DON'T KEEP IT ON YOUR PHONE.

How about that, huh ?

~~~
subhb
How about making it more secure! Won't it solve the problem? It's just not
about Mailbox app it's about all the apps that should protect user's data.
Should they care about their user's data or leave it up to the device to
protect it?

~~~
mariusmg
No. Sorry but encryption doesn't really solve the problem. If you lose the
device with valuable info on it, the info will be recovered even if it's
encrypted.

~~~
AlexandrB
Encryption absolutely solves the problem. Otherwise any kind of online
security would be impossible.

You might need to use an actual strong password though and not the 4 digit
passcode.

