Discover which iOS apps store password securely with iOS 6.02 bug

Today’s article is a bit technical because it is related to Information Security. I realized that with lots with hacking incidents worldwide, small businesses are increasingly under the cross-hairs of international cyber criminals. So, I’m covering this area in future. If you think that IT security is not important and that no one will target your business, think again. As this recent 7:30 Report showed (Russian hackers target Australian small business), cyber criminals don’t care who their target are- if they can extort money out of your business, THEY WILL. And make no mistake, they are getting better and more sophisticated as each day passes.

In this article, I will explain how you can exploit what seems to be a bug in the latest iOS 6.02 to find out which of apps in your iPhone/iPad adopt security best practice. NOTE: I’m not an iOS systems programmer. The bug that I’m going to describe is deduced/guessed as an end-user outsider, using my intuition. I’m prepared to be corrected.

INSERT: This post will be updated as I gather more information.

First, I will explain iOS’s keychain security feature. In layperson’s terms, keychain is where apps store information securely. Typically, apps use them to store account passwords (obvious, isn’t it). Without going too much into technical details, keychain impose stringent checks and restriction on which apps can access secret information using sophisticated cryptographic protocols. It is so secure that even if a hacker takes apart your iPhone physically, he can’t retrieve the secret information. Think of keychain as an extremely strong fortified repository for your secret information.

Obviously, app developers who know what they are doing in terms of security will use keychain to store secret information like account passwords. However, some apps don’t utilise iOS’s keychain feature and store such information in insecure locations. This means if there is a security hole in that app, a hacker can potentially steal your secret information.

I discovered what seems to be a bug in Apple’s latest iOS update (6.02). My intuition tells me that this bug seems to lie somewhere in the keychain feature. If my intuition is correct, then you can utilise this bug to find out which apps use keychain to store your secret information and thus, adopt information security best practice.

Here are some of the symptoms of the bug:

iOS Twitter

    1. Go to Settings >;;Twitter and select one of your Twitter account.
    2. You may get a complaint from iOS that your Twitter password is wrong. Enter the correct password and tap on “Done”.
    3. iOS will verify that your Twitter password is correct and return to the Twitter settings screen.
    4. Select your Twitter account again and iOS will immediately forget your Twitter password.

INSERT: It turns out that iOS 6.0.2′s Twitter settings’s username is case-sensitive. Before 6.0.2, the username is not case-sensitive. Now, if you enter the wrong case, the symptom will happen.

WordPress

Account passwords can’t be ‘remembered by the app:

    1. Refresh post list in the app.
    2. WordPress will complain of wrong password.
    3. Enter the correct password.
    4. WordPress will verify that the password is correct and return you to the post list.
    5. Refresh post list and WordPress will complain of wrong password again.

INSERT: I discovered that if the URL of your blog settings is set too ALL CAPS, WordPress will remember your password. This bug seems to be similar to the Twitter issue (see above).

CloudOn

    1. Log into your CloudOn account on the app.
    2. Go to the home screen.
    3. Return to CloudOn.

You will notice that CloudOn ‘forgets’ that you are logged in and return to the pre-signin screen.

Some apps

  1. Go to an app and make sure you are logged in to the app’s account (e.g. ensure that eBay app is logged into your eBay account).
  2. Go to the home screen.
  3. Invoke the multitasking bar (by double-clicking on home button).
  4. Terminate that app (by pressing and holding on the app icon and tap on the terminate mini-icon on the top left). Sometimes, iOS will terminate that app automatically in the background.
  5. Relaunch that app.
  6. The app will ‘forget’ that you’ve already logged in. You will return to the sign in screen of the app.

In all these symptoms, if you notice that the app ‘forgets’ all login credentials (ie ID and password), then I believe it probably uses keychain to store them. If it still remembers them, then it may perhaps mean that it stores them insecurely.

My intuition is that there is probably a bug somewhere in the keychain that prevents the apps from retrieving secret information from it. Hence, it results in all these symptoms. If my intuition is correct, then it may mean that this bug can be used to find out which apps adopt security best practice and which ones don’t. The ones that seem not to trigger this bug include:

  1. eBay
  2. Pinterest
  3. Twitter (if your Twitter app gets its credentials from iOS, then you may see the screen as shown here (this will happen if your iOS’s Twitter username is of the wrong case). But if you enter your password within the app, it will seem to ‘remember’ your password.)
  4. GMail
  5. Google+
  6. LinkedIn
  7. Tapatalk
  8. Facebook (iOS’s Facebook is able to remember passwords)
  9. Skype

Apps that seem to trigger the keychain bug:

  1. Blogger
  2. Seek
  3. CloudOn
  4. Google Currents
  5. WordPress
  6. Photoshop Express
  7. Google Authenticator

INSERT: With these recent testing results, iOS 6.0.2 may introduce case-sensitivity to the keychain API. That may prevent apps from retrieving secret information from the keychain properly, hence the symptoms.

INSERT (24 Dec): Something’s changed today. Blogger, CloudOn, Google Currents and some other apps no longer exhibit this bug. However, Seek and WordPress still exhibit the same problem. Maybe these apps was fixed remotely? I sent Apple feedback yesterday and I knew someone at Google read this article.

INSERT (29 Dec): I noticed that some people cannot connect to Yahoo on their Mail app. Somehow the username/password got rejected.

Can any insider (e.g. someone from Apple or the app developer) give a definitive answer to what seems to be a security bug in iOS 6.02?

Pin It
  • http://www.facebook.com/steve.denn Steve Denn

    Is there any update to this article or any news on iOS 6.0.2?

    • http://estrategypro.com/ eStrategyPro

      No update. I’ve sent Apple a bug report. Talked about it in Google+ communities. Posted in blogs. There don’t seem to be a critical mass of people seeing this as an issue.

      Do you have the same problem?