How safe is your iPhone data?
by Jürgen Schmidt
This article was originally published by the German c't magazine.
The greatest current risk for iPhone owners is not viruses or malicious web pages, it is the danger that the phone might fall into someone else's hands. Although iPhones do offer elaborate security mechanisms, these mechanisms won't stand up to an imaginative hacker.
At worst, losing an iPhone also means losing all the data stored on it. And the data won't just be gone – it could also be in someone else's hands. This doesn't only affect such readily accessible things as address book entries or stored documents, it also includes passwords and other access codes. For instance, a brief inspection of an iPhone that had been in use for about a year produced various long-forgotten Wi-Fi passwords and the access credentials for email, Facebook, eBay and other accounts.
Since the iPhone 3GS, all device data has been hardware-encrypted using 256-bit AES in cipher-block chaining mode. However, this practically uncrackable encryption does not by itself protect users' data, because it presents no access hurdle: the keys are all stored on the device and, in regular operation, the system decrypts all data transparently.
Getting more secure
The H also has three tips to help you secure your iPhone or iPad more effectively; as this article shows, it won't be an unbreakable data vault, but the tips will make life harder for people who want to get their hands on your personal information.
The hardware encryption exists mainly so that the system can erase the flash memory very quickly by discarding the keys. As the encryption can't be cracked without the keys, the remaining ciphertext can safely be regarded as illegible junk.
This means that the passcode lock is the main barrier between the iPhone data and a thief, a random finder, or a criminal investigator with a search warrant. If a user has enabled it, that is – it is disabled by default. Without the passcode, emergency calls are the only thing that's still available on a locked iPhone; there is no access to the user interface or any other functions. A locked iPhone will even refuse to cooperate, and will demand the passcode, if someone attempts to synchronise it via iTunes with a PC or Mac that it has never been synchronised with before.
However, the passcode lock does even more. Since iOS 4, the passcode is also incorporated into the encryption of specially protected data. This means that the data is no longer accessible when the phone is locked; only entering the passcode will make it legible. Unlike locking the user interface and sync access, this protective mechanism cannot be bypassed by circumventing the system software. Without the passcode, the plaintext data simply isn't available.
However, this feature requires the developers of apps which handle sensitive data to set special options when creating their objects. For instance, files can be created with the NSFileProtectionComplete attribute; any subsequent attempt to access the file while the device is locked will then fail with an error. Similarly, access to keychain items can be restricted via kSecAttrAccessible* attributes such as AfterFirstUnlock or WhenUnlocked.
This method is not only used for the files in the mail folder's offline cache at /private/var/mobile/Library/Mail/, it also protects the password for accessing the email account, which only becomes available once the phone is unlocked – in other words, once the passcode has been entered at least once after booting. Some third party apps also use this option to provide extra protection for such data as online access credentials.
Keychain item | Accessibility attribute
iTunes Backup Password | WhenUnlockedThisDeviceOnly
Device Certificate & Private Key | AlwaysThisDeviceOnly
Sadly, however, such apps are the rare exception, because these protective mechanisms require program changes that not only set the appropriate access options but also handle situations in which the program is refused access to its own data. To make matters worse, an app that uses them will no longer run on older devices with iOS 3.
Even Apple has so far only made the effort for its email app – and has half-heartedly restricted it to IMAP and POP accounts. When using the Exchange interface, which is popular in corporate environments, items such as the access data in the keychain are still unprotected. Incidentally, the same applies to the access credentials for Wi-Fi, VPN and LDAP/CalDAV/CardDAV connections.
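As an added example (not code from the article or from Apple), the two mechanisms described above in Objective-C: writing a file with NSFileProtectionComplete and storing a credential with a restricted kSecAttrAccessible class, together with the handling an app needs when it is refused access to its own data while the device is locked. The service and account names are constructed, and the mapping of a refused file read to NSFileReadNoPermissionError is an assumption.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed identifiers for the demo; the secret passed in is a placeholder.
static NSString * const kDemoService = @"example.mail.account";
static NSString * const kDemoAccount = @"user@example.com";

// Write a file whose contents are decryptable only while the device is unlocked.
BOOL writeProtectedFile(NSString *path, NSData *payload, NSError **error) {
    return [payload writeToFile:path
                        options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                          error:error];
}

// Read it back. While locked the open is refused (assumed to surface as
// NSFileReadNoPermissionError); treat that as "unavailable", not as lost data.
NSData *readProtectedFile(NSString *path, BOOL *lockedOut) {
    NSError *error = nil;
    NSData *data = [NSData dataWithContentsOfFile:path options:0 error:&error];
    *lockedOut = (data == nil && [error.domain isEqualToString:NSCocoaErrorDomain]
                  && error.code == NSFileReadNoPermissionError);
    return data;
}

// Attributes that identify the keychain item (shared by add, delete and lookup).
static NSMutableDictionary *credentialQuery(void) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kDemoService,
               (__bridge id)kSecAttrAccount: kDemoAccount } mutableCopy];
}

// Store a credential restricted to WhenUnlockedThisDeviceOnly, the class the
// table above lists for the iTunes backup password.
OSStatus storeCredential(NSString *secret) {
    SecItemDelete((__bridge CFDictionaryRef)credentialQuery());   // replace earlier copy
    NSMutableDictionary *item = credentialQuery();
    item[(__bridge id)kSecValueData]      = [secret dataUsingEncoding:NSUTF8StringEncoding];
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Fetch it again; errSecInteractionNotAllowed means the lock state forbids access.
NSString *loadCredential(OSStatus *status) {
    NSMutableDictionary *query = credentialQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    CFTypeRef result = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (*status != errSecSuccess) return nil;   // caller inspects *status
    return [[NSString alloc] initWithData:(__bridge_transfer NSData *)result
                                 encoding:NSUTF8StringEncoding];
}
```

An app that caches the credential in memory must also discard that copy when the device locks, otherwise the keychain restriction protects only the stored copy.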