The Mailbox security fail that wasn’t

A few days ago it was reported that the popular Mailbox app was falling short on protecting user data. Developer Subhransu Behera published a post on his blog outlining what he considered to be security failures on the part of Mailbox.

Using iExplorer, Subhransu was able to extract the SQLite database out of Mailbox and view its contents, which consisted of all of the contact information and emails from the app. The conclusion to the article was the belief that Mailbox needs to be doing more to secure this user data, specifically by employing methods in the iOS SDK which would prevent being able to access this data with tools like iExplorer. After being posted on Hacker News, a number of people reported trouble reproducing Subhransu’s results.

This isn’t the first time we’ve seen confusion about this sort of thing. Not too long ago there was a lot of fuss about an iOS lock screen bypass bug that exposed the device’s filesystem. It turned out that claim wasn’t at all accurate. The cause of confusion over that lock screen bypass may be the same source of the confusion here.

When you plug your iPhone, iPad or iPod touch into your computer for the first time, the device will exchange keys with the computer that allow the two devices to talk to each other. If you have a passcode on your device the first time you plug it into your computer, iTunes will give you an alert message saying you need to enter your passcode on the device first. This is because the device’s contents are encrypted and iTunes (or any other app for that matter) has no way to read the contents of the device. Once you enter your passcode, your device and computer can exchange keys as mentioned above and only then are they able to start communicating. These keys mean that even if the device is locked in the future, if you plug it into that same computer, iTunes (along with other apps) can still communicate with the device.

This can cause some confusion when somebody plugs a locked device into a computer it has previously been plugged in to. The misconception is that because a locked device is plugged into a computer and the contents of the device are readable, that the contents of that device would be readable on any computer that the device is plugged in to; but this is not reality. If you were to lose your phone on the street, then somebody else picked it up, took it home, plugged it into their computer and fired up iExplorer, they would just see a screen telling them to plug in a device. iExplorer has no way to talk to that device until the device has been unlocked, plugged into the computer, and the keys have been exchanged. You can reproduce this behavior on a computer that the device has already been plugged into by going to the '/private/var/db/lockdown' directory on the computer ('%AllUsersProfile%\Apple\Lockdown\' in Windows) and deleting the plist file in that directory that has your device’s UDID in the filename.

This of course raises the question of what about a device that doesn’t have a passcode? While it’s true that somebody could copy the SQLite database off in that scenario, it’s also true that the person could just launch the Mailbox app and view the same information in the app itself. Mailbox could provide a little extra protection by encrypting the locally stored database. This would provide an extra level of protection for users so that in the event that an attacker momentarily had access to an unlocked device, they could not just copy the database off, allowing them to take their time looking through it later. However, it’s debatable if not having such a protection qualifies as a security fail. And it’s certainly questionable if it warrants deleting the app off of you device as Subhransu did. Especially in a case where you’ve trusted a 3rd party service with accessing your email accounts and storing your email on their servers in the first place.

Not to mention that Gmail’s own iPhone app stores cached email in pretty much the same way.