The Mailbox security fail that wasn’t

A few days ago it was reported that the popular Mailbox app was falling short on protecting user data. Developer Subhransu Behera published a post on his blog outlining what he considered to be security failures on the part of Mailbox.

Using iExplorer, Subhransu was able to extract the SQLite database out of Mailbox and view its contents, which consisted of all of the contact information and emails from the app. The conclusion to the article was the belief that Mailbox needs to be doing more to secure this user data, specifically by employing methods in the iOS SDK which would prevent being able to access this data with tools like iExplorer. After being posted on Hacker News, a number of people reported trouble reproducing Subhransu’s results.

This isn’t the first time we’ve seen confusion about this sort of thing. Not too long ago there was a lot of fuss about an iOS lock screen bypass bug that exposed the device’s filesystem. It turned out that claim wasn’t at all accurate. The cause of confusion over that lock screen bypass may be the same source of the confusion here.

When you plug your iPhone, iPad or iPod touch into your computer for the first time, the device will exchange keys with the computer that allow the two devices to talk to each other. If you have a passcode on your device the first time you plug it into your computer, iTunes will give you an alert message saying you need to enter your passcode on the device first. This is because the device’s contents are encrypted and iTunes (or any other app for that matter) has no way to read the contents of the device. Once you enter your passcode, your device and computer can exchange keys as mentioned above and only then are they able to start communicating. These keys mean that even if the device is locked in the future, if you plug it into that same computer, iTunes (along with other apps) can still communicate with the device.

This can cause some confusion when somebody plugs a locked device into a computer it has previously been plugged into. The misconception is that because a locked device is plugged into a computer and the contents of the device are readable, the contents of that device would be readable on any computer that the device is plugged into; but this is not reality. If you were to lose your phone on the street, then somebody else picked it up, took it home, plugged it into their computer and fired up iExplorer, they would just see a screen telling them to plug in a device. iExplorer has no way to talk to that device until the device has been unlocked, plugged into the computer, and the keys have been exchanged. You can reproduce this behavior on a computer that the device has already been plugged into by going to the '/private/var/db/lockdown' directory on the computer ('%AllUsersProfile%\Apple\Lockdown\' in Windows) and deleting the plist file in that directory that has your device's UDID in the filename.
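As an added example that is not from the original article, the following POSIX shell script performs the pairing-record removal described above in a way you can dry-run first. It assumes only what the article states: pairing records live in a lockdown directory and are named after the device UDID. The directory it operates on is a constructed temporary one (built by `make_demo_dir` with fake UDIDs), so nothing on your system is touched; to apply it for real you would pass `/private/var/db/lockdown` (or the Windows path from the article) as the directory argument.

```shell
#!/bin/sh
# Added example (not part of the original article). Lists and revokes the
# lockdown pairing record for a given device UDID. Everything below runs
# against a constructed temporary directory unless you pass a real one.

# find_pairing_record DIR UDID
# Prints the path of the pairing record for UDID; returns 1 if none exists.
find_pairing_record() {
    dir="$1"; udid="$2"
    f="$dir/$udid.plist"
    if [ -f "$f" ]; then
        printf '%s\n' "$f"
        return 0
    fi
    return 1
}

# revoke_pairing DIR UDID
# Deletes the pairing record so the computer must re-pair (device unlocked,
# passcode entered) before it can read the device again. Returns 1 if there
# was no record to remove, so a typo in the UDID is not silently ignored.
revoke_pairing() {
    f=$(find_pairing_record "$1" "$2") || return 1
    rm -f "$f"
}

# count_records DIR
# Counts only UDID-named records (40 hex chars, or the newer 8-16 hex form),
# leaving any other plist in the directory out of the count.
count_records() {
    ls "$1" | grep -Ec '^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{8}-[0-9A-Fa-f]{16})\.plist$'
}

# make_demo_dir
# Builds a constructed stand-in for the lockdown directory: two fake pairing
# records plus an unrelated plist that must survive a revoke. The UDIDs are
# made up for this example and are not real devices.
make_demo_dir() {
    d=$(mktemp -d)
    for u in 0123456789abcdef0123456789abcdef01234567 \
             fedcba9876543210fedcba9876543210fedcba98; do
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n' \
            > "$d/$u.plist"
    done
    printf '<plist version="1.0"><dict/></plist>\n' > "$d/other.plist"
    printf '%s\n' "$d"
}

# Usage (dry run against the constructed directory):
#   D=$(make_demo_dir)
#   count_records "$D"                          # 2
#   revoke_pairing "$D" 0123456789abcdef0123456789abcdef01234567
#   count_records "$D"                          # 1
#   rm -rf "$D"
```

Listing the directory before and after with `count_records` is the check worth doing on a real machine: the number of UDID-named records should drop by exactly one, and unrelated files in the directory should be untouched.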

This of course raises the question of what about a device that doesn't have a passcode? While it's true that somebody could copy the SQLite database off in that scenario, it's also true that the person could just launch the Mailbox app and view the same information in the app itself. Mailbox could provide a little extra protection by encrypting the locally stored database. This would provide an extra level of protection for users so that in the event that an attacker momentarily had access to an unlocked device, they could not just copy the database off, allowing them to take their time looking through it later. However, it's debatable if not having such a protection qualifies as a security fail. And it's certainly questionable if it warrants deleting the app off of your device as Subhransu did. Especially in a case where you've trusted a third-party service with accessing your email accounts and storing your email on their servers in the first place.

Not to mention that Gmail’s own iPhone app stores cached email in pretty much the same way.