Mailbox iOS App is a Security Fail

Posted: April 24, 2013 in iOS Development, iOS Security, Tools
Tags: , ,

# Update 1

After posting this on HackerNews some developers / users feel my hypothesis is wrong and one can not repeat the steps below without having physical access to an user’s phone or locked devices. I agree to this. I also need to check for on which iOS version this is secure. Because as per as I remember, this is definitely doable in earlier version of iOS. But the original problem still remains same. These files are unencrypted and unprotected and one can copy your entire mail contents if he/she has access to your phone.

File Protection API won’t be enough to protect data for unlocked phones. For which one might require to encrypt documents or files with a key and the key being stored in some secure location.

I am building some concept apps to try out few things. Stay tuned …

Last year I developed immense interest in iOS app security and discovered many interesting facts and tools about the same that I presented in my talk in GeekCamp.sg

I love iOS apps and developers. And it’s the apps that I love motivates me to write better codes. However, Mailbox is an exception. I like the UX of this application but I dislike its data protection approach more. As a matter of fact, there’s no data protection at all.

Apple discussed about “Protecting the User’s Data” in WWDC session 714. There you can get to know about all the data and file protection APIs a developer gets out of the box from their SDK.

Tools I used to extract the information

I used iExplorer, which is a tool that lets users to transfer music, movies and playlists from any iDevices to computers and iTunes. But wait it gives you more, it gives you access to an application’s Document and Library directories on your devices. These are the usual places, where iOS developers store their database, plist files or other resource files and can be extracted to a system if device is stolen. You don’t need to jailbreak the device, you do not even need to unlock the device.

So if anyone else can get hold of your phone, he can access to files of those apps where data is not protected.

Information that I got from Mailbox app

On top level of the Documents directory there’s a folder called ‘Attachments‘. It consists of all the attachments that I received or sent. Be it a source code of some app, my bank statements or some confidential information. All these files are there unencrypted and unprotected, ready to be stolen if you lose your phone for some reason!

attachment

The same folder consists of a sqlite file which contains your email contacts, actual email contents and more.

db

One can just use any SQlite manager tool to open this file and see contents of it. There’s a table called ‘ZORCONTACT’ that contains details of your contacts and another table called ‘ZORITEM’ that contains details of your emails. Depending on what you do with your emails, this can be pretty scary!

email_body

How Mailbox can improve

Now for an app that I waited almost a month to get my hands on, I expect more.  I do not know if Mailbox is already working on adding these security features or not but this is something they should to retain their users. It’s all about adding few extra lines of codes to their iOS app to increase the security level. iOS SDK gives a developer a list data protection APIs (as displayed in the image below) for protecting documents, database and other sensitive files that consists of confidential information about your users. I would love to try my hands on a better Mailbox iOS app, that is more secure. Until then I have deleted my accounts from Mailbox.

data_protection_api_list

About these ads
Comments
  1. Shooshka says:

    I’ve actually already removed it (after on week of usage) and switched back to the Gmail app. Mailbox UX is not really that great.

  2. Subh says:

    @Shooshka, deleting the app is not a ideal solution for users who love the app. Because, they might have to be in the “wait queue” again before they can use. I will love to see an improved version of this app.

  3. […] Mailbox blijkt contactgegevens, e-mailberichten en bijlagen onbeschermd op te slaan. Dit ontdekte app-ontwikkelaar Subhransu Behera. Gebruik je een programma zoals iExplorer, dan kun je de […]

  4. Are you able to browse it with iExplorer on a Mac that have not been previously used to sync the iPhone? and did you setup passcode lock for your iPhone? is the iPhone screen unlocked when you browsing those file?

  5. […] how Subhransu Behera starts his post explaining that if you are a Mailbox app user, all it takes for important […]

  6. volkspost says:

    Same with the 15$ App Mail Pilot by the way

  7. volkspost says:

    To add to my post. Dats is sitting unencrypted in /Documents/Kiwi.sqlite

  8. Chris Shepherd says:

    I ran a test using my iPhone 5 and a computer I’ve never synced with before. I didn’t need to unlock the phone before getting access to it I don’t believe. I did manage to browse all my mailbox files. However, mailbox is not an exception, it’s simply in the majority. Other apps I tested including dropbox was the same. Not to say that it’s less important, just that other apps are in a similar situation

    • Subh says:

      @Chris which iOS version you are having? May not be true for the latest version.

      • cgarvey says:

        Using iOS 6.1.3 (never jail-broken), I can mount the phone in the locked state, and acess the OR*.sqlite file, giving me full access to the database (including unencrypted contacts, and mail contents, as you describe).

        I.e. I don’t need to unlock the device, and I don’t need anything fancy (other than a USB cable). This is on a Ubuntu machine, so no iTunes to cache my credentials, etc.

  9. […] Link: Mailbox iOS App is a Security Fail (Being a dream walker) […]

  10. Troy Austin says:

    I don’t see the merit in this as a story. At best, this seems an effort at sensationalism. More comments here http://9to5mac.com/2013/04/24/mailbox-app-leaves-contacts-email-content-and-attachments-exposed cover this pretty well.

  11. TJ says:

    Just the fact that your email goes through a third party so that Mailbox can push it on your phone is a huge security hole in itself unless you trust the third party as much as your email provider. This problem is a little less important now that the company has been acquired but how do you know if your email is stored and transmitted securely to your device?

  12. Kartik says:

    So, instead of not losing the phone or using a passcode which lets me wipe the device your suggestion is to not use Mailbox?? Seriously? If I have access to a device that is unprotected there are far easier ways of accessing this information. One of them is to simply read all of it directly off the phone.
    C’mon!! Stop dissing an app when the fault lies with the owner of a device who doesn’t secure it.

    • Subh says:

      @Kartik, My whole point is when you are using an App where they are dealing with data that might confidential, it is the app’s responsibility to encrypt / secure the data. And why not, when it’s literally possible! It is possible to jailbreak a device without even unlocking it, what will happen then? Data protection API even protects that (as long as the device is locked), if the device is not locked then a better level of data protection mechanism is required !

  13. chilik says:

    nice article, you may want to use iNalyzer open source and free framework for iOS app pen-testing. i think you will find it valuable for any blackbox testing of an iOS app.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s