This repository has been archived by the owner on Jun 11, 2024. It is now read-only.
ManuGowda changed the title from "Mobile application does not exclude keychain items from online backups" to "Mobile iOS application does not exclude keychain items from online backups" on Jul 20, 2023.
Description
The lisk-mobile app does not prohibit its keychain items from being saved to an iTunes backup or being uploaded to iCloud. Both Apple, Inc. and any attacker with access to a user's iTunes or iCloud backups will have access to that user's private data.
Recommendation
Short term, explicitly set a ThisDeviceOnly accessibility class (e.g., kSecAttrAccessibleWhenUnlockedThisDeviceOnly or WHEN_UNLOCKED_THIS_DEVICE_ONLY) for all keychain items. This should prevent keychain data from being migrated to iTunes and iCloud backups. Long term, empirically validate that no sensitive data ends up in a backup taken from a device running lisk-mobile.
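As an added example (not lisk-mobile's own code), the following shows how the recommended ThisDeviceOnly class would be passed through react-native-keychain's options, next to the weak options that leave the item eligible for backup, plus a write-path guard that refuses any item whose accessibility class could migrate. The ACCESSIBLE string values, the isDeviceBound/storeSecret names and the injected keychain object are assumptions of this example.

```javascript
// Added example, not lisk-mobile's code. The ACCESSIBLE values below mirror
// react-native-keychain's enum (assumed); the keychain module is injected so
// the guard can be exercised under plain Node without the native library.
const ACCESSIBLE = {
  WHEN_UNLOCKED: 'AccessibleWhenUnlocked',                 // eligible for backup
  AFTER_FIRST_UNLOCK: 'AccessibleAfterFirstUnlock',        // eligible for backup
  WHEN_UNLOCKED_THIS_DEVICE_ONLY: 'AccessibleWhenUnlockedThisDeviceOnly',
  WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: 'AccessibleWhenPasscodeSetThisDeviceOnly',
};

// An item stays out of iTunes/iCloud backups only when its class is one of the
// ThisDeviceOnly variants (kSecAttrAccessible...ThisDeviceOnly on iOS).
function isDeviceBound(accessible) {
  return typeof accessible === 'string' && accessible.endsWith('ThisDeviceOnly');
}

// Weak: no accessibility class is set, so the platform/library default
// applies, and none of those defaults is a ThisDeviceOnly class.
function weakOptions(service) {
  return { service };
}

// Hardened: explicit device-bound class. The passcode-set variant is stricter
// (the item is removed if the passcode is cleared), suitable for signing keys.
function hardenedOptions(service, requirePasscode = false) {
  return {
    service,
    accessible: requirePasscode
      ? ACCESSIBLE.WHEN_PASSCODE_SET_THIS_DEVICE_ONLY
      : ACCESSIBLE.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
  };
}

// Single write path for secrets: throws synchronously before touching the
// keychain if the options would allow the item to be backed up. `keychain`
// is expected to expose setGenericPassword(username, password, options).
function storeSecret(keychain, service, username, secret, opts = hardenedOptions(service)) {
  if (!isDeviceBound(opts.accessible)) {
    throw new Error(`refusing to store ${service}: accessibility "${opts.accessible}" allows backup`);
  }
  return keychain.setGenericPassword(username, secret, opts);
}

module.exports = { ACCESSIBLE, isDeviceBound, weakOptions, hardenedOptions, storeSecret };
```

In the app this would be called as `storeSecret(require('react-native-keychain'), 'lisk-passphrase', account, passphrase)`, so every keychain write goes through the guard.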
References
https://developer.apple.com/documentation/security/keychain_services
https://github.com/oblador/react-native-keychain#keychainaccessible-enum
Steps to reproduce
Alice gains physical access to Bob’s phone and knows his passcode. She initiates a backup of Bob’s phone to iTunes and extracts all the lisk-mobile sensitive keychain data. Alternatively, Alice identifies user email addresses and then uses a previously disclosed password database to guess their current iCloud passwords. She retrieves iCloud backups that contain sensitive lisk-mobile keychain data from a large number of users.