This repository has been archived by the owner on Jun 11, 2024. It is now read-only.

Mobile iOS application does not exclude keychain items from online backups #1884

Closed
Tracked by #1368
ManuGowda opened this issue Jun 26, 2023 · 0 comments

Comments


ManuGowda commented Jun 26, 2023

Description

The lisk-mobile does not prohibit its keychain items from being saved to an iTunes backup or being uploaded to iCloud. Both Apple, Inc. and any attacker with access to a user’s iTunes or iCloud backups will have access to that user’s private data.

Recommendation

Short term, explicitly set a ThisDeviceOnly accessibility class (e.g., kSecAttrAccessibleWhenUnlockedThisDeviceOnly or WHEN_UNLOCKED_THIS_DEVICE_ONLY) for all keychain items. This should prevent keychain data from being migrated to iTunes and iCloud backups. Long term, empirically validate that no sensitive data is stored to a backup of the lisk-mobile.

References

https://developer.apple.com/documentation/security/keychain_services
https://github.com/oblador/react-native-keychain#keychainaccessible-enum

Steps to reproduce

Alice gains physical access to Bob’s phone and knows his passcode. She initiates a backup of Bob’s phone to iTunes and extracts all the lisk-mobile sensitive keychain data. Alternatively, Alice identifies user email addresses and then uses a previously disclosed password database to guess their current iCloud passwords. She retrieves iCloud backups that contain sensitive lisk-mobile keychain data from a large number of users.
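
An added example of the short-term recommendation above, not code from lisk-mobile or react-native-keychain: a small wrapper that refuses to write a keychain item unless its accessibility class is one of the ThisDeviceOnly variants, plus an audit helper for the long-term check. The enum string values (assumed to mirror react-native-keychain's ACCESSIBLE enum) and the injected `keychain` parameter are assumptions made so the wrapper can be exercised without a device.

```javascript
// Accessibility classes, assumed to match the string values react-native-keychain
// passes through to kSecAttrAccessible. Only the *ThisDeviceOnly classes keep the
// item out of iTunes/iCloud backups (it is never migrated to another device).
const ACCESSIBLE = {
  WHEN_UNLOCKED: 'AccessibleWhenUnlocked',
  AFTER_FIRST_UNLOCK: 'AccessibleAfterFirstUnlock',
  ALWAYS: 'AccessibleAlways',
  WHEN_PASSCODE_SET_THIS_DEVICE_ONLY: 'AccessibleWhenPasscodeSetThisDeviceOnly',
  WHEN_UNLOCKED_THIS_DEVICE_ONLY: 'AccessibleWhenUnlockedThisDeviceOnly',
  AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY: 'AccessibleAfterFirstUnlockThisDeviceOnly',
  ALWAYS_THIS_DEVICE_ONLY: 'AccessibleAlwaysThisDeviceOnly',
};

// A class is backup-safe only if it is a ThisDeviceOnly variant.
function isDeviceOnly(accessible) {
  return typeof accessible === 'string' && accessible.endsWith('ThisDeviceOnly');
}

// Store a secret, forcing a non-migrating class. `keychain` is injected (the
// imported react-native-keychain module in the app, a fake in unit tests) so
// the policy check can be verified off-device. The check runs synchronously,
// before the native call, so a misconfigured caller fails fast.
function storeSecret(keychain, service, username, password, options = {}) {
  const accessible = options.accessible ?? ACCESSIBLE.WHEN_UNLOCKED_THIS_DEVICE_ONLY;
  if (!isDeviceOnly(accessible)) {
    throw new Error(`refusing backup-migratable keychain class: ${accessible}`);
  }
  // Same call signature as react-native-keychain's setGenericPassword (assumption).
  return keychain.setGenericPassword(username, password, { ...options, service, accessible });
}

// Audit helper for the long-term recommendation: given the accessibility classes
// actually in use (e.g. collected during code review or from a test device),
// return those whose items would be included in a backup.
function findMigratableClasses(classesInUse) {
  return classesInUse.filter((c) => !isDeviceOnly(c));
}
```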

@sridharmeganathan sridharmeganathan added this to the Sprint 67 milestone Jul 3, 2023
@Balanced02 Balanced02 self-assigned this Jul 3, 2023
@ManuGowda ManuGowda changed the title Mobile application does not exclude keychain items from online backups Mobile iOS application does not exclude keychain items from online backups Jul 20, 2023