BiteSMS Pin Security Flaw


wrxratd 6 post(s)

Here is something i read that i think should jump to top of list to be fixed/added to biteSMS

Source – http://willstrafach.tumblr.com/post/766474676/b…

Bypassing the biteSMS PIN lock

For some reason, biteSMS thought it would be a good idea to store the PIN of its users in complete plaintext in its preferences plist file. I tried to give them some suggestions, such as at least using the keychain, but they would have none of it. When I tried to tell them that doing so would at least be a step in the right direction, they demonstrated that they clearly have no idea what I am talking about, because deleting the preferences property list would not magically delete the Keychain, as they seem to be suggesting. Currently though, not only can someone delete that property list to bypass the PIN, but they can also read the property list to find out what your PIN is, which is potentially worse than just bypassing it if you use that code for anything else. Additionally, they could SHA1 the PIN, and use that as a key to encrypt messages in the SMS database, so that even if a person got root access to the device they couldn’t recover any of the messages without the user’s PIN. I don’t know, I don’t work for them, so figuring out an exact solution isn’t my job. What I do know, though, is that storing a PIN in the biteSMS preference property list is a terrible idea. A malicious person could create a trojan-ed Cydia package that reads the file and sends them back your PIN if they wanted. They could also write a malicious Cydia application that displays the user’s PIN on screen, install it onto someone’s phone (if someone has biteSMS they probably have Cydia), uninstall it after memorizing the PIN, and then be able to read the owner’s text messages without him/her knowing about it at all. They could also delete the property list to bypass the PIN entirely, but that’s not as bad, because the owner would at least know they’d been compromised at that point.

Hopefully biteSMS addresses this issue soon. If you’d like to check for yourself, since there is no app written to dump the PIN (yet), you can just use SSH or iPHUC for now to check in ~/Library/Preferences/ on your device for the biteSMS preference file; lo and behold, the PIN will be there in plaintext.
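As an added illustration (this is editor-written example code, not code from the post, from biteSMS, or from the linked article), the two storage patterns the post contrasts are shown side by side in Python, using the standard-library `plistlib` so the output is a real property list. The preference key names (`pin`, `pinSalt`, `pinHash`, `pinIterations`), the sample PIN `1234`, and the choice of PBKDF2-HMAC-SHA256 with a random per-device salt are all assumptions made for the example; the hardened variant also treats a missing or malformed preference file as "locked", so deleting the file no longer disables the lock.

```python
import hashlib
import hmac
import os
import plistlib
from typing import Optional

# Constructed sample PIN of the kind the thread discusses; not a real user's value.
SAMPLE_PIN = "1234"

# Assumed work factor for the hardened variant. A 4-digit PIN has only 10,000
# candidates, so the iteration count is what makes an offline guess expensive.
PBKDF2_ITERATIONS = 200_000


def plaintext_prefs(pin: str) -> bytes:
    """The weak pattern described in the post: the PIN is written into the
    preferences plist as-is, so anyone who can read the file has it."""
    return plistlib.dumps({"pinLockEnabled": True, "pin": pin})


def read_plaintext_pin(prefs: bytes) -> str:
    """Shows why the weak pattern is a problem: reading the file is enough."""
    return plistlib.loads(prefs)["pin"]


def hardened_prefs(pin: str, salt: Optional[bytes] = None) -> bytes:
    """Hardened pattern (assumption, not biteSMS's code): store only a random
    salt and a PBKDF2-HMAC-SHA256 digest of the PIN, never the PIN itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return plistlib.dumps({
        "pinLockEnabled": True,
        "pinSalt": salt,
        "pinHash": digest,
        "pinIterations": PBKDF2_ITERATIONS,
    })


def verify_pin(prefs: Optional[bytes], candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time.
    Fails closed: a missing or malformed preference file never unlocks."""
    if prefs is None:
        return False
    try:
        record = plistlib.loads(prefs)
        salt, stored, iterations = record["pinSalt"], record["pinHash"], record["pinIterations"]
    except (plistlib.InvalidFileException, KeyError, TypeError):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(digest, stored)


def pin_lock_required(prefs: Optional[bytes]) -> bool:
    """Fail-closed policy for the deletion case the post describes: if the
    preference file is gone or unreadable, the lock stays on."""
    if prefs is None:
        return True
    try:
        return bool(plistlib.loads(prefs).get("pinLockEnabled", True))
    except plistlib.InvalidFileException:
        return True


def prefs_leak_pin(prefs: bytes, pin: str) -> bool:
    """Defender check against a serialized XML plist: does the PIN appear
    verbatim as a <string> element?"""
    return f"<string>{pin}</string>".encode() in prefs


if __name__ == "__main__":
    weak = plaintext_prefs(SAMPLE_PIN)
    print("plaintext plist exposes PIN:", read_plaintext_pin(weak))

    strong = hardened_prefs(SAMPLE_PIN)
    print("hardened plist leaks PIN string:", prefs_leak_pin(strong, SAMPLE_PIN))
    print("correct PIN verifies:", verify_pin(strong, SAMPLE_PIN))
    print("wrong PIN verifies:", verify_pin(strong, "0000"))
    print("lock required when file deleted:", pin_lock_required(None))
```

The hardened file still has to be treated as sensitive: with only 10,000 possible PINs an attacker holding the file can try every candidate offline, and the iteration count only raises the cost of that. Binding the secret to the device's keychain, as the post suggests, is what prevents the file copy from being useful on its own.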

Martin Administrator 4,297 post(s)

Already responded earlier in the week here http://forums.bitesms.com/forums/6/topics/2570?...

Repeated below:

Essentially there’s little point in encrypting the passcode, because if you want to look at a user’s SMS database and can access their phone via a shell (or malicious Cydia app), you can simply copy off the SMS database. Just seems like more work for no benefit to us. However, if you think we should spend our time working on this instead of bug fixes for iOS 4 and new features for Release 5.0, please let us know! The counter argument of also encrypting the SMS database is a terrible one, full of support issues and in effect taking over users’ messages and relying on biteSMS to decrypt them, not something we want to get into. We firmly believe a user should be able to switch to the native Messaging app if they want to at any time.

wrxratd 6 post(s)

Thank You for the response.

Ram 1,917 post(s)

One could simply:

1. Be careful with their phone and not lose it

2. Not give their phone to malicious people

3. Change one’s ~/root password

4. Have a (stronger) alphanumeric password for the entry in iOS4

5. Invest in a service like MobileMe to remote wipe the phone, if one is really sloppy

When someone has your phone, it’s not only the SMS database they can access. Your email, your contacts and your notes remain wide open for viewing. I’ve read the article before; it’s a nice rap, lots of geeky technical stuff written to scare the crap out of the ordinary user (example: my mom, who has no clue about what jailbreaking is), but for me, this is like trying to hunt a dead lion and show you’re brave :-) Quite futile.

You don’t need to hack this and bypass that; just opening the native Messages app already gives you enough to feast your eyes on.

Like Martin said, creating an encryption will be work for no realizable output in return.

Martin Administrator 4,297 post(s)

Ram, we do protect the native app.. :)

Ram 1,917 post(s)

We do? Sorry, I don’t even remember the last time I opened it :D

Modded.