It’s Dmitry Sklyarov’s turn to take the floor and talk about popular free password managers for iOS, their security implementation details, and common drawbacks.
Actually, there are lots of applications available for people in the App Store, and we’ll start with free ones. Just type “Password Keeper” in App Store search, and you will get a lot of results – actually, there are hundreds of them. Then you can choose several applications that are claimed to be free password keepers, or something close to password keepers. Here is a short list of those applications (see image). We will discuss each of them a little bit closer. The first set is about one application, but actually about three of them (see image). I call them “[un]Safe Triplets“. They are like triplets because they are actually the same application but with different names, different icons and different background. Everything else about them is identical, and it’s very easy to learn from the data stored in the SQLite database that all these apps use the same filename. The master password is always 4 digits (you cannot set longer passwords), but it doesn’t really help you in any way because nothing is encrypted with this application, and it’s just stored in plaintext in SQLite database, so you could extract the master password by one simple query to the database. Returning back to the app’s slogan, it’s about being really ‘secure’, as you see. Those three applications are not ‘alone’ in the App Store. The next one I’m going to review is iSecure Light (see details on the image). Again, it involves no encryption at all. You can see the filename looks like some template name, or some name from a code sample, so obviously people just don’t invest much effort to make the application unique, they just slightly modify it and put it on App Store. Actually, lots of people are downloading it – it’s one of the top results in search. Again, all the information can be extracted just by direct query to the database. The next application is not really positioned as password keeper; it’s some program to manage access controls to some files stored on an iOS device. It’s called Secret Folder Lite. Again, all the data is in plaintext, there’s no encryption, and it’s very easily extractable. The next one I will talk about is a free counterpart of the application called Ultimate Password Manager, and the author of that application honestly notes the difference between the paid and free version. Free version doesn’t protect your data, so it’s a password keeper that doesn’t protect your data because it’s free. I’m not sure if someone would actually need a password keeper providing no protection. Now, one of my favorites – it’s My Eyes Only™ – Secure Password Manager. It promises a lot of benefits to the user. It uses NSKeyedArchiver format which is common for Apple solutions. This one encrypts all private data with RSA asymmetric encryption, which is considered a standard for good security. This sounds pretty impressive. It stores the private key, as well as the master password, in keychain. Storing sensitive data in keychain is a very good idea for iOS, because keychain items are protected by the operating system, and there is no easy way to extract all data. There are other ways, but they are not so easy to implement here as for the applications I reviewed a little bit earlier. I believe using RSA and storing private data in keychain is an attribute of a good application. However, the length of the key is only 512 bits. By the way, the first time RSA key of such length was factored was in 1999, so it’s 13 years ago. At the time, it took a lot of computation power, but now it could be solved in a couple of days on modern computers. The funny thing about using RSA is that the private RSA key is stored inside the data file along with protected data, so secret is stored near the key. I don’t know who invented this, but it looks really funny to me. The next application is Keeper® Password & Data Vault – again, we have military-grade encryption here, it’s really strong. This application uses MD5 hash to validate the password. The hash value is stored inside the database and can be easily extracted from the database. It also uses SHA-1 hash as encryption key for AES algorithms. MD5 is actually a commonly used hash function, but it’s not too good because there is a collision built for MD5 many years ago. But MD5 is like a platform for testing skills on GPU acceleration: many people try to compete with each other by implementing a fast way of cracking MD5 using GPU. Also, there are a lot of rainbow tables already built and available for free for downloading online, allowing you to get the password by its MD5 hash in minutes. The easiest way to attack such hash is to just type a hexadecimal value of your hash in Google, and in many cases you will find the password in fraction of a second. So, cracking such type of protection can be lightning fast, which is why military-grade encryption doesn’t help in this case. Another application is Password Safe – iPassSafe free version. This is the only application out of the ones we analyzed that tries to prevent using easily guessable passwords, so when a user tries to set a weak password, the app alerts them that this password is very easy to brute-force by fingers, so it’s better not to use it, and it doesn’t allow setting this password for protecting the password database. But encryption is performed in a very funny way: we have a password that’s just padded to length of 32 bytes (256 bits) and used as an AES key. That key is used to encrypt the master key, which is then used to protect all data. There is an encrypted string for validation inside the database, but actually this application uses PKCS7 padding again. So, after decrypting the key you should have the last block completely filled with value 16, because AES uses block size of 16 bytes and the key of 32 bytes (it’s two blocks), and an additional block is added, so we just don’t need to decrypt the key to verify the password. We decrypt only the last block and check its value; if all bytes have the value of 16, we find the correct ones. So, attacking this type of protection requires only one AES encryption, setting the password and decrypting one block, so it’s really fast. As of now, on GPU we have the speed of about 20 Million, because we don’t have optimized implementation of AES encryption for GPU, and probably if we spend some effort to doing so (as we did, for example, for MD5 or PBKDF key derivation function), the rate of password testing will be increased by 10 or 20 times. And again, this application does not use any randomness to generate encryption key from the password, so it’s possible to build a rainbow table and use it to attack the data at a very fast rate. The next application is Strip Lite – Password Manager. Again, it has both free and paid version, the difference being in the number of passwords that can be stored. And to be honest, this is the best one out of all password managers we tested during our research. It’s straightforward and simple. It just uses PBKDF with 4000 iterations – that’s very close to the number of iterations used by WPA authentication on wireless networks. You can look up speed testing for WPA on the Internet, and you will get the same speed for this application, although this app is a little bit easier crackable than WPA. But honestly, 4000 is a good decision for mobile device, and definitely much better than most other solutions. By the way, this application works in a slightly unordinary way. It doesn’t protect individual records inside the database – instead, it protects the entire database. Therefore the whole database is encrypted. Furthermore, the open-source component developed by the same company (Zetetic) is perfectly available at the source level, so it’s not too problematic to figure out the number of iterations and the algorithms utilized to enforce security in this particular password management application for iOS operating system.