Stored Passwords Add to Mobile Security Risks

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
Slide Show

Tips for Creating a Strong Password

Correct risky password behavior and reduce your chances of being hacked.

The recent furor about the surreptitious tracking and storing of geo-location data by Apple's iPhone prompted Zscaler researcher Michael Sutton to go hunting for other security issues on the popular smartphone. In a blog post, Sutton documented how he peered into the backup archives generated when iOS devices are synced to iTunes to identify apps that transfer unprotected passwords into backup archives. This was easily achieved using free tools such as the iPhone Backup Extractor to browse the backup archives.


Sutton examined a popular document scanner app called JotNot Scanner Pro and determined that the app stores information such as version information and user-defined settings onto an XML document. To its credit, the company behind JotNot Scanner Pro quickly clarified in a blog comment that it is already working on implementing an additional layer of security to better protect users against such exploitation.


The heart of the issue here has to do with how applications rely on stored passwords to enhance their usability. While remembering passwords makes for a far better user experience, the risks of a lost or stolen laptop with iOS archives on its hard disk drive could place employees in a far more precarious situation than they realized. And the risk is hardly limited to JotNot Scanner Pro. Sutton observed:

Unfortunately, the authentication credentials stored for Evernote, Google Docs, Apple's iDisk and any WebDav enabled server are stored in plain text. Therefore, anyone that gained access to this backup file, would then have your username/password for these services.

Stored passwords can also result in heightened risks when smartphones are misplaced or stolen. I don't have numbers on hand to prove my point, though anecdotal evidence points towards smartphones being lost far more than far bulkier laptops. Beyond making off with an expensive mobile device, the possibility of hackers breaking into the wealth of stored data - which includes stored passwords - is swiftly becoming a real concern.


Indeed, Russian computer forensics company ElcomSoft last week announced that it had developed a toolkit that effectively circumvents the encryption implemented in iOS 4. This was achieved by extracting the decryption key from a tethered iPhone and using it to directly unlock the otherwise robust AES 256 encryption. As reported by CNET News, ElcomSoft has pledged to only make it available to government and law enforcement agencies, as well as intelligence and forensic organizations. But how long will it take for a rogue copy to be leaked out onto the Internet?


More than ever, users are increasingly accessing their private and corporate mailboxes, social media networks, instant messaging services, even their company VPN and CMS from their smartphones. With so much at stake, it is clear that corporations need to consider the heightened risks that mobile devices entail and work to mitigate those risks.