Touch ID, XARA, etc.

secmaster
secmaster
Community Member
edited September 2015 in iOS

Dear 1Password Crew,

in June there was a discussion about a security leak in Mac OS, thats affects 1Password in certain circumstances:

https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion

And there was the suspicion, that it could be possible to steal the Masterpassword of 1 Password out of the iOS Keychain, when the TouchID is used.

The discussion ends with your statement:

"Is 1Password for iOS affected? The research paper isn’t limited to discussing inter-process communication (IPC) that is done through websockets, but covers a wide range of mechanisms used on Apple systems. This includes some mechanisms that we may use for some features in 1Password for iOS. (...) As yet, we have not had a chance to test whether there is any exposure there, but watch this space for updates."

Whats the update right now? Is using the TouchID safe or not?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @secmaster: Oh wow. That's a blast from the past! The discussion regarding iOS ended because iOS apps are not affected in the way that you seem to be implying. As stated in the paper (I"m quoting directly here),

    The fundamental cause for the ZARA flaws is unprotected cross-ap resource sharing and communication. Comparing OS X with iOS, the latter is relatively securer simply because it does not support credential sharing (among different apps) through a keychain item and sub-target sharing (e.g., framework) through container, nor does it provide any complicated IPC mechanism like distributed objects. For every avenue opened across apps, proper authentication should always be in place. Otherwise, an XARA risk may show up.

    So it sounds like you may be conflating iOS and OS X. Both use the Keychain to store passwords, but on iOS all apps are sandboxed (so you can't have a malicious app log your keystrokes), and Touch ID data is stored in the (hardware) Secure Enclave, and none of this data is ever shared with apps — it's completely inaccessible.

    Anyhow, I do apologize for the confusion, which was an unfortunate result of some sensationalistic, misleading, and often downright inaccurate press coverage surrounding the XARA paper. I'm not sure a lot of people actually bothered to read it.

    The paper itself is worth reading if you really want to understand the details (make sure you read the whole thing though, because they make some claims that later don't pan out), and my previous post on this topic (better make some popcorn) also goes over this in slightly less-excruciating detail, especially with regard to 1Password.

    Ultimately there could be a flaw involving Touch ID on iOS, but I think the fact that nobody's found one says a lot, especially after all the melodrama and attention XARA has gotten. I hope this helps! ;)

  • AGAlumB
    AGAlumB
    1Password Alumni

    And there was the suspicion, that it could be possible to steal the Masterpassword of 1 Password out of the iOS Keychain, when the TouchID is used.

    P.S: After reviewing the history, I don't see where this was stated anywhere (not even as a clickbait headline), but it's worth noting that anyone can just say this. It's up to someone to demonstrate being able to "steal" anything from the Secure Enclave. There simply isn't any evidence that this is possible.

This discussion has been closed.