we want to use certificates on the iPhone to authenticate for MS Exchange Sync. We are not sure how the security concept is implemented to protect this certificates.
e.g. is it possible to get "full" Keychain access on the iPhone if no ScreenLock is enabled? (or with an Jailbroken iPhone).
Does anybody has some links about this?
Everything stored in iCloud Keychain is secure—it's protected by industry-standard encryption. Your iCloud Keychain can't be set up on another Mac or iOS or iPadOS device unless you approve it.
iCloud keychainEvery iPhone has a powerful tool that makes it tricky for hackers to hijack your accounts. It's called the iCloud Keychain – and lets you quickly and easily block hackers from snooping on you. We're constantly told to choose complicated passwords – but that's difficult with so many accounts.
It's safe and secure, but limited in some areas. All of my devices have the Apple logo on them, but if you have a Windows computer or Android device in your life, it won't work there, and for a password manager to be effective, it needs to work on every device you use.
With iCloud Keychain, you can keep your passwords and other secure information updated across your devices. iCloud Keychain remembers things, so that you don't have to. It auto-fills your information—like your Safari usernames and passwords, credit cards, and Wi-Fi passwords on any device that you approve.
Fraunhofer's study on iOS keychain security:
From what I can tell, there are two levels of encryption that the iOS keychain uses. The first level uses the lock screen passcode as the encryption key. The second level uses a key generated by and stored on the device.
Fraunhofer's researchers have figured out how to get around the second level. This is the "easier" level to get around, since the encryption key is stored on the device. So on iOS4, their method only works with keychain entries which do NOT use kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleWhenUnlockedThisDeviceOnly, because those entries reside in memory with the first level decrypted--even when the phone is locked.
≈50ms per password try; → ≈20 tries per second; → ≈1.7 years for a 50% change of guessing the correct passcode for a 6-digit alphanumeric code with base 36. The standard simple code of 4 numeric digits would be brute-forced in less than 9 minutes. Based on the assumption that the counter for wrong tries in the iOS can be bypassed, as it is not hardware-based
Apple Inc. WWDC 2010, Core OS, Session 209 "Securing Application Data", Slide 24
Bottom line: If you must store sensitive data, better use your own encryption. And don't store the key on the device.
Edit: There are numerous news articles which cite the Fraunhofer study and reassure their readers not to worry unless their devices are stolen, because this attack can only be done with physical access to the device.
I'm somehow doubtful. The fact the researchers did their tests with physical access to the phone seems to have just been a way to simplify the problem, as opposed to being a limitation. This is their description of what they did to decrypt the keychain entries:
After using a jailbreaking tool, to get access to a command shell, we run a small script to access and decrypt the passwords found in the keychain. The decryption is done with the help of functions provided by the operating system itself.
As anyone who has used jailbreak.me knows, jailbreaking does not require physical access to the device. Theoretically it should be trivial to modify the jailbreak.me code and have it automate the following:
So once again, be cautious about what you put in the keychain.
Normally, the keychain would be the recommended way to store such a certificate. However, it has been discovered that jailbreaking can be used to bypass the security of the keychain (article).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With