Lack of iOS security/privacy

Discussion in 'iPad' started by doboy, Apr 30, 2012.

  1. doboy macrumors 68020

    Jul 6, 2007
    Let me preface this by saying I'm NOT a security expert!

    So yesterday I decided to try out the iExplorer from Macroplant that allows you to "browse" inside your iOS device (PhoneView from Ecamm also does this). I mainly wanted to save app data (mainly games) prior to deleting the app from my iPad. When I connected my passcode-enabled iPad, I was shocked to see what was available to view and download. Pretty much everything! I erroneously thought that the iOS data protection would encrypt the data and keep it safe as long as it was passcode locked.

    Side note: I know there are apps that support iTunes file sharing and when you connect it to any computer running iTunes, you can save to and from the app that supports that feature. It is a nice and convenient feature, but it bypasses the passcode unless the app is specifically written not to allow access. For instance, Goodreader has an option to enable security where you can't download files using iTunes sharing until you enter your passcode on the idevice. You can still see the name of the files, but can't download them. However, most other apps allow iTunes file sharing on a passcode locked device including Apple who allows access to photos when connected to iPhoto on Mac or when connected to a Windows PC. I knew about the file sharing ever since it was implemented, but wasn't too concerned about it initially since I wasn't keeping any confidential files on the iPad. However, that is changing and it's very concerning.

    So back to iExplorer. I initially tried the program on my desktop PC connected to my TV for home entertainment. iExplorer was horrible and gave me constant errors, but I managed to use it to save some data. I tried to download files from Goodreader and was able to do so even when the iPad was locked with a passcode. This had me really concerned since this is the app that I use for sensitive PDF files and was immune to "data leakage" using iTunes file sharing. Since it was like pulling teeth using this program, I decided to install iExplorer on the Mac at work. It was a much much better experience using this program on the Mac versus the PC. When I tried to download files again from Goodreader using the Mac version of iExplorer, it didn't allow it until I unlocked my iPad with the passcode. So I will need to try this again with the PC version when I get home because the two versions are behaving differently.

    Sorry for the long post. My main point is that people should be careful what they store on their iPads because even when the iPad is passcode locked and set to destroy itself after 10 incorrect attempts, someone can simply plug it in and use software like this to see and download app data as well as phone logs, messages, etc. without even entering the correct passcode. The only safe apps are the ones that encrypt their own data like 1Password. This also means that your spouse or significant others can see all the "unsuitable" materials :p one may store inside these privacy apps since files are all visible when using programs like iExplorer. I'm definitely going to do more research regarding Goodreader since it did protect my files when I tried using the Mac version of iExplorer. Also if you have a jailbroken device, this program can see into your root directory so game over. It's like using iFiles on my iPhone.

    TL;DR, your data is not safe even when passcode is enabled with data destruction. Apple really needs to address this by not allowing any access to the files, even iTunes file sharing, until passcode is entered.
  2. Kyotoma macrumors 68000


    Nov 11, 2010
    Carnegie and Ontario
    This is pretty old news. As old as Jailbreaking, pretty much.

    There are security holes in every piece of software (and hardware) that has ever been created. It's just a matter of exploiting these holes that are beneficial to the one wanting to gain access to the system. With bootrom-level holes like the limera1n exploit for A4 devices, this leaves a permanent backdoor into the system. The backdoor left open in older 3GS models was so large that Apple was forced to change the bootrom in the middle of the product cycle.

    In other words, with every Jailbreak or exploit found by the Dev team or independent hacker, it is proven that iOS has holes in its security. Some of these, in the case of the A5 jailbreak, are so minuscule or particular that they only work under very certain conditions.

    So, also, in a way, with each Jailbreak, iOS security is improved. Apple sees these exploit tools and, since they are freeware, has access to them and thus sees how they work.

    As a close, I will add that you should NEVER assume that your data is safe over the internet. Unless of course you're constantly running several layers of encryption and are willing to pay for it.
  3. scaredpoet macrumors 604


    Apr 6, 2007
    The reason the two versions behaved differently was because you have not synced with your iPad before on the Mac at work, which was why the unlock code was required.

    However, because you HAVE been syncing on the PC, it can see everything.

    Bottom line: if you passcode lock your iOS device, someone would have to have access to both your iOS device and the computer you sync to to gain easy entry.
  4. doboy thread starter macrumors 68020

    Jul 6, 2007
    I understand there are exploits since I've been jailbreaking for a while. I think this is different in that Apple can implement a better security strategy. And I didn't say anything about data safety over the internet. I would definitely TrueCrypt anything that is important.

    Sorry, but I never synced my iPad/iPhone to either machine. I only sync it to my home Mac, which was NOT used for this testing.
  5. scaredpoet macrumors 604


    Apr 6, 2007
    If that's the case, then I suggest you contact Apple and explain your concerns.

    But I still say that either the iPad wasn't locked when you were testing at home, or you have synced it at some point, but might not remember.
  6. doboy thread starter macrumors 68020

    Jul 6, 2007
    I'm definitely trying again with the PC software when I get home. However, it technically shouldn't matter if it was previously synced to that PC or not (which I'm sure it was never synced). I may try after logging out of the iTunes home sharing first on the PC.
  7. doboy thread starter macrumors 68020

    Jul 6, 2007
    For anyone interested, I've re-run the test again on my PC and I was able to drag and drop the files within the Goodreader app onto the desktop while the iPad was locked with the passcode, unlike the Mac version which didn't allow drag and drop while it was locked. However, the files were empty (0 bytes) so I couldn't see the contents of the transferred files. Once I unlocked the iPad with the passcode, I was able to drag and drop and see the contents of the transferred files. So I'm glad to say that at least Goodreader prevented iExplorer from downloading my files when I enabled passcode lock and the security setting on the Goodreader app itself. Unfortunately, I was able to transfer app data from all other apps even while the iPad was passcode locked.
