Password managers on mobile devices – fail

Russian software company Elcomsoft is best known for its password auditing and recovery technology. The best way to audit the strength of a password is to see how easily it can be recovered or broken, and Elcomsoft has turned these skills towards an evaluation of password management apps on mobile devices.

Password management on mobile devices is increasingly popular. No longer just a voice device, mobile systems such as the iPhone and Blackberry are miniature computers used for standard business computing purposes. Users face the same problem on mobiles as they do on desktops: too many passwords to manage without help. Password management apps store users’ multiple passwords – but Elcomsoft wanted to find out whether they store them securely. It tested 17 separate iOS and Blackberry apps and has published the results in a detailed paper being presented at BlackHat Europe.

Those results are disturbing. “Only one password management app for the iOS platform, DataVault Password Manager,” notes Elcomsoft, “stores passwords in secure iOS-encrypted keychain.” Overall, the contents of 10 of the 17 password keepers can be recovered in less than a day, which is “guaranteed if user-selectable master password is 10 to 14 digits long.” But these are the ‘good’ ones. For the other seven, “Passwords stored in them can be recovered instantly because passwords are either stored unencrypted, are encrypted with a fixed password, or are simply misusing cryptography.”

In short, the majority of password keepers for iOS and Blackberry, designed to enhance users’ security, actually reduce it. “Our research proved once again that IT security requires more than just programming skills,” commented Dmitry Sklyarov, security analyst with Elcomsoft and co-author of the study. “With open-source strong-crypto libraries everyone and their dog can write a password keeper” and claim that it provides secure protection. But “a good security model takes the whole system into account including the user himself – and not just the strength of the encryption algorithm alone.”

Elcomsoft advises iOS and Blackberry users to use the devices’ own built-in security features. Apple users should set up a passcode and a complex backup password, and an unlocked device should not be connected to an untrusted computer. Unencrypted backups should not be created. Blackberry users should set up a device password and make sure that media card encryption is off or set to “Encrypt using Device Key” or “Encrypt using Device Key and Device Password” to prevent attackers from recovering the device password based on what’s stored on the media card. Unencrypted device backups should not be created.