
Secured iOS Backups Reduce Security, but Not by Much

At first, I thought Elcomsoft had discovered a major flaw in the way iOS lets iTunes back up the data on an iPhone, iPad, or iPod touch. The Russian security firm makes software that tests the strength of passwords for many different applications and systems by trying to crack them; it also markets that software for forensic use.

Elcomsoft's iPhone Password Breaker ($79 or $199, depending on features) cracks the password on an encrypted iTunes backup of an iOS device. Version 1.2 adds the ability to read the contents of the device's keychain once the backup password has been cracked. The iOS keychain, which plays the same role as the one in Mac OS X, stores network, email, and other system passwords, along with the credentials of any third-party app that took Apple's advice and kept its passwords there.

Andrey Belenko of Elcomsoft explained how this new feature came about. Before iOS 4, any iOS device with a hardware encryption key always used that key to protect the keychain, including the copy of the keychain written into an iTunes backup. Nobody has yet shown a way to extract the hardware key from a device, and because it is a random key rather than something derived from a password, there is nothing to guess: brute force against it is hopeless. (Hardware encryption is found in all iOS devices released from 2009 on: all iPads, the iPhone 3GS and iPhone 4, and the third-generation iPod touch.)

The hardware key continues to protect the keychain in iOS 4 backups made by iTunes, with one important exception. If you check Encrypt iPhone Backup (the label names whichever iOS device is plugged in), iOS 4 stops using the hardware key for the keychain in that backup and instead uses a key derived from the password you enter for the backup.

The reason, Belenko explains, is that iOS 4 can then carry the keychain over to a device being restored from the backup. The hardware key is unique to each device, so a keychain protected with it can be restored only onto the device it came from, whereas a key derived from your backup password works anywhere. If your iPhone is lost, stolen, or destroyed, or if you upgrade from one iPhone to another, you can restore your last backup onto the new iPhone with its passwords intact. Before iOS 4, a restore onto a different device left those passwords behind. (Elcomsoft's FAQ explains this in more detail.)

It's a strange notion, that encrypting your backup could make part of your data easier to recover. But it's not really a security hole, and Elcomsoft doesn't see it as one either.

To extract passwords from your iPhone keychain this way, a ne'er-do-well first has to get hold of the backup file, which means access to your computer, either physically or through a remote exploit. An attacker with that kind of access could just as easily install a keystroke logger and collect every password you type, without cracking anything, and then all the keys to the kingdom would be available anyway.

Further, if you've picked a good, strong password, the Elcomsoft breaker won't help. It works by brute force, trying candidate passwords one after another, and the company doesn't oversell what the tool can do. Its FAQ has this amusing exchange:

(the end of the preceding answer): ...Only relatively short and simple passwords can be recovered in a reasonable time.

Q: What do you mean by "time consuming" and "reasonable time"?

A: A lifetime? Seriously, with protection as good as that, it may take centuries to recover a long password.

And Elcomsoft goes on to note, "The iPhone backup encryption is good enough. Well, it is near perfect by our standards. That's to say, it's really secure."
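To make the two points above concrete, the key derived from the backup password and the brute-force cost Elcomsoft describes, here is an added Python example. It is not code from this article, from Apple, or from Elcomsoft, and it does not read real iTunes backups; the PBKDF2-HMAC-SHA1 derivation with 10,000 iterations, the constructed salt, and the helper names are assumptions chosen for illustration. It derives a key from a password, recovers a short numeric password by exhaustive search exactly as a cracker would, and then estimates how long longer passwords would take at the guess rate your machine achieves.

```python
# Added illustration for the encrypted-backup discussion above. Not Elcomsoft's,
# Apple's, or TidBITS's code; it does not parse real iTunes backups. The PBKDF2
# parameters and salt are assumptions made for the example.
import hashlib
import itertools
import time

ITERATIONS = 10_000      # assumed iteration count, chosen for illustration only
KEY_LEN = 32             # bytes of key material to derive


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Turn a user-chosen password into a fixed-length key.

    The salt defeats precomputed tables; the iteration count makes every
    attacker guess cost the same work iTunes spends once at backup time.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, KEY_LEN)


def brute_force(target_key: bytes, salt: bytes, alphabet: str, max_len: int,
                iterations: int = ITERATIONS):
    """Try every string over `alphabet` of 1..max_len characters.

    Returns (password, guesses_made) or (None, guesses_made). This is the
    attacker's position: the salt is stored with the backup and the
    derivation is public, so only the password itself is unknown.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            guesses += 1
            if derive_key(candidate, salt, iterations) == target_key:
                return candidate, guesses
    return None, guesses


def expected_crack_seconds(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password of exactly `length`
    characters: on average half the keyspace must be searched."""
    return alphabet_size ** length / 2 / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def measure_guess_rate(salt: bytes, iterations: int = ITERATIONS,
                       samples: int = 50) -> float:
    """Guesses per second this machine manages on one core with this derivation."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key("probe%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed; a real backup stores its salt with the data

    # A two-digit password falls almost immediately: 53 guesses.
    weak_key = derive_key("42", salt)
    found, guesses = brute_force(weak_key, salt, "0123456789", 4)
    print(f"recovered {found!r} after {guesses} guesses")

    # Estimates for longer passwords at the rate this machine achieves.
    rate = measure_guess_rate(salt)
    print(f"about {rate:.0f} guesses/second on this machine")
    for charset, length in ((10, 6), (26, 8), (95, 12)):
        secs = expected_crack_seconds(charset, length, rate)
        print(f"{charset}-char alphabet, length {length}: "
              f"~{seconds_to_years(secs):.3g} years")
```

Run it and the two-digit password is recovered in 53 guesses, while a 12-character password drawn from the full printable set comes out in the billions of years even before you account for the hardware key being out of reach entirely. A dedicated cracker runs far faster than this script, but every extra character multiplies the search by the alphabet size, which is why password length and character variety matter more than any cracker's speed.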

In other words, Apple added flexibility without compromising security, provided you take care to pick a reasonably long and strong backup password, because that password is now the only thing standing between an attacker who has your backup and the contents of your keychain. Apple's one mistake? Not offering the Password Assistant, the helper that Keychain Access and a few other places in Mac OS X use to guide you toward a strong password, when you set the password for your iOS backups.

(Thanks to TidBITS security editor Rich Mogull for his input on this article.)


Comments about Secured iOS Backups Reduce Security, but Not by Much
(Comments are closed.)

barefootguru  2010-08-09 15:58
I've assumed that when running FileVault the iPhone backup enjoys the same security as the rest of my home folder—without further encrypting it. Can anybody confirm this?
Glenn Fleishman  2010-08-09 16:15
Precisely the same: which is, if you're logged into your account, none at all.

FileVault's encryption is only worthwhile when you are not logged into your account.