Mailbox iOS App is a Security Fail | Being A Dream Walker

# Update 1 After posting this on HackerNews some developers / users feel my hypothesis is wrong and one can not repeat the steps below without having physical access to an user’s phone or locked devices. I agree to this. I also need to check for on which iOS version this is secure. Because as per as I remember, this is definitely doable in earlier version of iOS. But the original problem still remains same. These files are unencrypted and unprotected and one can copy your entire mail contents if he/she has access to your phone. File Protection API won’t be enough to protect data for unlocked phones. For which one might require to encrypt documents or files with a key and the key being stored in some secure location. I am building some concept apps to try out few things. Stay tuned …

Last year I developed immense interest in iOS app security and discovered many interesting facts and tools about the same that I presented in my talk in GeekCamp.sg

I love iOS apps and developers. And it’s the apps that I love motivates me to write better codes. However, Mailbox is an exception. I like the UX of this application but I dislike its data protection approach more. As a matter of fact, there’s no data protection at all.

Apple discussed about “Protecting the User’s Data” in WWDC session 714. There you can get to know about all the data and file protection APIs a developer gets out of the box from their SDK.

Tools I used to extract the information

I used iExplorer, which is a tool that lets users to transfer music, movies and playlists from any iDevices to computers and iTunes. But wait it gives you more, it gives you access to an application’s Document and Library directories on your devices. These are the usual places, where iOS developers store their database, plist files or other resource files and can be extracted to a system if device is stolen. You don’t need to jailbreak the device, you do not even need to unlock the device.

So if anyone else can get hold of your phone, he can access to files of those apps where data is not protected.

Information that I got from Mailbox app

On top level of the Documents directory there’s a folder called ‘Attachments‘. It consists of all the attachments that I received or sent. Be it a source code of some app, my bank statements or some confidential information. All these files are there unencrypted and unprotected, ready to be stolen if you lose your phone for some reason!

The same folder consists of a sqlite file which contains your email contacts, actual email contents and more.

One can just use any SQlite manager tool to open this file and see contents of it. There’s a table called ‘ZORCONTACT’ that contains details of your contacts and another table called ‘ZORITEM’ that contains details of your emails. Depending on what you do with your emails, this can be pretty scary!

How Mailbox can improve

Now for an app that I waited almost a month to get my hands on, I expect more.  I do not know if Mailbox is already working on adding these security features or not but this is something they should to retain their users. It’s all about adding few extra lines of codes to their iOS app to increase the security level. iOS SDK gives a developer a list data protection APIs (as displayed in the image below) for protecting documents, database and other sensitive files that consists of confidential information about your users. I would love to try my hands on a better Mailbox iOS app, that is more secure. Until then I have deleted my accounts from Mailbox.