All posts in Security News


Apps for mobile devices, like tablets and smartphones replace more and more the traditional desktops and notebooks for internet-based services. For a solid number of apps in the various App Stores it is nearly every time mandatory for the users to authenticate against the App (for using the services the App provides). This often raises the question how to store the username and the password on the device securely. The easy answer to this is: unfortunately not possible. A Keychain to store sensitive data securely has been offered by iOS since version 2.0 and by Android since version 4.0, but you should keep in mind that it is still possible to read all those values stored there.

The problem:

Since the Keychain on Android was established in version 4.0 and apps often have to support older versions, the only possibility is to use the integrated AccountManager or the Shared Preferences folder, which every app has included. On iOS you can use the Keychain without hesitation. It is also possible to save informations within the app folder structure (preferences files or SQLite database).
The Keychain on both systems has a prevention against unauthorized access, but both systems are Linux/Unix-based and they share a user who has access to everything: root. By using a root exploit it is possible to read all stored secrets on a mobile device. Since Android is suffering from a complicated update policy it is much easier to achieve this: regarding the current statistics [1] still 9.6% of Android devices are using the old versions Froyo and Gingerbead (2.2 – 2.3.7). 33.9% are using KitKat (4.4) and the newest version Lollipop (5.0) isn’t even mentioned. Especially the devices with Gingerbead and Froyo won’t get any new updates to fix security vulnerabilities. On iOS it is often argued that there are no root expoits, but the Jailbreak community has found one for every single version and has published it. Currently team TaiG has found one for the newest iOS version 8.1.1. For iOS 8.0 team Pangu published it and for iOS 7 it was the Evasi0n team. A root exploit for iOS is sold on the black market for 500.000$ to 1.000.000$ [2]. Public authorities like the NSA are willing to pay such an amount. Nevertheless, this does not necessarily mean that there are no exploits if they aren’t publicly available.
Let’s have a quick look at the Keychains:



The Keychain file itself (keychain-2.db) is protected with the device key, which can be obtained through jailbreaking / root exploit. Every entry is encrypted with the passcode key. When unlocked the users passcode is encrypted many times using a modified PBKDF2 (Password-Based Key Derivation Function 2) algortihm (AES with the UID key) to generate the passcode key. This key is hold in memory till the device is locked. A lot of users are using just a 4 digits pin which makes it easy to brute-force (average time is about 15 minutes). Hopefully this get’s better with the new Touch ID feature, introduced with the iPhone 5S.



Each Keychain Entry is encrypted with the 128-bit AES master key in CBC mode. The master key is a 128-bit key created by reading from /dev/urandom. It is encrypted with a hash of the users lockscreen password created with the PBKDF2 function from the SSL library (till Android version 4.3.x). Since Android 4.4 (KitKat) the PBKDF2 key derivation function (KDF) is replaced with scrypt [3].

The solution:

The question for an app developer now is: How can you make sure that the customers can use the app with all features without storing the password on the device? The solution: a token-based approach like OAuth 2.0 [4]. During the first start-up of my app, the customer has to provide his username and  password once. Afterwards, the app receives a token from the server which is going to be used as authentication. This token can be stored encrypted in the Keychain. The advantage of this  approach is that if an invader gets access to the device or records the token via a Man-in- the-Middle attack, he only receives a restrictive token which is only usable for certain use-cases (like viewing only some content, synchronising contacts and so on). He won’t receive the password for an email account or maybe a bank account and so on. Tokens also have the advantage that they can be  revoked and only are valid for a certain time.


Currently there is no practical way to store a password safely on a mobile device. Only the token-based approach is helpful here.


Core members of the Tor project, the free online service that aims to cloak Internet users in anonymity, have admitted that it’s been compromised, leaving privacy advocates wondering if the service, which has built its reputation on trust, can continue. The announcement comes only a week after the hacking community was shaken by word that a scheduled presentation in which researchers would prove that it’s possible to find Tor users was mysteriously canceled.

Tor — which stands for “The Onion Router,” implying multiple layers of security for users – said in a blog post Wednesday that users who operated or accessed hidden services from Jan. 30 through July 4 of this year should assume that their identity has been compromised. The anonymity network, which is accessible via a browser plug-in, is used by activists, criminals and hackers wishing to avoid the gaze of government monitors or targeted advertising. Made up by a network of volunteers who redirect an individual’s Internet connection, Tor can be used to provide uncensored Internet in unfree countries as well as to make a murder-for-hire plot possible.

“From what we found during our investigation, the attackers seemed to target people who operate or access Tor hidden services,” a spokesman for Tor told International Business Times. “By running a number of relays in the Tor network and modifying the traffic that these relays sent, the attackers attempted to learn about some Tor users visiting hidden services. Unfortunately, it is still unclear how much information the attackers were able to learn.”

The Tor spokesman refused to speculate on who the guilty party might be, but a growing swell of online speculation is pointing the finger squarely at researchers affiliated with CERT Division of Carnegie Mellon’s Software Engineering Institute in Pittsburgh. In February of this year CERT researchers requested and were later authorized to deliver a presentation at the Black Hat cybersecurity conference in Las Vegas, promising to reveal a security vulnerability in Tor that rendered users susceptible to identification.

Tor, learning of the scheduled presentation, asked the researchers to turn over their evidence, though CERT would only hand over a small amount of information. An abstract of the research was also posted on the Black Hat conference’s website.

Using the fragment of information provided by CERT, Tor discovered on July 4 that an attack had been going on since shortly before CERT asked to deliver the presentation. Three weeks later, on July 21, the CERT presentation was canceled, with Black Hat releasing a statement saying only that “the materials that [the presenters] would be speaking about have not yet been approved by CMU/SEI for public release.”

The most recent update observers have is Wednesday’s announcement from Tor, which provided a more detailed explanation of the attack and a security update that aimed to address the vulnerability in question. CERT issued a firm “no comment” for this story, but Wednesday’s post from Tor has drawn more attention than the usual Deep Web drama, with experts like Ed Felten, a professor of computer science and public affairs at Princeton University, calling for an explanation.

“This story raises some serious questions of research ethics,” he wrote onFreedom to Tinker, Princeton’s Center for Information Technology Policy blog. “I’m hard pressed to think of previous examples where legitimate researchers carried out a large-scale attack lasting for months that aimed to undermine the security of real users.

“That in itself is ethically problematic at least,” Fenten went on. “The waters get even darker when we consider the data that the researchers might have gathered – data that would undermine the security of Tor users. Did the researchers gather and keep that data? With whom have they shared it? If they still have it, what are they doing to protect it?”

No one seems to know, and those who do are keeping their lips sealed. But there are other, no less pertinent questions. The number of Tor users skyrocketed following last year’s revelations from Edward Snowden, which showed that the U.S. National Security Agency is conducting daily, indiscriminate surveillance on Americans and international residents alike.

With that sudden influx, though, came increased scrutiny. First, in July, the FBI acknowledged that it subverted control of Tor and launched a mass malware attack to find the proprietor of a despicable child pornography ring. Then, just a few months later, the FBI was again able to infiltrate the supposedly ironclad network to identify and arrest the alleged owner of the Silk Road, a shadowy online bazaar that made it possible to find everything from an illegal firearm to drugs to child porn.

Complicating the matter even further is Tor’s admission that that U.S. government provided more than $1.8 million in funding in 2013 alone, all while the NSA and British GCHQ intelligence service reportedly sought to infiltrate the network. This news might be alarming to Internet anarchists and tech-first libertarians, but Tor in fact began as a U.S. military project with the goal of shielding intelligence agents conducting espionage in the aforementioned totalitarian regimes.

“A branch of the U.S. Navy uses Tor for open-source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently,” reads the Tor fine print, as highlighted by Pando Daily. “Law enforcement uses Tor for visiting or surveilling websites without leaving government IP addresses in their web logs, and for security during sting operations.”

Whether the government’s support will be enough to convince Tor users to continue trusting the network or dump it entirely remains to be seen.