iOS App Progress and Security Review

The FlowCrypt team is pleased to provide some major updates on our iOS app efforts. Our iOS app is currently available in Public Beta and can be downloaded through TestFlight. With security reviews like this and our related changes, we’re getting much closer to a production release.

iOS app security review

First, our iOS pen testing security review is now complete. The security analysis firm Cure53 performed the review to test our iOS app for application security and cryptography. The cryptography was inspected both in terms of integration and implementation.

Cure53 is best suited for this security review because its team is intimately familiar with OpenPGP.

In addition, Cure53 has previously pen tested the JavaScript library OpenPGP.js, which is a core component of our software.

The full iOS report is linked below, but just some of the major points that Cure53 tested for were:

  • Importing malicious email payloads such as HTTPLeaks into email inboxes.
  • Loading of remote content into the FlowCrypt iOS application.
  • The OpenPGP implementation of FlowCrypt.
  • Post-decryption XSS in the iOS app.
  • The local storage of the FlowCrypt iOS application, examined via SSH.
  • The local storage, scanned for sensitive credentials.
  • The network communications of the mobile app.

This resulted in two high-priority issues and one medium-priority issue being found. These were:

  • Lack of file-system protection. Some data files left exposed a private key. This particular issue would affect users if the attacker had physical access to an iDevice set to a locked screen AND a method of accessing the local storage, for instance, via SSH connection established via a jailbreak.

  • RealmDB Encryption. In certain scenarios, the local app database file was found to be missing file encryption.

  • Browser Extension HTTP leak. The FlowCrypt browser extension was vulnerable to HTTP leaks via a crafted email body. This allowed remote attackers to collect information about FlowCrypt users, including IP address, operating system, browser version, and the time an email was opened.
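The two storage findings above come down to at-rest protection of local files. As an added illustration (this is not FlowCrypt's code and does not describe how the FlowCrypt team fixed the issues), the following Swift shows the default Realm configuration, which writes an unencrypted file, beside a hardened one that encrypts the Realm with a key held in the iOS Keychain and applies iOS Data Protection to the Realm folder so it is unreadable while the device is locked. The helper name `realmEncryptionKey` and the Keychain tag are assumptions.

```swift
import Foundation
import RealmSwift
import Security

/// Hypothetical helper: return the 64-byte Realm encryption key from the Keychain,
/// generating and storing one on first use. Keychain access class is limited to
/// this device while unlocked, so the key is not available to a locked device.
func realmEncryptionKey() throws -> Data {
    let tag = "com.example.app.realmkey".data(using: .utf8)!   // placeholder tag
    var query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag,
        kSecAttrKeySizeInBits as String: 512,
        kSecReturnData as String: true
    ]
    var item: CFTypeRef?
    if SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
       let existing = item as? Data {
        return existing
    }
    // No key yet: generate 64 random bytes and persist them.
    var key = Data(count: 64)
    let rnd = key.withUnsafeMutableBytes {
        SecRandomCopyBytes(kSecRandomDefault, 64, $0.baseAddress!)
    }
    guard rnd == errSecSuccess else { throw NSError(domain: NSOSStatusErrorDomain, code: Int(rnd)) }
    query.removeValue(forKey: kSecReturnData as String)
    query[kSecValueData as String] = key
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw NSError(domain: NSOSStatusErrorDomain, code: Int(status)) }
    return key
}

// Weak: the default configuration stores default.realm in plaintext.
let weakConfig = Realm.Configuration()

// Hardened: encrypt the Realm file and protect its folder with Data Protection.
var hardened = Realm.Configuration()
hardened.encryptionKey = try realmEncryptionKey()
let folder = hardened.fileURL!.deletingLastPathComponent().path
try FileManager.default.setAttributes(
    [.protectionKey: FileProtectionType.complete], ofItemAtPath: folder)
let realm = try Realm(configuration: hardened)
```

Realm creates auxiliary files (lock and management files) next to the database, which is why the protection attribute is set on the folder rather than on the single file; `.complete` blocks access while the device is locked, so background work should be kept off the Realm during that time.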

The complete Cure53 security report with much more detail can be found here as a PDF file. The complete methodology of the testing that was done is fully discussed in that document.

Testing summary

The Cure53 testing effort was very helpful in finding a few problem areas as well as validating our approach to security in the iOS app.

Each of our application areas, such as the browser extensions and the Android app, will receive the same level of review.

Our main goal remains to do our best to protect our users as much as we can.

New functionality and bug fixes

Secondly, we’ve closed a number of development issues since the start of the year. Some of the most important ones are:

  • Bug fix for copying text from the message body.
  • Added the ability to search the inbox.
  • Bug fix for storage losing encryption.
  • Added a dark mode, among many others.

The full list of closed issues will always be available on the flowcrypt-ios/issues page on GitHub.