iOS Security Review and progress
The FlowCrypt team is pleased to provide some major updates on our iOS app efforts. Our iOS app is currently available in Public Beta, and can be downloaded through TestFlight. With security reviews like this and our related changes, we are getting much closer to a production release.
iOS App Security Review
We will soon be unveiling our public security bounty program. Its most recent recipient, Chris Baker, received $1,000 USD for discovering a browser extension vulnerability.
First, our iOS pentesting security review is now complete. The review was performed by the security analysis firm Cure53, who tested our iOS app for application security and cryptography. The cryptography was inspected in terms of both integration and implementation.
Cure53 was well suited for this security review because they are intimately familiar with OpenPGP, the email encryption standard that FlowCrypt software uses.
In addition, Cure53 has previously pentested the JavaScript library OpenPGP.js, which is a core component of our software.
The full iOS report is linked below, but some of the major points that Cure53 tested were:
- Importing malicious email payloads, such as HTTPLeaks, into email inboxes.
- Loading of remote content into the FlowCrypt iOS application.
- The OpenPGP implementation of FlowCrypt.
- Post-decryption XSS in the iOS app.
- The local storage of the FlowCrypt iOS application, examined via SSH.
- Sensitive credentials left in local storage.
- The network communications of the mobile app.
This resulted in two high-priority and one medium-priority issue being found. These were:
Lack of file-system protection. Some data files left a private key exposed (which the FlowCrypt Team corrected during the auditing process). This particular issue would affect users “if the attacker had physical access to an iDevice set to a locked screen AND a method of accessing the local storage, for instance, via SSH connection established via a jailbreak”.
RealmDB Encryption. In certain scenarios, the local app database file was found to be missing file encryption (which the FlowCrypt Team corrected during the auditing process). As with each of these bullet points, much more detail is available in the actual Cure53 report.
Browser Extension HTTP leak. The FlowCrypt browser extension was vulnerable to HTTP leaks via a crafted email body. This allowed remote attackers to collect information about FlowCrypt users, including IP address, operating system, browser version and the time an email was opened. The FlowCrypt Team corrected this issue during the auditing process.
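As an added illustration of the two iOS storage findings above (this is example code written for this post, not FlowCrypt's implementation), the snippet below shows the two controls a reviewer would look for: secret files written with the NSFileProtectionComplete data-protection class, and a Realm database opened with an encryption key that is generated once and kept in the Keychain. The Keychain account name is a placeholder.

```swift
import Foundation
import Security
import RealmSwift

// 1) Data Protection: with .completeFileProtection the per-file key is evicted
//    when the screen locks, so a locked device read over SSH yields ciphertext.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

// Check usable from a test suite: fail if a sensitive file was created
// without the expected protection class.
func hasCompleteProtection(_ url: URL) throws -> Bool {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return (attrs[.protectionKey] as? FileProtectionType) == .complete
}

// 2) Realm encryption: a 64-byte key stored in the Keychain, readable only
//    while the device is unlocked and never migrated to another device.
private let realmKeyAccount = "com.example.realm-key"   // placeholder name

func loadOrCreateRealmKey() throws -> Data {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: realmKeyAccount,
        kSecReturnData as String: true,
    ]
    var item: CFTypeRef?
    if SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
       let key = item as? Data, key.count == 64 {
        return key   // key already provisioned on this device
    }
    var bytes = [UInt8](repeating: 0, count: 64)
    guard SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecParam))
    }
    let key = Data(bytes)
    query.removeValue(forKey: kSecReturnData as String)
    query[kSecValueData as String] = key
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return key
}

// Opening the database without encryptionKey set is the weak configuration
// the review flagged; this always supplies the key.
func openEncryptedRealm() throws -> Realm {
    var config = Realm.Configuration.defaultConfiguration
    config.encryptionKey = try loadOrCreateRealmKey()
    return try Realm(configuration: config)
}
```

Realm refuses to open an encrypted file with the wrong key, so losing the Keychain entry means losing the local cache; a design that only caches re-fetchable data there keeps that failure recoverable.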
The complete Cure53 security report can be found here as a PDF file. The full methodology of the testing is discussed in that document.
The Cure53 testing effort was very helpful in finding a few problem areas as well as validating our approach to security in the iOS app.
Each of our application areas, such as the browser extensions and the Android app, will receive the same level of review.
Please know that our driving goal remains to protect our users as well as we are able.
New Functionality and Bug Fixes
Secondly, we have closed a number of development issues since the beginning of the year. Some of the most important ones are:
- Bug fix for copying text from message body
- Added ability for searching the inbox
- Bug fix for storage losing encryption
- Added dark mode
- And many more.
The full list of closed issues will always be at this link.
Your comments are welcome at firstname.lastname@example.org. Also, if software security is your thing, we have an open position for a remote security engineer / pen tester.