NowSecure dynamic analysis: Keychain

[ivyv19]

Finding Description

Keychain interaction was observed during dynamic analysis. iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted.

Evaluation Criteria:

The evidence table lists all detected uses of the iOS Keychain:

• Name: operation to be done on iOS Keychain item.
• Locations: locations data including IDs that can be resolved using NowSecure Locations API. It represents the locations of the reported data within the app.
• Class: type of item in the iOS Keychain.
• Service Name: name of the service or scope the app is using, e.g., the app identifier or bundleIdentifier.
• Account: account identifier, e.g., username
• Match Limit: maximum number of results to return from an iOS Keychain item search.
• Return Data: boolean that indicates if data should be returned
• Return Attributes: boolean that indicates if attributes should be returned
• Context: additional context data related to the Keychain item.

Inspect the calls to the iOS Keychain and ensure that the intended behavior is being performed.

Steps to Reproduce

This section highlights any activity where the app calls the iOS Keychain. The table in this section displays when keychain items are created, deleted, or queried in some way.

Risk and Regulatory Information

Severity: info

Policy Category: Informational

• Risk OWASP: MSTG-STORAGE-1 (OWASP MASVS v1.5.0), MASVS-CRYPTO-2 (OWASP MASVS v2.1.0)
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII

Application

• Platform: ios
• Package: com.active911.universal

See more detail in the NowSecure Report

Evidence

| Name | Class | Match Limit | Return Attributes | Context | |---|---|---|---|---| | SecItemCopyMatching | inet | m_LimitAll | 1 | [object Object] | | SecItemCopyMatching | genp | m_LimitAll | 1 | [object Object] | | SecItemCopyMatching | cert | m_LimitAll | 1 | [object Object] | ... and 2 more