twofas / 2fas-ios

Source code for 2FAS iOS app
GNU General Public License v3.0

iCloud Sync encryption? #22

Closed grantwest closed 1 year ago

grantwest commented 1 year ago

I don't see the ability to add an encryption password when enabling iCloud Sync. Does this mean the files are stored unencrypted in iCloud, meaning they can be accessed from any of my authenticated Apple devices?

I assume this means if my Macbook was compromised for example, it would be possible for the 2FAS files to be stolen even though I only ever use 2FAS on my iPhone? This seems like a serious risk. Every additional Apple device I authenticate on is an additional risk of having my TOTP codes compromised.

It seems like an encryption password should be used when enabling iCloud Sync.

adocyn commented 1 year ago

Hi @grantwest, 2FAS is not using iCloud Drive to store files, so there's no file to be stolen. It's using CloudKit, a database. Secrets stored there are encrypted and can be read only using the 2FAS app. You can't just open it using Finder. In the future we'll add an option to set up your own password for that encryption.

grantwest commented 1 year ago

Reading the documentation it seems the keys for CloudKit private data are stored in iCloud Keychain. Which brings us back to any authenticated device being able to access the data. It may not be a file stored in iCloud Drive, but a device compromised with something like MacStealer could still give up the secrets. As it is, turning on iCloud Sync when you have a Macbook significantly diminishes the effective security of your 2FA protected accounts.

adocyn commented 1 year ago

@grantwest Keys from iCloud Keychain are not enough. You have to have the app. Currently it won't run on Mac. But yes, if someone stole your credentials then yes, they have access to your mail, payments, calendars, contacts, bought apps, media, photos, messages, passwords, 2FA secrets from Keychain and can very easily lock you out of your account. And yes, they can then access 2FA secrets from 2FAS. The feature where you can set your own password for Sync data in CloudKit is in the backlog and should be ready Q3 or Q4.

grantwest commented 1 year ago

Certainly the requests from the app could be spoofed by malware. There is no way for the CloudKit servers to verify that the requesting app running locally on your machine is an authentic un-modified version of 2FAS, or even a version of 2FAS at all. Given that this is such a popular TOTP generator, I would not be surprised to find malware that uses specifically crafted requests to check for and steal this information.

adocyn commented 1 year ago

@grantwest That's not that simple 😄 The app encrypts entries in CloudKit using its own certificate, and they are not available on GitHub (obviously). But even if you would get them from the app binary somehow and create a similar app, it will have a different bundle id and will be signed with a different certificate. So you can't just download malware from the App Store, e.g. a game, which will steal CloudKit data that doesn't belong to it. It's hard to send data from one app to another as it is 😄 Like legally and using available API. Not to mention that there's no way to steal other apps' data if the device is not jailbroken.

> There is no way for the CloudKit servers to verify that the requesting app running locally on your machine is an authentic un-modified version of 2FAS, or even a version of 2FAS at all.

Every iOS app is encrypted and digitally signed using a lot of cryptography which in the end identifies this app as 2FAS and not e.g. Instagram. And you can't release a modified version of 2FAS without access to developer certificates, developer account etc. To break that mechanism you would have to jailbreak the device. But to do that using malware it would have to be an app, downloaded from the App Store obviously, which would jailbreak the device and then override internal certificate storage and some of the system binaries. No such attack was ever registered and it was way easier to do years ago when iOS didn't have all the protections it has now 🙂

So no, no malware on iOS downloaded from the App Store. Probably in future you will find a 2FAS clone built from this source code and Apple is notorious for slow removal of such clones, but it won't have access to 2FAS data.

adocyn commented 1 year ago

Also if you're interested in this topic I would suggest our Discord 😄 https://discord.gg/q4cP6qh2g5 They're smart people there 🙂

grantwest commented 1 year ago

Unsigned code can be run on Mac. I'd be willing to bet unsigned code could make a request to CloudKit to fetch the 2FAS data. This is certainly a potential attack vector on Mac. The attack may require a victim to scan a fingerprint or type a password, but tricking most users into doing that is definitely a possibility.

adocyn commented 1 year ago

@grantwest Yes, unsigned code can run on Mac but only apps from the Mac App Store have access to CloudKit. To be distributed in MAS they have to be signed and then they have access only to their own CloudKit and data containers. So until we release a Mac version it's not a working vector of attack.

grantwest commented 1 year ago

Only apps from the Mac App Store have easy access to CloudKit through the intended documented methods. At the end of the day CloudKit servers will reply with information to any request signed by the right keys. And then that data can be decrypted with the right keys. Those keys all exist on an authenticated Mac. I'm not an Apple expert, but the security you are describing is physically impossible and you are putting too much faith in Apple's documentation/services.

Maybe someone like @fransr (experience finding CloudKit vulns) can convince you.

adocyn commented 1 year ago

@grantwest But you're talking about non-existing vulnerabilities and breaking encryption or chain of trust on the Mac just to get a blob of encrypted data using a custom client, for which you have to have another set of AES GCM keys 😄 I'm not saying it's impossible, but I've never seen that much effort taken outside state-sponsored actors which have unlimited money and manpower. Again:

So no, the Mac attack vector is improbable.

Also if someone has your stuff, passwords etc. then maybe security of 2FA keys is the least of your problems 😄 security (xkcd.com 😄)

> I'm not an Apple expert, but the security you are describing is physically impossible and you are putting too much faith in Apple's documentation/services

We have "some" experience in working with these APIs/platform. So no, we have no trust in the "lower levels" of security. That's why the contents of CloudKit are encrypted using another certificate. And yes, we'll add a custom password in future. Currently we're focusing on iOS/iPadOS platforms and there the protection is more than adequate and hasn't been broken without jailbreak.

grantwest commented 1 year ago

> they would have to have your Apple ID + one of your devices to allow for 2FA login

You continue to dismiss the possibility of malware running on Mac. In this case the attacker would not need your login to Apple, they are already running on an authenticated device.

> then they would have to create a dummy app to read the data from CloudKit (it's in some sort of a format so you have to have a software to read it)

You are claiming that the data format is security? Even if the app was proprietary this would be a joke, but this app is open source...

> then they would have to either have our keys to encrypt this app AND our credentials to login to apple developer portal AND our devices to allow for 2FA to login to that portal AND release this dummy app instead of original 2FAS app AND have access to 2FAS encryption certificates (they're not on the github) OR

The attacker needs to get keys from 2 places:

  1. Extract from iOS app
  2. Trick user into allowing the malware to fetch keys from iCloud Keychain on Mac.

> Also if someone has your stuff, passwords etc. then maybe security of 2FA keys is least of your problems

The entire point of 2FA is to protect you in the event your other secrets are compromised. It is very concerning that the developer of "the Internet’s favorite open-source two-factor authenticator" doesn't seem to understand this or take it seriously.

> I'm not saying it's impossible, but I've never seen that much effort taken outside state-sponsored actors which have unlimited money and manpower.

If you really have 5 million users protecting accounts like Binance and Coinbase, and god forbid other developers using this to protect accounts used to upload open source packages to the likes of npm and other package repositories, then there would be significant incentives to create this attack.
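
Added example, not part of the thread and not 2FAS code: a Node.js illustration of the user-password option discussed above, contrasting a sync record sealed under a key the app holds with one sealed under a key derived from a password only the user knows. The record layout, the `svc-1`/`svc-2` ids, the scrypt parameters and every function name are assumptions; the TOTP seed, password and keys are constructed sample values.

```javascript
const crypto = require('crypto');

// Slow, salted KDF so a stolen record cannot be brute-forced cheaply (parameters assumed).
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// AES-256-GCM with a fresh 96-bit nonce; the record id is bound as associated data.
function sealSecret(key, recordId, totpSecret) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(recordId));
  const ct = Buffer.concat([c.update(totpSecret, 'utf8'), c.final()]);
  return { recordId, nonce, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong or the record was altered.
function openSecret(key, rec) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, rec.nonce);
    d.setAAD(Buffer.from(rec.recordId));
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

function demo() {
  const secret = 'JBSWY3DPEHPK3PXP';        // constructed sample TOTP seed
  const appKey = crypto.randomBytes(32);     // assumption: stands in for a key held by the app
  const salt = crypto.randomBytes(16);       // stored next to the record, not secret
  const userKey = deriveKey('correct horse battery staple', salt);

  const appOnly = sealSecret(appKey, 'svc-1', secret);
  const withPassword = sealSecret(userKey, 'svc-1', secret);
  return {
    appKeyOpensAppOnly: openSecret(appKey, appOnly) === secret,
    appKeyOpensPassworded: openSecret(appKey, withPassword) !== null,
    wrongPasswordOpens: openSecret(deriveKey('guess', salt), withPassword) !== null,
    rightPasswordOpens: openSecret(userKey, withPassword) === secret,
    movedRecordOpens: openSecret(userKey, { ...withPassword, recordId: 'svc-2' }) !== null,
  };
}

console.log(demo());
```

With the password-derived key, possession of the app-held key and the stored record is not sufficient to recover the seed; the password never leaves the user.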