NEWS FROM THE LAB - Friday, July 30, 2010

Is your iPhone backup file secure? Posted by Sean @ 13:05 GMT

Tuesday's edition of the Wall Street Journal reported on a security flaw in Citi's mobile banking application for the iPhone.

Citi app

Customers are advised to update.

From the WSJ:

"Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users' iPhones."

Oops — not good.

According to Charlie Miller, you'd need an exploit to access it remotely.

Here's a complete list of iOS vulnerabilities which you can also download as an Excel file. [XLSX] (Source)

Fortunately, the vulnerabilities are patched, a lot of them thanks to Miller.

Miller also says that iPhone data files can be obtained by jailbreaking a lost or stolen phone.

Our thoughts?

Why go after data on the phone itself when you can target the synced backup file?


The files are not difficult to locate.

Where backups are stored

And they can be easily viewed with free software such as SQLite Database Browser.

iTunes offers encryption, but most people probably don't use it.

Encrypt iPod backup

We're glad that Citi discovered the flaw in their application instead of the bad guys, and we hope that the 117,600 affected customers will update soon (and then sync to update their backup file).
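One way to check whether the backups on your own computer are encrypted, as an added example that is not part of the original post: the script below reads each backup's Manifest.plist and reports its encryption flag. The backup folder locations and the `IsEncrypted` and `Device Name` keys are assumptions based on the standard iTunes backup layout; none of them are stated on this page.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed standard iTunes backup roots (not given on this page).
DEFAULT_ROOTS = [
    Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup",        # macOS
    Path.home() / "AppData" / "Roaming" / "Apple Computer" / "MobileSync" / "Backup",  # Windows
]


def read_plist(path):
    """Return the plist at path as a dict, or None if missing or unparsable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # accepts both XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    return data if isinstance(data, dict) else None


def audit_backups(root):
    """List every backup folder under root with its encryption state.

    encrypted is True/False from Manifest.plist's IsEncrypted flag (assumed key),
    or None when the manifest is missing, unreadable, or lacks the flag.
    """
    root = Path(root)
    if not root.is_dir():
        return []
    results = []
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest = read_plist(folder / "Manifest.plist") or {}
        info = read_plist(folder / "Info.plist") or {}
        flag = manifest.get("IsEncrypted")
        results.append({
            "backup": folder.name,
            "device": info.get("Device Name"),  # assumed key name
            "encrypted": None if flag is None else bool(flag),
        })
    return results


if __name__ == "__main__":
    labels = {True: "ENCRYPTED", False: "NOT ENCRYPTED", None: "UNKNOWN"}
    for root in DEFAULT_ROOTS:
        for b in audit_backups(root):
            print(f"{labels[b['encrypted']]:14} {b['device'] or '?'}  ({root / b['backup']})")
```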

Do you encrypt your backup file?

Tell us in this poll: Do you encrypt your iPhone/iPod backup file?
