CoverMe Private Text & Call iOS App Stores Passwords Insecurely

Background

The CoverMe Private Text & Call iOS app has a security problem: it writes the user's password in plaintext to cache files on the phone, where anyone with file-system access to the device can read it.

This practice is unacceptable for any app according to the OWASP Mobile Application Security Verification Standard (MASVS, https://github.com/OWASP/owasp-masvs), specifically this requirement:

2.1 MSTG-STORAGE-1: System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.
I found this flaw using the dynamic testing procedure the OWASP Mobile Security Testing Guide recommends for this requirement:
The following steps can be used to determine how the application stores data locally on a jailbroken iOS device:
  1. Trigger the functionality that stores potentially sensitive data.
  2. Connect to the iOS device and navigate to the app's data container directory (this applies to iOS versions 8.0 and above): /var/mobile/Containers/Data/Application/$APP_ID/
  3. Execute grep with the data that you've stored, for example: grep -iRn "USERID".
  4. If the sensitive data is stored in plaintext, the app fails this test.
I used a jailbroken iPhone running iOS 12.4.4 with no passcode.
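The following script is an added example, not part of the original post and not code from OWASP or from the CoverMe vendor. It automates step 3 of the procedure above: given the app's data container and a value you just entered (here, the password), it reports every file and line where that value appears in plaintext. The container path and the password are assumptions; the script builds a constructed stand-in container offline so it can be run anywhere, and on a real device you would point `find_plaintext` at /var/mobile/Containers/Data/Application/$APP_ID/ (or at a copy pulled off the phone with scp) and pass the password you registered with.

```shell
#!/bin/sh
# Added example (not from the original post): grep an iOS app data container
# for a credential the tester just entered, per MSTG-STORAGE-1 dynamic testing.
# Paths and the password value below are assumptions for demonstration.

# find_plaintext DIR SECRET
# Print file:line:content for every occurrence of SECRET under DIR.
# -a treats binary files (plists, sqlite, cache blobs) as text so a hit inside
# them is shown instead of being reported as "Binary file ... matches".
# Exit status 0 means the secret was found: the app fails MSTG-STORAGE-1.
find_plaintext() {
    grep -aiRn -- "$2" "$1" 2>/dev/null
}

# count_plaintext_hits DIR SECRET
# Number of distinct files under DIR that contain SECRET (case-insensitive).
count_plaintext_hits() {
    grep -aiRl -- "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_container DIR SECRET
# Build a constructed, offline stand-in for an app data container: the secret
# is written to an NSUserDefaults-style plist and to a binary cache blob, and a
# third file contains nothing sensitive. This mimics the layout under
# /var/mobile/Containers/Data/Application/$APP_ID/ but is not real app data.
make_sample_container() {
    mkdir -p "$1/Library/Preferences" "$1/Library/Caches" "$1/Documents"
    printf '<plist version="1.0"><dict><key>password</key><string>%s</string></dict></plist>\n' \
        "$2" > "$1/Library/Preferences/com.example.app.plist"
    # \001 separators make this a "binary" file as far as grep is concerned
    printf 'CACHEv1\001user=alice\001pw=%s\001' "$2" > "$1/Library/Caches/session.bin"
    printf 'nothing sensitive here\n' > "$1/Documents/notes.txt"
}

# Demonstration on the constructed container; the password is a made-up value.
demo_dir=$(mktemp -d)
make_sample_container "$demo_dir" 'Hunter2-Example'
echo "Searching $demo_dir for the test password..."
find_plaintext "$demo_dir" 'hunter2-example' || echo "not found: app passes this check"
echo "files containing the password: $(count_plaintext_hits "$demo_dir" 'Hunter2-Example')"
rm -rf "$demo_dir"
```

A plaintext grep only finds the value stored verbatim; if nothing turns up, also check base64 or hex encodings of the value and open any .sqlite files with sqlite3, since a credential stored by an app in its container in any reversible form still fails the requirement. What passes is storage in the iOS Keychain, which lives outside the app's data container and is never reached by this grep.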

Testing Method

I installed and launched this app:

I created an account with these credentials:

Password Exposure

The password was stored locally on the phone in two files, as shown below.

Notification

I sent this message on 12-31-19:


Posted 12-31-19 by Sam Bowne