############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: Email+ for iOS # Vendor: MobileIron # CSNC ID: CSNC-2018-030 # CVE ID: CVE-2018-18474 # Subject: Cleartext Storage of Sensitive Information # Risk: Medium # Effect: Locally exploitable # Author: Sylvain Heiniger # Date: 31.07.2019 # ############################################################# Introduction: ------------- MobileIron Email+ is a cross-platform, secure PIM application for iOS and Android. It provides government-grade encryption, certificate-based authentication, S/MIME, application-level encryption, and passcode enforcement. [1] Compass Security discovered a security flaws in the Email+ iOS application [2] which makes data available unencrypted outside the MobileIron secure container. An attacker who can jailbreak a device can access this potentially sensitive data. Affected: --------- Vulnerable: * All Email+ for iOS versions up to and including 3.5.0 [3] Not vulnerable: * All Email+ for Android [4] * All Email+ for iOS versions starting at 3.7 (according to the vendor) Technical Description --------------------- By default on iOS, NSURLRequest will cache responses in a Cache.db file in the application's folder under Library/Caches/com.mobileiron.ios.emailplus/Cache.db [5]. To prevent this insecure behavior, calls to NSURLRequest must explicitly disable caching. The file Library/Caches/com.mobileiron.ios.emailplus/Cache.db is not encrypted by MobileIron and the synchronized data hence leaks out of the secure container. The responses from ActiveSync may contain synchronized e-mails, contacts, calendar entries, notes and tasks. Workaround / Fix: ----------------- Install the updated version of the application. Vendor information: Set the cachePolicy property of the NSURLRequest to disable the caching of requests and responses. One solution is described in the article "NSURLConnection Delegate Returns Null" on Stack Overflow [6]. Timeline: --------- 2018-10-17: Discovery by Sylvain Heiniger 2018-10-18: Assigned CVE-2018-18474 2018-10-19: Initial vendor notification 2018-10-19: Initial vendor response 2018-11-16: Vulnerability Acknowledgement 2019-01-22: Release of fixed Version / Patch 2019-07-31: Publishing of advisory References: ----------- [1] https://www.mobileiron.com/en/resources-library/datasheets/email-plus [2] https://itunes.apple.com/us/app/mobileiron-email/id951239192?mt=8 [3] https://apps.apple.com/us/app/mobileiron-email/id951239192 [4] https://play.google.com/store/apps/details?id=com.mobileiron.client.android.pim [5] https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/URLLoadingSystem/Concepts/CachePolicies.html [6] https://stackoverflow.com/questions/30667340/nsurlconnection-delegate-returns-null