Potential Security Issue With iPhone App

I recently decided to purchase an app from the iPhone app store. I do not do this often but I believe that this app would be extremely useful.

The app I decided to download was SSH Term Pro. As the name suggests, this is an SSH terminal app for the iPhone and iPad. Of course, this makes it extremely easy to manage your server on the move. The application allows you to add an unlimited number of server details so you can quickly and easily connect to a server that you manage. The application also allows you to lock it down so that you can only access the application fully once you have entered a password that you had set up.

Unfortunately, on investigation, everything is not as good as I had hoped. While browsing through the files on my iPhone, I decided to have a look at where this app's files were stored. I noticed that there was a file called SSLDB.sqlite. This is of course not unusual, as most apps that store data store it within an SQLite database. What is disturbing, however, is what I found when I opened this file.

The database contains a table called SSLSITE. This table is used to store information such as site host, username, password and port. All of this data is NOT ENCRYPTED. You did read this correctly: the data is not encrypted, meaning that it is plain text and can be read by anyone who manages to gain access to your iPhone. What I was expecting was that the handy little password that we set up earlier was actually an encryption key, but unfortunately this is not the case. Regardless of whether you used a password to lock the app or not, the SSH password remains unencrypted.
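The same check can be scripted against a copy of an app's database. This is an added example, not code from the original post or from the app: the column names, the `VAULT` comparison table and the list of name hints are assumptions, and the sample data is constructed. Printable encodings of ciphertext (base64, hex) would also be reported, so a hit needs a manual look.

```python
import sqlite3

# Substrings that suggest a column holds a secret (assumed heuristic list).
SECRET_HINTS = ("pass", "pwd", "secret", "token", "key")

def is_readable(value) -> bool:
    """True for non-empty printable text; BLOBs are decoded as ASCII first."""
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            return False  # binary data, e.g. ciphertext
    return isinstance(value, str) and value != "" and value.isprintable()

def audit_db(conn: sqlite3.Connection) -> list[tuple[str, str, int, int]]:
    """Return (table, column, readable_rows, total_rows) per secret-like column."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        qt = '"' + table.replace('"', '""') + '"'  # quote identifiers safely
        for col in conn.execute(f"PRAGMA table_info({qt})"):
            name = col[1]
            if not any(h in name.lower() for h in SECRET_HINTS):
                continue
            qc = '"' + name.replace('"', '""') + '"'
            values = [r[0] for r in conn.execute(f"SELECT {qc} FROM {qt}")]
            readable = sum(is_readable(v) for v in values)
            if readable:
                findings.append((table, name, readable, len(values)))
    return findings

def build_sample() -> sqlite3.Connection:
    """Constructed stand-in for SSLDB.sqlite; column names are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SSLSITE "
                 "(host TEXT, username TEXT, password TEXT, port INTEGER)")
    conn.execute("CREATE TABLE VAULT (host TEXT, password BLOB)")
    conn.execute("INSERT INTO SSLSITE VALUES "
                 "('srv.example.test', 'admin', 'constructed-pw', 22)")
    # Binary value standing in for an encrypted password (constructed bytes).
    conn.execute("INSERT INTO VAULT VALUES ('srv.example.test', ?)",
                 (bytes([0x8F, 0x01, 0xFE, 0xC3, 0x9A, 0x00]),))
    return conn

if __name__ == "__main__":
    for table, column, readable, total in audit_db(build_sample()):
        print(f"{table}.{column}: {readable}/{total} rows readable as plain text")
```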

This may be of little concern while the iPhone is under your control. However, if someone manages to steal your iPhone, or if they manage to hook it up to a PC or Mac without your knowledge, it would be a trivial task to copy those files.

If you use this app, I strongly suggest you keep an eye on the iPhone. If you lose it, ensure you change that SSH password immediately. I seriously hope that this issue is fixed in the next version.

On a side note, while doing this I used some nifty tools. The first of these was IExplorer. IExplorer allows you to browse the files located within your iPhone with ease (the database file, for example, was in iPhone/apps/ssh term pro/library/SSLDB.sqlite).

The second tool I used was SQLiteManager, which allows you to load an SQLite database and to read, modify or create SQLite databases. The tool is not free; however, you can use it to view the first 20 records in a table using the demo version.
