Touch ID Support for STRIP

2015-06-29 12:00:00 -0400

If you take a look at the iTunes App Store US reviews for STRIP for iPhone, you’ll see this sentiment in a number of the more recent ones:

It’s a good app, however it’s missing a big thing here which other security apps have…simply NOT supporting “Touch ID” …whyyy!! Once this is integrated will pump up the rate to 5*

I hope we’ve finally earned that fifth star, Kokiiiz78! Today we’re excited to announce that Touch ID authentication is now available in STRIP for iPhone and STRIP for iPad version 2.5.0.

TouchID Login for STRIP from Zetetic on Vimeo.

The feature is optional, disabled by default, and simple to use.

To enable Touch ID authentication:

  1. Update STRIP to 2.5.0
  2. Log in to STRIP and tap on the Settings view tab
  3. On the Settings view tap on Login Settings
  4. Tap on the switch labeled “Enable Touch ID login”
  5. You may be prompted to authenticate with your Touch ID by iOS
  6. That’s it! The next time you are asked to login to STRIP you will be prompted for your Touch ID

As an aside, this feature works nicely in conjunction with the Auto Lock Timer preference, which allows you to keep STRIP unlocked for a chosen interval.

Changes in this version:

  • Provides new “Enable Touch ID login” feature under Settings -> Login Settings
  • Search view now searches your records as you type
  • Password Generator view maintains state when leaving STRIP

Additional changes to the iPad version:

  • Fixes search bar disappearing when tapped twice quickly

Thanks so much to our beta testers for helping us to identify bugs and edge cases early in the process. Your efforts in repeatedly installing beta builds over the last month really helped us as we vetted this version for release.

As always, if there are any issues please let us know. If you’d like to tell us what you think, consider stopping by our discussion forum.

STRIP, Keychain, and XARA

2015-06-23 10:00:00 -0400

A customer wrote us regarding recent reports of vulnerabilities to the Keychain in iOS and OS X and whether or not these affect STRIP password manager:

Is STRIP for iOS vulnerable to this “0 days flaw” in Apple software and allows “cross-app resource access (XARA) attacks”? Is the password for the iOS STRIP app stored in the keychain of the iOS or anywhere else in the iOS system other than in the STRIP app itself?

STRIP does not store the user’s master password in the iOS or OS X Keychain (back to this in a moment).

However, STRIP makes use of the Dropbox and Google-supplied frameworks for authenticating against their services for sync if you choose either of these sync modes. Both of those frameworks store the OAuth authentication credential in the iOS and OS X Keychains (open Keychain Access on your Mac and search for “STRIP” to have a look).

Touch ID Authentication on iOS

In the soon-to-be-released version of STRIP for iPhone and for iPad we’ve added the oft-requested feature of Touch ID login. This feature is completely optional, disabled by default, and only available on devices with Touch ID. The feature works by storing your master password for STRIP encrypted in the Secure Enclave on the device, through the Keychain.
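As an added illustration of the mechanism just described (this is example code, not STRIP’s own implementation): an iOS app stores a secret in the Keychain behind an access control that requires the user to authenticate with Touch ID (or the passcode as fallback), and reads it back with a prompt. The service and account names are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service/account names; STRIP's own keychain attributes are not on the page.
static NSString * const kExampleService = @"com.example.passwordmanager";
static NSString * const kExampleAccount = @"master-password";

static NSDictionary *ItemLookup(void) {
    return @{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kExampleService,
              (__bridge id)kSecAttrAccount: kExampleAccount };
}

// Store the secret so it is readable only after the user proves presence (Touch ID,
// or the passcode as fallback), and only on this device while a passcode is set;
// iOS removes the item if the passcode is turned off. SecItemAdd itself never prompts.
static BOOL StoreSecretRequiringUserPresence(NSData *secret, OSStatus *outStatus) {
    CFErrorRef aclError = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlUserPresence,
        &aclError);
    if (acl == NULL) {
        if (aclError) CFRelease(aclError);
        if (outStatus) *outStatus = errSecParam;
        return NO;
    }
    NSMutableDictionary *attrs = [ItemLookup() mutableCopy];
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge id)acl;
    attrs[(__bridge id)kSecValueData] = secret;
    SecItemDelete((__bridge CFDictionaryRef)ItemLookup());   // avoid errSecDuplicateItem
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    if (outStatus) *outStatus = status;
    return status == errSecSuccess;
}

// Read it back: iOS shows the Touch ID sheet with `prompt` and returns the data only
// if authentication succeeds. Other apps cannot match this item at all, because
// keychain access on iOS is bound to the caller's bundle ID / access group.
static NSData *ReadSecretWithPrompt(NSString *prompt, OSStatus *outStatus) {
    NSMutableDictionary *query = [ItemLookup() mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecUseOperationPrompt] = prompt;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;   // errSecUserCanceled or errSecAuthFailed on denial
    return status == errSecSuccess ? (__bridge_transfer NSData *)result : nil;
}
```

A caller should treat errSecUserCanceled and errSecAuthFailed from the read as “fall back to the master password prompt”, not as a reason to retry silently.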

Are these Keychain items vulnerable to attack?

It depends. There’s a great article on iMore.com explaining the attacks and what’s vulnerable (emphasis theirs):

Contrary to what some reports have said, while a malicious app cannot read your existing keychain entries, it can delete existing keychain entries, and it can create new keychain entries that are readable and writeable by other, legitimate apps. This means a malicious app can effectively trick other apps into saving all new password entries to a keychain it controls, and then can read.

iOS is unaffected:

The researchers note that one of the reasons iOS is unaffected by this is that iOS doesn’t have ACLs (access control lists) for keychain entries. Keychain items on iOS may only be accessed by an app with a matching bundle ID, or group bundle ID (for shared keychain items). If a malicious app created a keychain item that it owned, it would be inaccessible by any other app, making it entirely useless as any sort of honeypot.

Using the Touch ID login feature in the next version of STRIP for iPhone and iPad should not leave you vulnerable to this exploit.

In the end you always want to avoid suspicious, maliciously crafted software; once a host operating system is compromised it becomes very difficult to keep your data secure. Watch out for phishing attacks, where email is crafted to trick you into visiting a malicious website or downloading malware posing as normal attachments. On OS X you can limit the apps allowed to run on your Mac to those signed by Apple or by Apple-identified developers (like Zetetic).

If you are concerned about malicious keychain entries you can check for them easily:

  1. Open Keychain Access
  2. Search for “STRIP”
  3. Select the Keychain item in the right pane and select File -> Get Info (or type command+i)
  4. Select Access Control
  5. In the list of allowed applications you should only see STRIP

What about WebSockets?

While STRIP on the Mac provides a utility function for looking up your passwords and inserting them in other applications, it does not include a browser plugin and makes no use of WebSockets, another point of vulnerability detailed in the recently announced exploits.

Tempo Time Tracking is Closing

2015-05-11 08:00:00 -0400

Update, July 9th: We will be shutting down Tempo permanently on Monday, July 13th, to give our customers a couple more days for the transition.

After many happy years we have made the difficult decision to stop operation of the Tempo time tracking system in the near future.

When we started Tempo in 2007, the marketplace for online time tracking systems was limited. Existing systems were rigid and inflexible, often using antiquated desktop interfaces without mobile support. Tempo’s core ideas like flexible tagging, time entry via email / SMS / Twitter, and detailed trend reports, were fresh.

Since then, however, the number of cloud-based time trackers and mobile apps has grown substantially, and an increasing number of people have moved to consolidated project and billing platforms, or implemented their own time tracking solutions using simple and free cloud services. We believe strongly in working on projects that are sustainable and, unfortunately, Tempo is no longer sustainable in the long term.

Starting today we will be blocking new account registrations on Tempo. The system will be turned off permanently on July 10th, 2015. We will not be billing accounts during the transition period, so if you are a paying customer on a premium plan you will not be charged again for Tempo service.

In order to help you get data out of Tempo, you can use a new full account export feature to download a single compressed file containing the exports of your account’s time entries. The included CSV file can be easily opened by a spreadsheet program for manipulation, long-term historical archiving, or to provide a base data set to migrate to another system. The export function is now available to account owners and managers on the Accounts tab in Tempo.

All exports are refreshed daily and contain all of the information from the start of your account to the previous day. Please be sure to make a copy of your critical data before the system is shut off.

There are several other excellent project and time tracking systems that you might consider switching to. While we can’t recommend any particular system, we encourage you to try out a few over the coming weeks to see what you like. Some systems that we have seen recommended in the past include Harvest and Freckle, especially for advanced users.

Tempo is the only system that Zetetic is shutting down. Our other solutions, including SQLCipher, STRIP, and our Identity and Access Management services are unaffected. Despite Tempo’s lack of growth, Zetetic is still doing very well as a company, continuing to grow, and approaching our 10th year in business.

Finally, we want to say thank you to all of our Tempo users for providing feedback along the way, and helping to spread the word. We really appreciate you as customers and sincerely apologize for any inconvenience this difficult decision may cause. If there is anything we can do to help make the transition easier please don’t hesitate to let us know.

SQLCipher for Cordova

2015-03-30 08:00:00 -0400

We are happy to announce the availability of commercial licenses for SQLCipher for Cordova. Cordova allows a developer to quickly develop mobile applications using JavaScript, and now secure database storage via SQLCipher is available as a commercially supported platform. SQLCipher for Cordova provides support for integrating a SQLCipher database within a Cordova project running on iOS, Android, and Windows Phone. All interactions with the database are performed through a simple JavaScript API. Now available for purchase or as a trial.

SQLCipher 3.3.0 Release

2015-03-26 08:00:00 -0400

We are happy to announce the availability of SQLCipher 3.3.0. This release is based on the upstream SQLite 3.8.8.3 release, which included many beneficial updates, including a general performance increase of over 20% for the same number of CPU cycles compared to the previous release. Specifics for the SQLite 3.8.8.3 release are covered here.

Directly within SQLCipher we have included a few additional items as well. First, we introduced a new PRAGMA, cipher_default_page_size, a mechanism which facilitates setting a non-default page size value to be used when attaching databases. Next, we have added API hooks to support FIPS integration within the OpenSSL crypto provider. SQLCipher for Android has also been updated, with community edition binaries available here. Binaries that ship with support for OpenSSL have been upgraded to the latest 1.0.2a release. Commercial binary updates will be available soon.