Passbook: A Security Flaw?

By Amsys

In the third week of September 2012, Apple released the much anticipated iOS version 6 for it’s iOS devices (that includes the iPads, iPhones and iPod Touches). One of the new features included was a little App called Passbook. This App allowed a single location for all of your passes, tickets and coupons, as well as location-based reminders.
One of the abilities was to provide, at the lock screen, a relevant ‘pass’ upon reaching the location where it would be used. My first chance to experience this was last week when Starbucks UK (finally) updated their UK App to provide Passbook integration. Over the last week or two I’ve been fortunate enough to be working with a client based in London City and so have taken advantage of this moment to put it through it’s paces.

How’d it go?

Well overall, the Passbook App works great. In the Starbucks App I have to set which ‘card’ I would like in Passbook, and which of my favourite stores I’d want to use it in. These stores are only the ones that prompt at the lock screen, there’s nothing stopping me use the Passbook card at any other Starbucks’.
Each morning, I’d walk into the nearest favourite Starbucks, place my order, and pull out my iPhone with the card already on the lock screen for use. Admittedly, sometimes it would be a few seconds behind, and the free cloud WiFi caused problems as it required a webpage authentication but still let the iPhone connect but overall not a bad experience.
However, after a few days, I started to notice a particular issue. If I was at my favourite store, and the iPhone provided the Passbook card, a simple swipe showed the balance and the bar-code, ready for use. Helpful, yes, but this didn’t seem secure…

Security

Like most iOS users, I have contacts, calendars and emails relating to my work that could cause issues if lost. Additionally I do have personal details that would cause no actual damage but large amounts of inconvenience if lost. One way to protect them is to set a passcode lock. This simple step will dissuade most thieves in even bothering to break in (resulting in it wiped, but at least your data is safe!). You could also pair this with the “Wipe after ‘X’ failed passcode attempts” to assist in data leak prevention.
What I found with the Passbook Apps is that once it has appeared on the screen, anyone with their hands on the phone could use the card without knowing or even being prompted for my passcode.
OK, so this isn’t as bad as say, access to a multinational companies financial records but still:

I load money, real money, onto that card prior to use.
It can be used repeatedly as long as the Passbook App is open.

Being the sort of person who doesn’t like to be cut short I’ll typically try and keep at least £10 on there. This would mean that any thief would have access to at least £10 of my money, in addition to my ~ £400 handset!

How likely is that?

To be fully honest, it is a lot of “ifs and buts” but the possibility is still there, and just from normal, standard, everyday use of the App and features. I’m also not trying to scare anyone away from iOS, or fully using the features, but this raises questions for the everyday end user. The full circumstances are:

Theft of the physical iOS device.
Installation and use of the Starbucks Passbook App card.
Knowledge of the victims ‘favourite’ Starbucks Stores.
Presence at one of these stores.

The use is also limited to just Starbucks, but it gets you thinking about the possibility of other Apps having the same vulnerability, with the blame resting on Passbook.

Can I turn off the lock-screen portion of Passbook?

Yes, and this would prevent the scenario above, but with loss of functionality so is a trade off.

Go into the main Passbook App
Look for a small ‘i’ symbol, typically in the lower right corner of the ‘card’. Click it.
On there would be the option to “Show on Lock Screen”. Turn this off.

Summary

I hope this hasn’t worried you too much, but it is something to give at least some thought too.
What if you were a regular in one store, and you left behind your iOS device? Could you trust that one of the other regulars wouldn’t try ad get a few free coffees on your cash?
How do you feel about this? Is there anything further that can be done? Let us know in the comments below and I’ll try to respond to as many as I can.

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.