Impact of iOS Vulnerabilities Disclosed by Google Recently

Yesterday, I saw many reports headlined "Google finds vulnerabilities affecting all iPhones...". Some users may worry about the impact on ID Guard Offline: "Can those vulnerabilities be used to steal passwords stored in our app?" So we did this quick analysis.

Introduction

Google's Project Zero published the issues in the blog post Fuzzing ImageIO. All six issues are in the ImageIO framework, a core framework that processes image formats on macOS and iOS. One of the vulnerabilities had already been fixed before it was submitted to Apple, and two of them share the same root cause, so four Common Vulnerabilities and Exposures (CVE) identifiers were assigned. Three of those, CVE-2020-3827, CVE-2020-3826 and CVE-2020-3878, were rated HIGH under the Common Vulnerability Scoring System (CVSS) version 3.

CVE-2020-3827, the issue in the most popular image format, JPEG, is macOS only, so it has no impact on the iOS version of ID Guard Offline.

The DDS format (CVE-2020-3826) and the PVR format (CVE-2020-3878) are rarely used in daily life. The first is an out-of-bounds memory read, which can leak data from runtime memory to an attacker. The second is an out-of-bounds memory write, which can lead to Remote Code Execution (RCE) when combined with other attacks.

Analysis

ID Guard Offline does not use ImageIO directly. However, ImageIO is a core iOS framework that every app uses indirectly to display icons, images and logos.

  1. ID Guard Offline does not use DDS or PVR images.

    All images bundled in ID Guard Offline are JPEG or PNG images. The reported JPEG issue does not affect iOS.

  2. ID Guard Offline does not download images from the Internet.

    Some password managers download logos and other assets from the Internet. This exposes two attack surfaces:

    • Attackers might compromise the original website and replace the logos or assets with a carefully crafted file.
    • A man-in-the-middle (MITM) attack: an attacker who gets into the connection can substitute a malicious image for the original one.

    By not using the network at all, ID Guard Offline does not expose this largest attack surface, so all network-related attacks are useless against it.

  3. ID Guard Offline cannot import DDS/PVR images as attachments or logos.

    ID Guard Offline lets users choose images from the iOS photo albums as attachments or logos. However, users cannot import DDS/PVR images from the system albums, because the iOS Photos app does not support these formats.

  4. ID Guard Offline cannot open DDS/PVR files.

    Users can choose an app to open files received via AirDrop or shared from other apps. ID Guard Offline can currently open only CSV and ZIP files: CSV files to import passwords from the Chrome browser, and ZIP files to restore backups. Some password managers accept all kinds of files, which exposes a very large attack surface and can be vulnerable.

  5. ID Guard Offline adds a second protection layer for passwords.

    Suppose, however unlikely, that a malicious app can read the memory of ID Guard Offline. Would my saved passwords be leaked?

    ID Guard Offline adds one more layer of encryption for secret data such as passwords, OTP keys, recovery codes and security answers. No passwords are decrypted when the app is unlocked. The passwords saved in an account are decrypted only when the user taps that account to view its details. So a malicious app reading memory could obtain only the passwords of the account currently displayed, while all other accounts stay protected.

    Many password managers do not add additional encryption for passwords. When the user unlocks such a manager, it decrypts every password in the vault, so all passwords can be disclosed in some circumstances.
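
Items 3 and 4 above rest on an allow-list of file types. The following Python script is an added example, not ID Guard Offline's code (which is a native iOS app), of how an import path can enforce such an allow-list by inspecting file content rather than trusting the file name. The magic bytes are the real signatures of the formats; the sample files and the CSV heuristic are constructed for this example.

```python
from typing import Optional, Tuple

# Real magic bytes of the formats involved. The file name is never consulted:
# a DDS file renamed to .csv must still be recognised as DDS (or as unknown).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")   # local file header / empty archive
DDS_MAGIC = b"DDS "                           # the format behind CVE-2020-3826


def looks_like_csv(data: bytes) -> bool:
    """Heuristic for a text CSV export: valid UTF-8, no NUL bytes, and a comma
    in the first line. CSV has no magic number, so content is all we have."""
    if b"\x00" in data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    first_line = text.splitlines()[0] if text.strip() else ""
    return "," in first_line


def classify(data: bytes) -> Optional[str]:
    """Return the detected type, or None if the content matches nothing we know."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(ZIP_MAGICS):
        return "zip"
    if looks_like_csv(data):
        return "csv"
    return None


def accept_for_import(data: bytes, filename: str,
                      allowed: Tuple[str, ...] = ("csv", "zip")) -> Tuple[bool, str]:
    """Allow-list by detected content. The filename is only echoed back in the
    audit message; it has no say in the decision. The default allow-list is the
    file-open path (item 4); pass ("png", "jpeg") for the image path (item 3)."""
    kind = classify(data)
    if kind in allowed:
        return True, f"{filename}: accepted as {kind}"
    return False, f"{filename}: rejected (detected {kind or 'unknown'}, not in {allowed})"


# Constructed sample inputs (not real exports or attachments).
CHROME_CSV = b"name,url,username,password\nexample,https://example.com,alice,hunter2\n"
EMPTY_ZIP = b"PK\x05\x06" + b"\x00" * 18
PNG_STUB = PNG_MAGIC + b"\x00" * 8
DDS_DISGUISED_AS_CSV = DDS_MAGIC + b"\x7c\x00\x00\x00" + b"\x00" * 120

if __name__ == "__main__":
    for name, blob, allowed in [
        ("passwords.csv", CHROME_CSV, ("csv", "zip")),
        ("backup.zip", EMPTY_ZIP, ("csv", "zip")),
        ("passwords.csv", DDS_DISGUISED_AS_CSV, ("csv", "zip")),
        ("logo.png", PNG_STUB, ("png", "jpeg")),
        ("logo.png", DDS_DISGUISED_AS_CSV, ("png", "jpeg")),
    ]:
        print(accept_for_import(blob, name, allowed)[1])
```

The point of the design is that each entry point has its own short allow-list and that the decision is made on bytes, so a renamed DDS or PVR file is rejected before any image decoder sees it.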

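The second protection layer in item 5 is easiest to see in code. The following Python model is an added example, not the app's implementation: it derives a second-layer key on unlock but decrypts nothing until a single account is viewed. The HMAC-based cipher is a toy stand-in for a real AEAD such as AES-GCM so that the example runs with the standard library only, and the account data is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a stream cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob never yields plaintext."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed secret failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


@dataclass
class Account:
    name: str
    username: str           # non-secret, readable as soon as the vault is open
    sealed_password: bytes  # secret, stays sealed until this account is viewed


class Vault:
    def __init__(self, salt: bytes, accounts: List[Account]):
        self._salt = salt
        self._accounts: Dict[str, Account] = {a.name: a for a in accounts}
        self._secret_key: Optional[bytes] = None   # second-layer key, present only while unlocked
        self._displayed: Dict[str, str] = {}       # plaintext of the account(s) currently on screen

    def unlock(self, passphrase: str) -> None:
        # Derive the second-layer key; deliberately decrypt nothing here.
        self._secret_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 200_000)

    def lock(self) -> None:
        self._secret_key = None
        self._displayed.clear()

    def view(self, name: str) -> str:
        """Decrypt exactly one account's password, when the user opens its details."""
        if self._secret_key is None:
            raise PermissionError("vault is locked")
        password = unseal(self._secret_key, self._accounts[name].sealed_password).decode()
        self._displayed[name] = password
        return password

    def close_details(self, name: str) -> None:
        self._displayed.pop(name, None)

    def decrypted_accounts(self) -> List[str]:
        """What a memory-reading attacker could find in plaintext right now."""
        return sorted(self._displayed)


def build_sample_vault(passphrase: str) -> Vault:
    """Constructed sample data (hypothetical accounts, not real credentials)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    accounts = [
        Account("example-mail", "alice", seal(key, b"mail-pass-1")),
        Account("example-bank", "alice", seal(key, b"bank-pass-2")),
        Account("example-shop", "alice", seal(key, b"shop-pass-3")),
    ]
    return Vault(salt, accounts)


if __name__ == "__main__":
    vault = build_sample_vault("correct horse battery staple")
    vault.unlock("correct horse battery staple")
    print("after unlock:", vault.decrypted_accounts())      # []
    vault.view("example-bank")
    print("while viewing:", vault.decrypted_accounts())     # ['example-bank']
    vault.close_details("example-bank")
    print("after closing:", vault.decrypted_accounts())     # []
```

A memory-reading attacker who strikes after unlock() finds only sealed blobs; after view() it finds the one displayed password. Python cannot reliably wipe a string from memory, so close_details() only drops the reference; a native implementation would additionally overwrite the buffer.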
Conclusion

Our users can rest assured: there is no impact on ID Guard Offline. Because the app is designed with a minimal attack surface in mind, most attacks cannot reach it at all.

Even if a malicious program could read the runtime memory of ID Guard Offline, it cannot grab your passwords, thanks to the additional protection for the secret data stored inside.

Finally, all the published vulnerabilities have been fixed by Apple. I recommend that users upgrade their system to protect other apps.