[CVE-2013-5112] Evernote Android Insecure Storage of PIN data / Bypass of PIN protection

Evernote Android Insecure Storage of PIN data / Bypass of PIN protection

Product: Evernote (Android)
Project Homepage: evernote.com
Internal Advisory ID: c22-2013-03 / c22-2013-04
Vulnerable Version(s): Android version 5.5.0 (and prior)
Tested Version: Android 5.x (Android 4.2/4.3)
Vendor Notification: Aug 13, 2013
Public Disclosure: December 07, 2013
Vulnerability Type: Authentication Bypass Issues [CWE-592]
CVE Reference: CVE-2013-5112
Issue Severity: Important impact
CVSSv2 Base Score: 6.6 (AV:L/AC:L/AU:N/C:C/I:C/A:N)
Discovery: Chris John Riley ( http://blog.c22.cc )

Advisory Details:

Effected versions of Evernote on the Android platform allow
for users with limited access via the ADB (Android Debug Bridge)
interface of an Android device (USB debugging enabled, no root access
required) to perform backup and restore of applications and application
data. The ADB backup functionality requires an Android device running
the Ice-Cream Sandwich version of Android (4.x) or above.
Evernote Premium on Android allows the user to set PIN protection on the
the Android container to prevent unauthorized access in the event the
device is lost or stolen. Due to the way recent versions of Android
implements the backup and restore process, the implemented PIN
protection can be avoided and entirely bypassed to allow attackers the
ability to clear or recover the PIN from application settings data
stored in com.evernote_preferences.xml.

Using a simple process, it is possible for an attacker with physical
access to a device to backup the Evernote Android container and either
recvoerd the PIN (encoded with a simele XOR encryption) or remove any
PIN protections present on the application container. The result of this
attack is the exposure of any data stored within the Evernote Android
container acquired by an attacker.

Impact:
Attackers can extract and possibly maintain access to a user's Evernote
data from a lost or stolen device.

Evernote have released a new version to the Google Play store that
corrects these issue by disabling the ability to perform an ADB backup
of the Evernote container. Additional changes have been made to the way
Evernote stores the PIN within the XML configuration file.
It has been confirmed that the version 5.5.1 is no longer directly
susceptible to this attack method.

References:
At this time Evernote have not provided an advisory discussing the issue
http://blog.c22.cc/2013/09/05/a-sneak-peak-into-android-secure-containers-2
http://blog.c22.cc/2013/08/01/bsideslv-android-backup-unpacker-release

Vulnerability Timeline:

May, 2013 - Initial discovery of vulnerability
Aug 13, 2013 - Evernote contacted with request for secure communications
Aug 13, 2013 - Response from Evernote setting up secure communications
Aug 13, 2013 - Details reported to Evernote
Aug 15, 2013 - Response from Evernote confirming issues being examined
Aug 16, 2013 - CVE numbers sent to Evernote
Aug 27, 2013 - Name added to Evernote acknowledgements page
Nov 13, 2013 - Requested update from Evernote
Nov 15, 2013 - Response from Evernote - issues still being tracked
Nov 22, 2013 - Confirmation of fix for XOR PIN
Nov 25, 2013 - Asked for confirmation on other issues
Nov 25, 2013 - Confirmation that both issues had been address in 5.5.1
Dec 07, 2013 - Advisory released (delayed)