I sent Threema an email disclosing this and got an auto-reply saying that they commonly take a week to reply to customer messages. Since I hate waiting for things and it's not a total remote RCE flaw, let's just put it here for now.
The flaw allows gaining local access to a user’s Threema application, bypassing the local authentication (PIN), and the ‘delete data after 10 failed attempts’ setting.
Firstly, if you have 2 minutes, watch this video (Threema_bypass), as it shows the issue much better than I am about to explain it:
Essentially, the crux of the issue is that Threema doesn't actually delete anything at the moment the pop-up message after 10 failed logins says it has. Instead, the deletion only happens after the user has tapped 'OK' in the message box. Which, if you are an attacker trying to get into someone's application data, you might be inclined not to tap (well done, you are half-way in!).
Because of this, the only thing stopping someone from interacting with Threema at this point is the message box itself, which is the only usable UI element while it is displayed.
HOWEVER, the behaviour of pop-up messages in iOS apps is a bit special: when an application has presented a pop-up and you close and re-open the app, the pop-up animation is re-rendered, and in the half-second before the message box is fully shown, other UI elements in the application can still be tapped.
So by using that short window to manipulate the UI, we can fairly quickly brute-force the PIN (a 4-digit number protecting sensitive data is a bit of a joke), and then it's business as usual. We just have to navigate around one tap at a time, opening and closing the application.
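To make the ordering problem concrete, here is an added illustration of the two patterns (this is not Threema's code; `Vault` is a hypothetical stand-in for whatever holds the local chat data, and the attempt counter is assumed to be persisted so that killing and relaunching the app cannot reset it). The vulnerable version does the wipe from the alert's OK handler, so the data lives as long as the alert is never acknowledged; the hardened version wipes before any UI is touched, so the alert is purely informational and racing its presentation animation gains nothing.

```swift
import UIKit

enum Vault {
    // Hypothetical stand-in for the app's local data store (database, keys, caches).
    static func wipeAllLocalData() { /* delete everything, synchronously */ }
}

final class PinLockViewController: UIViewController {
    private let maxFailedAttempts = 10
    private let counterKey = "failedPinAttempts"
    // Assumption: persisted so a relaunch does not give the attacker a fresh 10 tries.
    private lazy var failedAttempts = UserDefaults.standard.integer(forKey: counterKey)

    // Vulnerable ordering, as described in the post: the message box is shown
    // first and the wipe only runs inside the OK action handler.
    func handleWrongPin_vulnerable() {
        failedAttempts += 1
        UserDefaults.standard.set(failedAttempts, forKey: counterKey)
        guard failedAttempts >= maxFailedAttempts else { return }

        let alert = UIAlertController(title: "Data deleted",
                                      message: "Too many failed attempts.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "OK", style: .default) { _ in
            Vault.wipeAllLocalData()   // never runs if OK is never tapped
        })
        present(alert, animated: true)
    }

    // Hardened ordering: destroy the data before presenting anything. Whether the
    // alert is dismissed, or its animation is raced on re-open, no longer matters.
    func handleWrongPin_hardened() {
        failedAttempts += 1
        UserDefaults.standard.set(failedAttempts, forKey: counterKey)
        guard failedAttempts >= maxFailedAttempts else { return }

        Vault.wipeAllLocalData()       // synchronous, before any UI work
        view.isUserInteractionEnabled = false   // nothing left to protect, but lock anyway

        let alert = UIAlertController(title: "Data deleted",
                                      message: "Too many failed attempts.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "OK", style: .default, handler: nil))
        present(alert, animated: true)
    }
}
```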
This is a really poor bug for an app touting itself as 'secure': you can have all the solid crypto in the world, but at the end of the day, if someone steals or detains my phone and can sit there and guess the PIN to all my chats in a few hours, it's game over for my privacy, and for that of anyone I've been chatting with.
This *almost* smells like a back-door to me, what do you think?
EDIT: Someone tweeted Mr Steve Gibson about this and he was kind enough to talk about it on the Security Now podcast, episode 445; skip to 38m:15s.