Boxer FastSync: Securing Background Updates on iOS

Tal Raichman
Published in VMware 360
Apr 13, 2021

By Tal Raichman and Ratna Paul Saka

Problem Statement: Performing a background app refresh while keeping user data secure presents some unique challenges:

  • Apps are generally not guaranteed to be running at all times due to iOS system limitations.
  • Background fetch is not always performed from a suspended state, limiting actions the app can perform securely.

In this article we outline the solution adopted in Boxer, a secure Email Client, that allows the app to perform periodic sync in the background while keeping the user’s data secure.

Boxer is a Secure Email Client and has, since its inception, supported securing data at rest using an encrypted database. This is an added security measure on top of the built-in device encryption provided by iOS, in case the device is compromised. To secure the user’s data, the database is encrypted with a key derived from a user-provided password. It is important to note that Boxer cannot sync email while the database is locked. Asking the user to enter a password on each application start does not provide a good user experience, so over time additional methods for unlocking the user data were added, such as biometric authentication and Single Sign-On authentication.

As an Email Client it is desirable that the user’s mailbox stay updated and synchronized with the remote server without requiring the user to launch and authenticate the application. VMware’s Email Notification Service (ENS) is a solution that adds push notification support to Exchange. It allows the user to receive Push Notifications when new emails arrive in the user’s Inbox. However, Boxer still requires the user to launch the app in order to download the complete set of new messages.

When using Apple Push Notification Service (APNS), it is possible for iOS to wake up the app in the background when a new notification is received. The challenge for Boxer is to grant the app access to the user’s data without requiring user authentication. To solve this problem, Boxer creates a temporary entryway to the user’s data. The process of creating and securing this entryway is described below.

All the data in Boxer (including the database) is secured using a Master Encryption Key (MEK). This key is only available after the user authenticates successfully. To allow background access, Boxer creates a temporary Key Encryption Key (KEK) that is used to encrypt the MEK using a symmetric encryption algorithm.

The KEK is never stored on the device; instead, it is escrowed to ENS using a secure channel. The KEK also has an expiration date associated with it, added to limit the amount of time a would-be attacker would have to intercept the key. Boxer starts a session when the key is created and stops using it when it expires. On the server side, ENS also stops using the key on expiration. Renewing the KEK requires that the user re-authenticate (Passcode, FaceID, etc.).

Direct communication between ENS and Boxer is secured using a public/private key pair. The key pair is generated by ENS and the public key is shared with Boxer via dedicated API endpoints.

On the ENS side, the new KEK is received in a payload encrypted with the above public key. ENS uses the unique private key associated with the user to decrypt the payload and extract the KEK. It then saves the key together with its expiration date on the server and sends a success/failure response back to the device (Boxer).

Update Sync Key Workflow

When ENS is alerted that the user’s Inbox has new mail, it retrieves the KEK and expiration date from storage. If the key has not expired, it is added to the APNS payload that is sent along with the user-facing notification.

Back in Boxer, a notification is received while the app is suspended — iOS wakes Boxer with the notification payload. If the session has not expired, Boxer unwraps the MEK with the KEK embedded in the payload. It then syncs with the Email Server and closes the database connection once the sync is complete.
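The session lifecycle described above, as an added example in Go that is not Boxer’s or ENS’s code: it assumes AES-256-GCM for wrapping the MEK under the KEK and RSA-OAEP for escrowing the KEK to the ENS public key (the post does not name the algorithms), and it models the expiry check on both sides. Binding the expiry into the AEAD data is an added hardening that the post does not describe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// WrappedMEK is all that stays on the device: the MEK sealed under the KEK with AES-256-GCM.
type WrappedMEK struct {
	Nonce, Ciphertext []byte
	Expires           time.Time
}

// NewSession (device side) draws a fresh KEK, wraps the MEK under it and returns the escrow
// payload: the KEK encrypted to the ENS public key with RSA-OAEP. The KEK is never stored.
func NewSession(mek []byte, ensPub *rsa.PublicKey, now time.Time, ttl time.Duration) (WrappedMEK, []byte, error) {
	kek := make([]byte, 32)
	rand.Read(kek) // crypto/rand.Read does not return short reads on supported platforms
	block, _ := aes.NewCipher(kek)
	gcm, _ := cipher.NewGCM(block)
	w := WrappedMEK{Nonce: make([]byte, gcm.NonceSize()), Expires: now.Add(ttl).UTC()}
	rand.Read(w.Nonce)
	// Assumed hardening: the expiry is bound in as AEAD data, so an edited expiry on disk fails unwrap.
	w.Ciphertext = gcm.Seal(nil, w.Nonce, mek, []byte(w.Expires.Format(time.RFC3339)))
	escrow, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ensPub, kek, nil)
	return w, escrow, err
}

// ENSDeliver (server side) runs on new mail: the KEK goes into the push payload only while valid.
func ENSDeliver(escrow []byte, ensPriv *rsa.PrivateKey, expires, now time.Time) ([]byte, error) {
	if !now.Before(expires) {
		return nil, errors.New("ens: KEK expired, push sent without key")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, ensPriv, escrow, nil)
}

// UnwrapMEK (device side) runs when iOS wakes the app with the push payload.
func UnwrapMEK(w WrappedMEK, kekFromPush []byte, now time.Time) ([]byte, error) {
	if len(kekFromPush) != 32 || !now.Before(w.Expires) {
		return nil, errors.New("device: session expired or no usable KEK, user must re-authenticate")
	}
	block, _ := aes.NewCipher(kekFromPush) // length already checked above
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(w.Expires.Format(time.RFC3339)))
}
```

Once the session expires, neither side will release or use the KEK, so the next sync again requires the user to authenticate and a new session to be created.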

Summary

In this post we have outlined how Boxer and ENS work together to provide a cohesive and consistent experience using FastSync. More information regarding VMware’s Email Notification Service can be found here.

We hope you have found this useful!
