  • Encrypt sensitive local data in the Orion ApplicationSupport folder with a Keychain-based credential

  • Suggestions, Desktop, Planned

macOS has quite an elegant keychain for storing secrets, which are tightly bound to app packages and/or developers (via their app signing key).

Recently, there have been some high-profile compromises of logged-in sessions in browsers via on-device malware (usually affecting Windows users), which steals browser "cookie jars" to get logged-in session tokens, and sends these remotely for use by the attacker.

macOS can, out of the box, resist this attack fairly effectively - Chrome already stores a credential in the user keychain (Ref), tied to the Chrome browser app so other apps cannot use it. This means if malware gets access to the user's filesystem, they cannot steal their cookie jar in usable form.

Orion currently doesn't implement any kind of protection like this for the most readily stolen sensitive session data (cookies). It would be worth looking at getting to Chrome's level of protection, and encrypting this data via a random passphrase that's stored in the keychain.

  • Vlad replied to this.

    gp Can you expand on what data exactly should be encrypted and be more precise about what Safari and Chrome are doing with it?

    • gp replied to this.

      Vlad

      Sure - the most relevant example here is Chrome, since Safari protects this information using its tight integration with the system, so I'll start with Chrome.

      If you look at the Cookies sqlite file from Chrome, the value field is empty (null) - there is an encrypted_value field in the sqlite database. This means that if an attacker scoops up your ~/Library/Application Support/Google/Chrome/Default/Cookies file, they cannot access your raw cookies. If you do this for Orion, you get the user's cookie store in plaintext.

      An attacker that grabs this file can still see some information like what hosts you have cookies on, and names of cookies, but they won't actually get the cookie values! I believe they use the Chrome Safe Storage login keychain entry to encrypt this data. I'm not sure on the specifics of encryption (but that's less relevant as we can design a sensible encryption scheme for Orion from scratch easily enough).

      For now, it looks like the Cookies db is the main thing they are encrypting.

      In terms of Safari, the ~/Library/Cookies and ~/Library/Safari (among other) folders are protected by macOS's built-in file access restrictions - if you try to open or list their contents in Terminal, you won't be able to.

      cd ~/Library/Cookies
      > ls -al
      total 0
      ls: .: Operation not permitted
      cd ~/Library/Safari
      > ls -al
      total 0
      ls: .: Operation not permitted

      If you give Terminal full disk access, you can then look into the ~/Library/Safari folder and look around. You get the idea - Apple is using the built-in system security stuff to protect browser data from what I can see.
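
The at-rest property described in the reply above (value left empty, secret held only in encrypted_value) can be checked with a short audit. This is an added example, not part of the thread and not Orion's or Chrome's code; the value and encrypted_value columns come from the post, while the host_key and name columns, the sample rows and the placeholder ciphertext bytes are constructed assumptions.

```python
import sqlite3

# Constructed sample cookies: (host, name, value). Not real data.
SAMPLE = [("example.test", "session_id", "s3ss10n-token"),
          ("shop.example.test", "cart", "42"),
          ("example.test", "empty_pref", "")]

def build_sample(encrypted):
    """Build an in-memory store shaped like the one described in the thread.

    encrypted=False mimics a plaintext store; encrypted=True mimics the
    layout where `value` is empty and `encrypted_value` holds the secret.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, "
               "value TEXT, encrypted_value BLOB)")
    for host, name, val in SAMPLE:
        if encrypted and val:
            # Opaque placeholder bytes stand in for real ciphertext.
            row = (host, name, "", b"\x00CT" + bytes(len(val)))
        else:
            row = (host, name, val, b"")
        db.execute("INSERT INTO cookies VALUES (?,?,?,?)", row)
    db.commit()
    return db

def audit_cookie_store(db):
    """Classify each row by how its secret is stored; never return values."""
    report = {"plaintext": [], "encrypted": [], "empty": []}
    query = ("SELECT host_key, name, value, encrypted_value "
             "FROM cookies ORDER BY rowid")
    for host, name, value, enc in db.execute(query):
        if value:                 # readable by anything that can read the file
            report["plaintext"].append((host, name))
        elif enc:                 # only ciphertext is on disk
            report["encrypted"].append((host, name))
        else:                     # nothing sensitive stored either way
            report["empty"].append((host, name))
    return report

def at_rest_ok(report):
    """True only when no cookie value is readable straight from the file."""
    return not report["plaintext"]

if __name__ == "__main__":
    for label, enc in (("plaintext store", False), ("encrypted store", True)):
        r = audit_cookie_store(build_sample(enc))
        counts = {k: len(v) for k, v in r.items()}
        print(label, counts, "OK" if at_rest_ok(r) else "EXPOSED")
```

Even in the encrypted layout the report still lists hosts and cookie names, matching the post's point that this metadata remains visible to anyone who can read the file.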
