False sense of security

For the past few years, I’ve been using a Mac application called Cha-Ching to handle my banking. I use it to track my checking and savings accounts, a couple of accounts I have for my kids, and my credit card usage.

(No, I’m not going to link to it. It’s made by Midnight Apps. You can Google it if you want to find it. I’m not sending them any traffic.)

When Cha-Ching starts up, it asks for a password to unlock the database.

Given that this application is intended to contain financial information, and goes to the trouble of asking for a password at startup, one would think the data is somehow protected by that password, probably even encrypted, right?

WRONG.

It turns out that the data is “locked” by the password, not encrypted at all. In fact, the only function of the password is to tell the application not to open the data unless you know the password. If you want to pick through the data file outside of the application, nothing is stopping you. In fact, the password is stored in the application’s preferences file. If you rename or delete that file, the password simply ceases to exist.

Here’s how easy it is to search through my banking data.

$ strings Cha_Ching.1ccdb  | grep dishes
35268605-6F44-4868-A1BA-74AA567E63DC2 sets of dishes (service for 4)
Outgoing562FA75C-114E-481B-B0C7-D2955DED510FAmazonNever
35268605-6F44-4868-A1BA-74AA567E63DC2 sets of dishes (service for 4)
Outgoing559BD5D9-F6BA-440C-A981-84F759309E49AmazonNever

There’s some extraneous text there, but I’m sure you easily figured out that I bought four sets of dishes from Amazon recently.

Oh, it gets worse. If you know how to use SQL, you can just ask the database for anything you like using standard tools.

$ sqlite3 Cha_Ching.1ccdb 
SQLite version 3.6.12
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select ztrans_title,ztrans_date,ztrans_amount from ztransentity
        where ztrans_title = 'Amazon' limit 5;
Amazon|206856000.0|-52.7999992370605
Amazon|207115200.0|-62.1100006103516
Amazon|203313600.0|-26.9699993133545
Amazon|187333200.0|-55.9500007629395
Amazon|209620800.0|-22.6000003814697

To make matters worse, the developers at Midnight Apps seem to have gone on permanent vacation. They have a public beta for Cha-Ching 2 out, and have for over a year, but there’s been nothing from them for the past several months. Nothing on their blog, their Twitter feed, not even their support forum.

Speaking of the beta, it’s all you can download. They don’t even have their 1.0 version up anymore (the only non-beta product they have). Huh? Since the beta is free, this means that not only can you not obtain their “production” version, it’s not currently possible for them to generate any sales.

I know what you’re thinking. They must have fixed this data encryption problem in version 2. Nope. The version 2 beta still just “locks” the data in the application. Looking around in their support forum, I found this amazing gem from the lead developer.

We have talked about this in the past…. The main issue is that we don’t want to ever permanently lock users out of their database.

If the database lock code is stored as part of the database itself then the user will not be able to access the database at all if they forget their password.

We are considering making some changes in this area but I can’t make any promises.

I am open to hearing suggestions though!

Yeah, if you don’t know the password, you can’t read the data. That’s the whole point! I wonder if this guy writes his PIN on the back of his ATM card.

Lessons learned:

  1. A password does not necessarily mean any protection exists.
  2. If you think something is encrypted, don’t assume it is; check.
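
One way to do that check on an application's data file, as an added example that is not from the original post or from the application: it looks for the plaintext SQLite header and measures byte entropy. The sample files, the 7.5 bits/byte threshold and the function names are assumptions made for illustration; the table and column names in the sample only mirror the query shown above.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, much lower for plaintext."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def assess_file(path: str, sample_size: int = 1 << 20) -> dict:
    """Report whether a data file looks like plaintext SQLite or like ciphertext."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    is_sqlite = sample.startswith(SQLITE_MAGIC)
    entropy = shannon_entropy(sample)
    # Heuristic threshold (assumption): encrypted data sits very close to 8 bits/byte.
    looks_encrypted = not is_sqlite and entropy > 7.5
    return {"plaintext_sqlite": is_sqlite, "entropy": round(entropy, 2),
            "looks_encrypted": looks_encrypted}


def build_samples(directory: str) -> tuple:
    """Constructed inputs: a plaintext SQLite file and random bytes standing in for ciphertext."""
    plain = os.path.join(directory, "sample_plain.db")
    conn = sqlite3.connect(plain)
    conn.execute("CREATE TABLE ztransentity (ztrans_title TEXT, ztrans_amount REAL)")
    conn.executemany("INSERT INTO ztransentity VALUES (?, ?)",
                     [("Amazon", -52.80), ("Amazon", -62.11)])
    conn.commit()
    conn.close()
    random_blob = os.path.join(directory, "sample_random.bin")
    with open(random_blob, "wb") as fh:
        fh.write(os.urandom(64 * 1024))
    return plain, random_blob


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for sample_path in build_samples(tmp):
            print(os.path.basename(sample_path), assess_file(sample_path))
```

A plaintext SQLite header is a definite "not encrypted"; high entropy is only a hint, since compressed data scores high as well.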