December 22, 2014

Duo Mobile iOS Security Advisory

Duo Security recently released an update to their iOS application that Edge recommends users install. This update addresses an issue with how credentials are stored (unencrypted) in iTunes on a user’s local machine. It is recommended that all users of the Duo Mobile application for iOS go to the App Store and download the latest update.

Are you affected?

This only affects users who are using the Duo Two Factor Authentication application on iOS. If you’re not using the app on your iPhone and are receiving login codes via voice or SMS, you are not affected. Android users are not affected.

How do I obtain the latest update?

Download the latest update on your iPhone by going to the App Store and searching for Duo Security. Alternatively, here’s a direct link. The latest update is version 3.5.1 of the iOS app, which was released on December 16, 2014.

How is this exploited?

Previous versions of the iOS application did not set a certain attribute, so user-initiated encrypted backups of an iOS device made through iTunes via USB could potentially contain the user’s Duo Two Factor credentials. Unencrypted backups via iTunes, iCloud, and iCloud Keychain are not affected.
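
For developers storing similar secrets, the following added example (not Duo's code and not part of the original advisory) shows a keychain item written so that it cannot be restored from a backup onto another device, plus the migration step for items saved by an older build. The advisory does not name the attribute involved; this sketch assumes it is the keychain accessibility class (kSecAttrAccessible), and the service name and function names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical service identifier for this example.
let service = "com.example.twofactor"

// Matches generic-password items this app stored under `service`,
// optionally narrowed to one account.
func matchQuery(account: String? = nil) -> [String: Any] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
    ]
    if let account = account {
        query[kSecAttrAccount as String] = account
    }
    return query
}

// Weak setting (assumed to be the one at issue): kSecAttrAccessibleWhenUnlocked
// leaves the item migratable, so an encrypted iTunes backup carries it in a
// form that can be restored elsewhere.
// Hardened setting: the ThisDeviceOnly variant keeps the item bound to this
// device's hardware key, so a backup copy is unusable on any other device.
func storeSecret(_ secret: Data, account: String) -> OSStatus {
    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    _ = SecItemDelete(matchQuery(account: account) as CFDictionary)

    var attributes = matchQuery(account: account)
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Items written by an older build keep their old accessibility class after the
// app is updated. Rewrite the class on every existing item at first launch.
func migrateExistingItems() -> OSStatus {
    let update: [String: Any] = [
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    ]
    let status = SecItemUpdate(matchQuery() as CFDictionary, update as CFDictionary)
    // No stored items is not an error for a migration pass.
    return status == errSecItemNotFound ? errSecSuccess : status
}
```

Backups taken before the migration still hold the old, migratable copy, so secrets that were exposed that way need to be re-enrolled rather than only re-stored.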
