v1.
MODULE 4
eLearnSecurity © 2014
iOS: Setting up a Test Environment
4. Introduction
With Android, we can install the SDK and use the
emulator to create our test environment. With iOS,
things are a bit different. The iOS SDK is available
only for Mac OS. Also, in order to test our app on
physical devices, we must create and register an
Apple Developer account (unless we have a
jailbroken device).
4.1. iOS SDK
The iOS SDK is a developer toolset for building Mac,
iPhone and iPad apps. The SDK comes with the
Xcode IDE, an iOS Simulator that can be used to
simulate both iPhone and iPad devices, and other
analysis and development tools.
It is important to note that a simulator is different
from an emulator (as on Android). A simulator
cannot run compiled iPhone or iPad applications
(.ipa files) because those apps do not contain a
binary for the x86 architecture (they are compiled
for ARM architectures).
The only apps that we will be able to run on the
simulator are the applications of projects that can
be opened within Xcode.
Let us look at how to install the SDK, how to use
the Xcode IDE, run simulated devices and interact
with them.
The first thing we have to do is to download and
install the SDK.
You can get it by searching for ‘Xcode’ in the Apple
store or by clicking the button ‘View in Mac Apple
Store’ at the following link:
developer.apple.com/xcode
Once you click, the Apple store should be
displayed. Follow the installation process by
clicking on the button ‘Install App’.
Once Xcode finishes installing, you should have a new
icon in the dock. If not, you can launch it by searching
for Xcode in Spotlight or by running the Xcode app
located in the folder:
• Mac HD->Developer->Applications->Xcode.
4.1.1. Xcode IDE
To start creating your app, click on “Create a new
Xcode Project” and then choose the app template.
We can leave the default config and click next.
In the next pane, choose the app name,
organization, etc. and click next.
In the last pane, select the destination folder for
your project. In this case, it will be els.
Once we click ‘Create’ the Xcode IDE will appear.
This is the main Xcode window. Let us have a look.
On the top we have the toolbar:
• Run the app
• Xcode project name
• Scheme name
• Destination device
• Activate/Deactivate Breakpoints
• Editor button view (Standard/Assistant/Version)
• View buttons (Hide/Show pane)
On the left is the navigation pane. Here we can see
all the files in our project, search for specific text,
list issues, breakpoints and so on.
Depending on the resource selected in the navigation
pane, in this area you will find the source code as well
as project options, app preview and more.
The last pane on the right is called the Utility Area.
This is divided into two more panes:
Inspector (top) Library (bottom)
The inspector displays file metadata, detailed
information about a specific object, configuration
attributes, actions and more.
Within the library we can access libraries of
resources that can be used in our project, such as
snippets, interface objects, and media files.
This is just a brief overview of what Xcode is. We
suggest that you play with it in order to get the
most out of the tools and utilities that this IDE
offers. We will see a handful of them during the
course.
One of the next developer tools that we are going
to look at is iOS Simulator.
4.1.2. iOS Simulator
The main purpose of the iOS Simulator is to help
developers run and test their applications and of
course it can be used for security tests!
As we will see later on, this can be very useful to
analyze app behavior and to intercept and analyze
network communications.
We can start the simulator a few different ways.
From Xcode, we can click on the top menu:
‘Xcode -> Open Developer Tool -> iOS Simulator’.
We can also start it from the Xcode folder by
opening Content->Applications->iPhone Simulator
Once the simulator starts, you will see something like
the image on the right. We can now interact with the
simulated device; we can browse web pages, start apps
and so on.
On the top menu we have several tools that we can
use to configure or interact with the simulator. For
example, you can choose a different device by
selecting Hardware->Device.
The default path for the simulator files is:
• /Users/<your_user>/Library/Application Support/iPhone Simulator/<Version>/
This may be useful in helping you understand how
information is stored on the device.
Apps and device data are stored in this folder. For
example, browsing Safari we can see .plist and .db
files. Those files contain information like
bookmarks, searches, and history.
The iOS Simulator is especially useful if we have to
perform security tests against an application or
analyze network traffic, but remember that we
need the app source code or at least the
application binaries (compiled for the simulator) to
test in this manner.
Let us look at how to create, run and import an app
on the simulated device.
4.1.3. Writing an iOS app
Head back to Xcode and open a new project. Right-click
on the navigation bar, select ‘New Project’ and then
follow the creation steps. We can also open
File->New->Project.
We can leave the default project configuration
options unchanged and click on the navigation area,
on the MainStoryboard_iPhone.storyboard file.
The storyboard tool allows us to view our user
interface, showing us the app screens (scenes) and
their connections.
Since this is a basic app, let us start with a single
scene. What we want to create is a simple app that
displays a message when we click a button.
First of all we need to create two objects: a button
and a label. The label will display our message,
“Hello World.”
In the storyboard view, drag and drop the object
‘Round Rect Button’ from the library to the scene.
Now, edit the button properties in the inspector
pane. Set the button label to “Click ME!”.
Do the same with a label object and set its Label
Text value to empty.
Now that we have our object on the screen, we
have to instruct Xcode that these objects can be
used in the project. The Xcode IDE allows us to do
that very simply. Drag and drop the object from the
storyboard view into our code. On the top left,
change your project view as follows:
With this configuration, we should be able to see
both the app preview and the code editor. Files
with a .h extension contain variable declarations,
classes and methods used by the code.
Now, add the label to the code. To do that, hold the
ctrl key down and then drag and drop the label into
the editor pane.
A dialog box should appear as soon as you release
the mouse button. Here, insert the name ‘label’,
leave the remaining default configuration
unchanged and then click ‘Connect’. The label will
be added to the code.
Now, drag the button to the code. This time we will
drag it to right after the previous statement, and
we will choose the connection name “Action”.
Having done this, both label and button can be
used in the implementation file. Implementation
files have the extension .m and they contain the
actual code.
Open the file ViewController.m and we will write
our code.
As we can see, near the bottom of the
implementation file, there is a line similar to the
one created in the header file (.h). It is the method
that will contain the code to run when we click the
‘Click ME!’ button.
[Screenshots: implementation file and header file]
Let us put our code in the buttonHello method. We
want the button press to cause the label to change
its content and display the message, “Hello
World!”. Edit the label content with the following
statement:
[Screenshot of the statement: it sets the text property
of the label object to the string “Hello World!”]
Our code is complete! Click the run button on the top
left and wait until Xcode builds the project. Once it is
done, the simulator appears, showing our application.
The previous code is obviously very simple. It is a
good idea to create more apps and become
familiar with Xcode and Objective-C.
Also note: apps that you have built before can be
found in the following folder:
“/Users/<your_user>/Library/Application Support/iPhone Simulator/<Version>/Applications/<App_ID>”
The contents of this folder are useful if you want to
share the app without sharing the source code.
We can copy the app to another system (in the
same location!) and the iOS simulator will
automatically load the app.
4.2. iOS Simulator and Xcode limitations
As we pointed out earlier, many features available
on physical devices (such as device configurations
or apps) are not available on the iOS Simulator.
Also note that we cannot install third party
software unless we have the Xcode project or the
application compiled for the iOS simulator.
This also means that we cannot install apps from
the Apple Store on the simulator.
Also, if we want to test our code on physical
devices, we need to sign up (and pay $99!) for a
developer account (or use a jailbroken device).
Actually, if we try to build and run the app on a
physical, non-jailbroken device (without a
developer account), we will get a Code Sign error
like this one:
[Screenshot: Code Sign error; the destination is an actual device]
As we will see later on, if we do not have a
developer account, we can still sign our code (with
a custom certificate like a self-signed one) and run
the app on physical devices, but they must be
jailbroken.
4.3. File System and Device Interaction
Apple devices are far more locked down than
Android devices. By default, there is no file system
access (compared to ADB for Android).
The best way to deeply analyze our Apple device
requires that we jailbreak it and then connect via
SSH.
If we do not have a jailbroken device we can still
access some information. We can use iTunes to
access files such as photos or music, or use third
party software to access application data,
documents, and backups; we will still not be able to
access or browse the entire file system.
Let us see what kind of data we can access on a
non-jailbroken device. If you have an Apple device
you probably have iTunes installed on your
machine.
In case you do not, you can download it here
(Windows or Mac OS).
Once iTunes is installed, run it and connect the
device. Note that if iCloud is not enabled on the
device, information such as photos, contacts, app
settings and more will be automatically backed up
to your machine.
Here you can find details about what data is backed
up and where it is stored. This is critical because
data may be stored without encryption.
As you can see in the following device snapshot, when
we enable iCloud, a pop-up appears, warning us that
data will no longer be automatically backed up by
iTunes.
The first time we connect the device to our
machine, iTunes asks for some information and
then automatically syncs the data. Once the
process ends, we should be able to navigate device
data such as Music, Movies, Purchased and more.
During this process, iTunes will ask to download
iCloud and will also ask for Apple ID credentials. If
we do not provide the credentials, some
information will not be displayed and some
features will be disabled. For example, we will not
be able to manage installed apps on the device.
Information such as Contacts, Mails or Calendars
will be automatically synced using the corresponding
app. Here, for example, the iCal app on the Mac will be
synchronized with the iPhone calendar.
Interestingly, though, a backup is automatically
created on the machine. If we navigate to
~/Library/Application Support/MobileSync/Backup/, we
can see the backup data.
There is not much interesting data that we can
access with iTunes, but there are other programs
that allow us to get more information from the
device. A couple are iExplorer and iFunBox (both
available for Mac and Windows).
Note that you will still need iTunes installed on your
machine.
4.3.1. Directory Structure
Before using these tools, let us talk about the
iPhone app directory structure. When an app is
installed on a device, iOS creates the main app
directory, sub-directories and sets all the privileges
(for sandboxing purposes). The structure is the
same for every app; the main directory is created
as follows:
“/var/mobile/App_name”
This folder contains all the data and configuration
the app needs:
It is important to note that iPhone applications may
store critical information in these folders.
They can be stored as plist files, databases, cached
files or logs.
4.3.2. Plist files
A property list (plist) file is structured as XML and is
used to store and access information.
Each entry in the plist is a key-value pair and may
be used by the application to get values such as the
name of the executable file, the version, the
platform, etc.
In this file, we generally find very disparate
information sets like user preferences,
configurations, sensitive information like
credentials, cookie values, URLs and so on.
Applications may use these values to make runtime
decisions (for example: an app may or may not
display information depending on a value stored in
the plist).
Since these files are structured as XML, they can be
read with any text editor, but if we want better output
on Windows we can use external tools such as Plist
Editor for Windows (Mac OS does not need an external
tool).
4.3.3. Databases
Every app needs to store data and, just like in
Android, the best way to do this is using SQLite
databases. The reason why mobile OSs use SQLite
is that it treats databases as flat files: the OS does
not need to have a server running on the device. In
this way, each application can create its own
databases and interact with them with standard
SQL constructs such as SELECT, INSERT, UPDATE and
DELETE.
Most applications use SQLite databases to store
large data sets; this makes databases one of the
best targets for security testing. In these, we can
find credentials, specific configurations and other
forms of sensitive information.
Since they are flat files, we can simply retrieve
them from the device and run SQL queries to read
data.
There are many tools that we can use to navigate
or access data stored in a SQLite database.
Tools like SQLite Manager are very useful since they
offer a GUI to interact with the database. We can,
of course, use the sqlite command line shell to
query the database.
For example, in the following screenshot, we can
see what types of data may be stored in a database
(Dropbox in this case).
4.3.4. Logs and Cache files
All data needed for the application is stored in the
main folder. This includes log files, cache files,
documents, images, etc.
These files can reveal very useful information and
we have to investigate them during our security
tests and analyses.
4.3.5. Browse Application Files and Folders
Now that we know how application folders are
organized and what data can be stored, let us see
how to get these files using one of the two tools
mentioned earlier: iFunBox.
Once the device is connected to our machine, we
will be able to browse device information using the
tabs at the top. The most important tab is ‘iFunbox
Classic’, which allows us to browse part of the device
file system.
Here we can navigate app files, photos, raw files,
and device information like the device serial
number and software version.
Not all applications can be browsed with these
tools (only user-installed apps). We will not be able
to inspect applications like Mail, Browser, iTunes, or
App Store.
To obtain full access, we need a jailbroken device;
we will talk about that later on.
The following screenshot shows Dropbox files and
folder structures. These files are very important
and they can reveal very sensitive information like
usernames, passwords, and cookies.
4.3.5.1. Plist
We may even be able to access information related
to the app by inspecting databases or plist files. For
example, in the plist file, we can see the Dropbox
username.
In addition to plists (something that almost every
application stores), there are specific files that each
application stores in its folder that can reveal
sensitive data.
Let us use Dropbox as a target app and see what
kind of data we can gather.
4.3.5.2. Databases
The Dropbox.sqlite file stored in the
Dropbox\Documents folder reveals the names and
the extensions of the files.
4.3.5.3. Library and Caches
In the \Library\Caches\Dropbox folder we can find
the actual files the app stores. As we can see in the
following screenshot, there are some photos that
were taken with the phone.
In order to see these pictures, we just need to open
one of the folders in the previous screenshot and then
change the file extension based on the name of the
folder.
4.3.5.4. Cookies.binarycookies
Many apps store their cookies in a file named
Cookies.binarycookies. This file can be found in the
AppName\Library\Cookies folder but, since it has a
specific format, we need external tools to view its
content.
Here is more information about the binarycookie file.
Safari Forensics Tools (SFT) is a tool that can read
Cookies.binarycookies file contents. We can
download it here. It is available for Windows and
Linux systems and it can be run from the command
line with a simple command:
> safari_cookie_bin.exe path_to_Cookies.binarycookies
Once we run SFT, the tool gathers information
about the cookie like URL, name, creation date,
expiration date, path and content.
4.3.6. Extract Files from a Device
By selecting any of the elements in this view we
can export folders and files to our machine. This is
very useful if we want to perform further tests on
binary files, databases, plists and more.
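One way to triage an exported app folder for the plist and SQLite findings described in sections 4.3.2 to 4.3.5. This is an added example, not code from the course; the keyword list, the function names and the sample folder it builds are assumptions made for illustration.

```python
import plistlib
import re
import sqlite3
from pathlib import Path
from xml.parsers.expat import ExpatError

# Key and column names that deserve a manual look (assumed list; tune per app).
SENSITIVE = re.compile(
    r"pass(word|code)?|token|secret|cookie|session|user(name)?|email|auth", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite file


def walk_plist(node, prefix=""):
    """Yield (key_path, value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_plist(value, f"{prefix}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_plist(value, f"{prefix}[{index}]")
    else:
        yield prefix, node


def audit_plist(path):
    """Return key paths of a plist (XML or binary) whose key name looks sensitive."""
    with open(path, "rb") as handle:
        data = plistlib.load(handle)
    return [key for key, _value in walk_plist(data)
            if SENSITIVE.search(key.rsplit("/", 1)[-1])]


def audit_sqlite(path):
    """Return 'table.column' names that look sensitive; the file is opened read-only."""
    findings = []
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = table.replace('"', '""')
            for column in conn.execute(f'PRAGMA table_info("{quoted}")'):
                if SENSITIVE.search(column[1]):
                    findings.append(f"{table}.{column[1]}")
    finally:
        conn.close()
    return findings


def audit_app_folder(root):
    """Walk an exported app folder and map relative file path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as handle:
            head = handle.read(16)
        try:
            if head == SQLITE_MAGIC:          # databases rarely share one extension
                hits = audit_sqlite(path)
            elif path.suffix == ".plist":
                hits = audit_plist(path)
            else:
                continue
        except (sqlite3.DatabaseError, plistlib.InvalidFileException,
                ExpatError, ValueError) as err:
            hits = [f"unreadable: {err}"]
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_folder(root):
    """Create a small constructed app folder (not real app data) for the demo."""
    prefs = Path(root, "Library", "Preferences")
    docs = Path(root, "Documents")
    prefs.mkdir(parents=True)
    docs.mkdir(parents=True)
    with open(prefs / "com.example.app.plist", "wb") as handle:
        plistlib.dump({"Theme": "dark",
                       "Account": {"username": "alice@example.com",
                                   "AuthToken": "constructed-value"}}, handle)
    conn = sqlite3.connect(docs / "cache.sqlite")
    conn.execute("CREATE TABLE files (id INTEGER, name TEXT, ext TEXT)")
    conn.execute("CREATE TABLE accounts (id INTEGER, email TEXT, session_cookie TEXT)")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in audit_app_folder(build_sample_folder(tmp)).items():
            print(name, "->", ", ".join(hits))
```

The report lists names only, never values, so it can be attached to findings without copying the secrets themselves.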
4.3.7. Snapshots
You should know that every time the device home
button is pressed, iOS takes a snapshot of the
current state of the application (used for zoom-in
and zoom-out animations) and stores this snapshot
in the following folder:
- app_name/Library/Caches/Snapshots.
Here we can see how easy it is to access these
snapshots by browsing the app folder.
As you can imagine, this iOS feature can lead to some
data leakage and we could get information from every
app installed on the device.
4.3.8. Export Installed Apps
The Copy To PC option allows us to export installed
applications. Each app folder contains a folder named
app_name.app that we can easily export. As we will see
in the next modules, even if it is not an .ipa file, the
contents of .app folders can be used to perform
security tests against the app.
4.3.9. Install Applications
Another feature in iFunBox is the ability to install
applications on the device. We just need to click
Install App and select the .ipa file.
As you can imagine, on non-jailbroken devices, the
installation process will fail if the .ipa package is
unsigned, unofficial or modified. In this case we
need to jailbreak the device and use AppSync from
Cydia.
4.3.10. SSH Access
iFunBox also allows us to interact with the device
using an SSH connection, but this option is
available only if the device has the SSH service
running in the background (available if the device is
jailbroken).
We will see what data can be retrieved from
jailbroken devices later on.
To open the shell we can open the “Quick Toolbox” tab
and click on “SSH Terminal”.
This opens a new window in which we can run
commands directly on the device.
It is important to know that on non-jailbroken
devices, not all files and folders are accessible and
writable. We cannot, for instance, write system or
application files.
Editing an application file, for example, would
cause the application to crash.
4.3.11. Xcode Organizer
By opening the Organizer window in Xcode (top-right)
we can interact with the device and access
information like logs, applications and screenshots.
Here we can see console logs and we can also take
screenshots from the device.
4.4. Backups
What we have seen to this point is information that
we can gather directly from the device, but there is
much more information that we can obtain if we
are able to access backup files.
As you already know, if iCloud is not enabled, when
the device is connected to a PC or Mac, it will
automatically back up its data.
Note that if the device is protected with a
passcode, iTunes will prompt us to enter it (on the
device), and only if the code is correct will we be
able to back up or synchronize the device.
Starting with iOS 4, iTunes offers the ability to
encrypt backups. While this feature is useful for
restoring backups on different devices (impossible
if the backup is not encrypted), it is important to
know that by default this option is disabled. If this
option is not enabled, the keychain file containing
usernames and passwords is still encrypted using
hardware keys stored on the iPhone (but other
information will be available).
iTunes will store the data in different locations
based on your machine’s OS:
• Mac: ~/Library/Application Support/MobileSync/Backup/
• Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
• Windows Vista and Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
All files stored in the backup folder are unreadable.
They have no file extension and their name is 40
hex characters long.
Each filename is the SHA1 hash value of the
domain name followed by the file path
(Domain-Path). For example, the SHA1 value of:
HomeDomain-Library/Calendar/Calendar.sqlitedb
(domain name HomeDomain, file path
Library/Calendar/Calendar.sqlitedb) is:
2041457d5fe04d39d0ab481178355df6781e6858
This information, and more, is stored in four files
contained in each backup:
• Info.plist
• Manifest.plist
• Manifest.mbdb
• Status.plist
Info.plist
• Contains information like build version, GUID, IMEI, phone number, etc.
Manifest.plist
• Contains application details, BackupKeyBag, encryption information, etc.
Manifest.mbdb
• Binary file containing the list of file names contained in the backup.
Status.plist
• Contains information about the backup.
More information on this can be found here.
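The Domain-Path naming rule and the Manifest.mbdb file list can be combined to find which 40-character file in an unencrypted backup holds a given database or plist. This is an added example, not code from the course; the mbdb record layout it parses is the one commonly documented by the forensics community and is not given on this page (treat it as an assumption), and the sample manifest is constructed.

```python
import hashlib
import stat
import struct

# Fixed-size part of a record: mode, inode, uid, gid, mtime, atime, ctime,
# file size, protection flag, number of properties (assumed layout, big-endian).
FIXED = struct.Struct(">HQIIIIIQBB")
REVIEW_SUFFIXES = (".plist", ".db", ".sqlite", ".sqlitedb", ".binarycookies")


def backup_filename(domain, path):
    """Name of the file inside the backup folder: SHA1 of 'Domain-Path'."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def _read_string(buf, offset):
    """Read a string prefixed by a 2-byte length; 0xFFFF marks an empty field."""
    (length,) = struct.unpack_from(">H", buf, offset)
    offset += 2
    if length == 0xFFFF:
        return "", offset
    if offset + length > len(buf):
        raise ValueError("truncated string in Manifest.mbdb")
    return buf[offset:offset + length].decode("utf-8", "replace"), offset + length


def parse_mbdb(buf):
    """Yield (domain, path, mode, size) for every record in a Manifest.mbdb blob."""
    if buf[:4] != b"mbdb":
        raise ValueError("not a Manifest.mbdb file")
    offset = 6  # 4-byte magic plus 2-byte version
    while offset < len(buf):
        domain, offset = _read_string(buf, offset)
        path, offset = _read_string(buf, offset)
        for _ in range(3):  # link target, data hash, encryption key: skipped
            _, offset = _read_string(buf, offset)
        mode, _ino, _uid, _gid, _mt, _at, _ct, size, _flag, nprops = \
            FIXED.unpack_from(buf, offset)
        offset += FIXED.size
        for _ in range(2 * nprops):  # each property is a name and a value string
            _, offset = _read_string(buf, offset)
        yield domain, path, mode, size


def review_targets(buf):
    """Return [(stored_name, domain, path, size)] for regular files worth opening."""
    targets = []
    for domain, path, mode, size in parse_mbdb(buf):
        if stat.S_ISREG(mode) and path.lower().endswith(REVIEW_SUFFIXES):
            targets.append((backup_filename(domain, path), domain, path, size))
    return targets


def _pack_string(text):
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_sample_mbdb(entries):
    """Build a constructed manifest (not taken from a real device) for the demo."""
    blob = b"mbdb\x05\x00"
    for domain, path, mode, size in entries:
        blob += _pack_string(domain) + _pack_string(path) + b"\xff\xff" * 3
        blob += FIXED.pack(mode, 0, 501, 501, 0, 0, 0, size, 0, 0)
    return blob


# Constructed entries: one directory, two review targets, one ordinary file.
SAMPLE_ENTRIES = [
    ("HomeDomain", "Library/Calendar", 0o040755, 0),
    ("HomeDomain", "Library/Calendar/Calendar.sqlitedb", 0o100644, 32768),
    ("AppDomain-com.example.app", "Library/Cookies/Cookies.binarycookies", 0o100644, 512),
    ("AppDomain-com.example.app", "Documents/photo.jpg", 0o100644, 1000),
]

if __name__ == "__main__":
    for name, domain, path, size in review_targets(build_sample_mbdb(SAMPLE_ENTRIES)):
        print(f"{name}  {domain}  {path}  ({size} bytes)")
```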
Since backups are not just a copy of the files
contained on the device, we need external tools to
inspect iOS backups. There are many tools that
allow us to load, view and edit unencrypted
backups.
A couple are iExplorer or iBackupBot.
Once we have a backup stored on our machine, we
just need to run one of these and they will
automatically load and organize the data for
viewing.
[Screenshots: iExplorer and iBackupBot]
From here, we can browse user information such as
contacts, messages, and photos. We can also
inspect system and app files.
As you can imagine, accessing this information is
very useful for security purposes.
We can inspect almost every piece of information
stored on the device and gather sensitive data like
usernames, passwords, contacts, photos, and
account data.
When dealing with encrypted backups, these tools
may fail to access the data. As you can see in the
following screenshots, if we try to open an
encrypted backup, the tool prompts us for the
password.
[Screenshots: iExplorer and iBackupBot]
Even if we enter the correct password there is still
some information that we cannot access because
of an enforced encryption mechanism:
keychain-backup.plist
Now we know how backups are stored and what
security features are implemented by iTunes and
iOS to protect the backup data.
Let us look at these files in greater detail and
discover how to manage encrypted backups,
decrypt them, recover passcodes or hardware keys,
access and edit all the data.
4.5. Interact with Jailbroken Devices
We already know how to interact with
non-jailbroken devices: what kind of information we
can gather and which tools we can use. It is time
for us to focus on what we can do with jailbroken
devices.
As you already know, the jailbreak disables some
security features implemented by iOS, allowing us
to install almost any application.
Generally, jailbroken devices have the Cydia app
installed by default. As the developer says on his
website:
“Cydia is an alternative to Apple's App Store for
‘jailbroken’ devices, specializing in the distribution
of all that is not an ‘app’.”
Note that we can still use Apple’s App Store.
Cydia is one of the most important apps for us
because it allows us to install applications,
command-line tools and much more. Thanks to Cydia and
its tools we will be able to gain full access to the
device.
4.5.1. SSH Access
The best way to interact with the device is via SSH. By
default, SSH is not installed on jailbroken devices but
we can easily install it by opening Cydia and following
the “Open SSH Access How-to” instructions under the
User Guide section.
Once we click on the entry we will be redirected to a
screen with a step-by-step guide. As the guide says,
the first step is to install OpenSSH by clicking on the
blue link to the package.
On the OpenSSH package screen, click on ‘Install’ at
the top right corner and allow the install to complete.
Once OpenSSH is installed, we can return to Cydia
and follow the next steps. In order to be able to
establish a connection we have to create a link
between the SSH server (iPhone) and the SSH
Client (our machine). This can be done using WiFi,
but we have to connect the iPhone to the same
network as our machine and find its IP address.
To do this just open Settings->Wi-Fi and click the blue
arrow to the right of your attached network. On the
next screen, you will see the IP address assigned to
the device. Write down this address as we will need it
to initiate the connection.
Now that the device is set up and we have all of the
information, we can establish the SSH connection.
To do this we can use any of a handful of tools. On
Windows, the most common SSH client is PuTTY,
while on Mac and Linux machines we can simply
open the terminal and use the ssh command
followed by the IP address of the server (the
iPhone in our case).
4.5.1.1. SSH Access - Windows
Let us first see how to establish the connection in
Windows and then look at how to do this from
Mac/Linux OS.
Once you start PuTTY
you will see a screen
like the following.
Enter the IP address in the Host Name field and
then click Open (at the bottom of the screen). If
everything goes well, you should see the PuTTY
command line asking for login credentials.
The default credentials for OpenSSH on our iPhone
are username: root and password: alpine. Enter the
credentials and see if you are able to establish the
connection. If the credentials are correct, we will
see something like the following screen (meaning
we have root SSH access on the device).
Please consider changing the default
password as soon as possible!
4.5.1.2. SSH Access – Mac/Linux
Before running any shell commands, let us see how
to establish the connection with Mac/Linux OSs. As
we said before, we just need to open the terminal
and run one of the following commands:
>> ssh IP_address -l username
>> ssh username@IP_address
where IP_address is the IP of the device and
username is root (default username).
4.5.1.3. SSH Via Cable
TIP
If the Wi-Fi SSH connection is too slow, we can still
set up our machine to use the wired USB cable. We
first have to attach the iDevice via USB and then
download a tool called itunnel (or itnl).
The tool is available for both Windows and OSX.
To use itunnel, extract the files, open the terminal
(or command shell) and navigate to the location
where the files were extracted.
Once there, run the following command:
./itnl --lport 8888 --iport 22
where lport is the local port on our system and
iport is the remote iDevice port (22 for SSH).
Now we can connect via SSH by typing:
>> ssh root@127.0.0.1 -p 8888
In this way we are forwarding the connection
through the USB cable and, as expected, the
connection will be much faster than Wi-Fi.
Note that itunnel works for VNC connections, too (we will see later
on how to set up a VNC server on the iDevice). We just need to set
the lport as desired and set the iport to 5900.
4.5.1. SSH Access
With SSH access
to the device we
have complete
control of the
device; we can
navigate, inspect
or edit any file and folder on the device.
Note that the same operations can be performed with PuTTY.
For example, we can navigate to the SMS folder
and read all the text messages by querying sms.db.
It is important to note that some commands (such
as id and more) are not available by default.
There are a set of other tools that we will need for
our security tests later on. Since we want a fully
functional SSH shell we will have to install these
command line apps separately.
4.5.1.4. BigBoss Recommended Tools
One of the most important
packages that we need on
our jailbroken device is the
BigBoss Recommended
Tools. To install it, open
Cydia, move to the Search
tab and search for BigBoss
Recommended Tools.
BigBoss, together with other apps, allows us to
install tools that are very useful for inspecting and
interacting with the device. As we can see in the
following screenshot we now have many more tools
and commands that we can run from the SSH shell:
4.5.2. SFTP
Now you know how to access the device via SSH
and how to inspect almost every file on the device.
As you can imagine, sometimes it may be useful to
download these files from the device in order to
inspect them on our machine.
We need a way to send and retrieve files between
our machine and the device.
Since we already have SSH enabled on the iDevice,
one method to browse remote files is to use a
client that supports the SSH File Transfer Protocol
(SFTP). This can be done with software such as
Filezilla (Win/Mac/Linux) or Cyberduck (Win/Mac).
Tools such as iFunBox or iExplorer (from earlier) are
also able to navigate, export and import files to and
from jailbroken devices.
With Cyberduck, we need to click on “Open Connection” at
the top left of the window, select SFTP from the dropdown
menu and then insert the same information that we used
for SSH: IP address of the device, username (root)
and password (alpine by
default, but you should
change this to something
long and complex for
security reasons).
Once we click on
connect we will be
able to browse the
entire device in the
lower pane of the
app.
In a very similar way, we can use Filezilla with the
following settings:
- Host: Device IP
- Username: root
- Password: <your carefully chosen password>
- Port: 22
We can now just drag and drop files and folders
from our device to our machine and vice-versa.
As you will soon see, this is very useful because we
will be able to inspect specific files with external
tools that cannot be run on the device itself.
4.5.3. Explorer Software
So, a jailbroken device allows third party software
such as iFunBox, iExplorer and others to view and
retrieve the entire contents of the device. As you
can see in the following screenshots, we are able to
navigate, edit and view everything on the device.
We just need to attach the device to our machine
(no Wi-Fi needed) through the cable.
Tools such as iFunBox also allow a connection to
devices via SSH. The difference between the
iFunBox SSH client and the classic SSH shell is that
with iFunBox we do not need a Wi-Fi connection.
We just need to attach the device via USB and then
open the SSH Terminal in iFunBox.
Here, for example, we can open the tab Quick
Toolbox and then click on ‘SSH Terminal’:
4.5.4. VNC
Another very useful way we have
to interact with the device is to
use Virtual Network Computing
(VNC).
By default, VNC is not installed
on the device so we have to
install it by adding (via Cydia) the
package named Veency.
Once Veency is installed, we
can edit its configuration by
opening Settings->Veency.
Here, we can enable/disable
the VNC service or change the
password used to connect.
After the package has been installed and
configured, we have to install a VNC viewer on our
machine. This way we will be able to interact with
the device more quickly, because of the USB cable
and the faster human interaction that the keyboard
and mouse of a desktop computer provide.
One of the best tools available is Real VNC Viewer.
It is free and cross-platform.
Since VNC is not very fast, using it via Wi-Fi may be
too slow; we are going to look at how to configure
our machine to use VNC via cable.
We already know how to use itunnel to establish an
SSH connection. We will use the same method to
hook up VNC.
Since we know that VNC uses port 5900, we are
going to run the following command:
This allows us to forward the VNC connection from
our host to the device through the cable.
Now we just need to start VNC Viewer, start the
connection to the host 127.0.0.1 and type the
password set in VNC settings (on the device).
If the connection is successful, we should see the
following screen on the device:
Now, using the mouse and keyboard, we can
interact with the device without touching it. We
can simulate every interaction with the device
using the mouse buttons:
• left click: touch screen
• middle click: lock button
• right click: menu button
Video: iOS Device Interaction
4.5.5. Run Apps without a Developer Account
You may remember that we were not able to run
our first app on a physical device due to the code
signing limitation. On a jailbroken device these
security features are no longer in place.
This means that we are now able to create, build
and run our own apps on the device.
There are many ways to run apps on jailbroken
devices. We can configure Xcode to sign the app
with a custom self-signed certificate, we can set
Xcode to just build the app without signing or we
can use other tools like AppSync to install .ipa files.
4.5.5.1. Do not code sign
Let us first see how to
configure Xcode to
avoid signing the
application.
This will allow us to
successfully build our
app for jailbroken devices. The first step is to edit
the SDKSettings.plist file located at:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk/
In the plist file, change the value of
CODE_SIGNING_REQUIRED to NO and save.
Now open Xcode (or close and reopen it) and set
the project Build Settings to “Do not code sign” in
the Code Signing Identity tree:
We should be able
to successfully
build the project by
clicking Project->
Build. If it succeeds,
the app_name.app
in the left panel will
turn black.
Now we have to upload the app_name.app to our
device. This can be done via SFTP, SSH or any other
way (iFunBox, iExplorer, etc.). First, locate the app
we have just built by right-clicking the
app_name.app and selecting ‘Show in Finder’.
Next, copy the
file into the
/Applications
folder on the
device. (Once
again, use SFTP,
SSH or third
party software).
So, we have stored our app, but it appears that
nothing really changed on the device. There is no
icon launcher for the new app because we have to
refresh SpringBoard (the iOS app that manages the
Home Screen). We can use external tools available
in Cydia to do that. So let us head back to Cydia,
search for the app named Respring and install it.
Once the app is
installed we should
have a new icon
named Respring.
Just click it and wait
until it finishes.
Now we have to
unlock the device
and we should see
our HelloWorldiOS
app on the home
screen.
If the app crashes at startup, access the device
using SSH and set the privileges on the file in the
app folder to 755 with the following command:
chmod -R 755 /Applications/your_app.app
4.5.5.2. Self-Signed Certificate
The other way to build and run custom applications
on jailbroken devices is to use a self-signed
certificate.
In the next slides, we will explain this method.
The first step is to create a self-signed certificate
that Xcode will use to sign our apps. To do this,
open ‘Keychain Access’ and then select:
Keychain Access->Certificate Assistant->Create a Certificate
In the next window, choose a name for the
certificate (iPhone Developer is the default option),
select ‘Code Signing’ in the last dropdown menu
and check the box ‘Let me override defaults’.
With these settings, click on continue and then set
the Serial Number and Validity Period as desired
(both fields are numeric).
Now click on continue and enter the last bit of
information. You can leave all the settings as they
are and continue until it creates the certificate.
Once the creation process is complete, we should
see a few new entries in the Keychain Access
window; we will use this new certificate to sign our
app in Xcode.
Now that we have the
certificate, we need to
configure Xcode. In
order to display the
certificate in the build
settings we have to edit the info.plist file located in
the following path:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform
We have to replace
every occurrence of
XCiPhoneOSCodeSignContext
with
XCCodeSignContext
(three changes total).
Now, save the plist and open our Xcode project. If
everything has been set up correctly, we should be
able to choose the new certificate in the Build
Settings tab.
Now, set your
certificate
(eLS_Certificate) in
each entry of Code
Signing Identity and
build your project. Xcode should pop up a message
that asks you to allow the certificate. Click Always
Allow in this window and your build should
succeed.
As we can see in the left pane, the file
app_name.app is now black (instead of red).
Now that we have our .app file
built, you can transfer it to the
device (the same way you did for
the unsigned app) and then use
Respring (or reboot the device)
to reload the home screen. If
everything goes well, we will see
the app in the home screen and
be able to run it.
4.5.5.3. Create and Run Custom Applications
There are many other ways to install applications to
the device. For example, we can create an .ipa file
that contains the application itself. Then, we can
install it the same way as all other applications.
We can also install and run applications directly
from Xcode.
If we jailbreak the device and then try to install our
applications from iTunes, iFunBox or Xcode, the
installation process can fail.
To resolve this issue, you need to install AppSync
from Cydia. The package is present in the
AppAddict repository (http://cydia.appaddict.org).
Open the Manage tab
in Cydia and then open
Sources->
AppAddict.org and
select AppSync for iOS.
From now on, installing and running applications
will be much easier and faster. We can run
applications from within Xcode by selecting the
physical device and then clicking Run.
With AppSync installed on the device, you can use
iTunes or other third party software like iFunBox to
install your applications.
Once you have built the application, you can simply
drag it into iTunes and install it to the device.
1) Drag the .app file into iTunes
2) Click on Install on the App Device view
3) Click on Apply to confirm the changes
4) Once all the operations are complete, we should
have the app installed, ready to launch.
In the following screenshot we can see that our
application is now installed in the User/Applications
folder. We no longer need to copy the app into the
/Applications folder and then restart SpringBoard
as we did previously.
4.5.5.4. From .app to .ipa
Some applications (e.g. iFunBox) may require an
.ipa file to install the app to the device. Let us check
out the steps to create an .ipa file from an .app file.
Note that we will have to use the same structure
used by other applications.
To do this, first create a new folder with the name
‘Payload’ and copy the .app file in it.
Now right click on the Payload folder and select
‘Compress’. This will create a new archive named
Payload.zip.
Of course, .ipa files are just compressed files. So,
we can change the file name from
Payload.zip to OurAppName.ipa.
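The packaging steps above can be scripted and checked. The following is an added example (not part of the original course material) that builds the Payload/ layout with Python's zipfile module and then verifies the archive, including whether the main binary kept its executable bit, the same permission problem that the chmod 755 fix addresses for apps copied by hand. The bundle contents are constructed placeholders and the function names are hypothetical.

```python
import plistlib
import stat
import tempfile
import zipfile
from pathlib import Path


def build_ipa(app_dir: Path, ipa_path: Path) -> Path:
    """Zip <name>.app under a top-level Payload/ folder, as done by hand above."""
    if app_dir.suffix != ".app" or not app_dir.is_dir():
        raise ValueError(f"{app_dir} is not an .app bundle directory")
    with zipfile.ZipFile(ipa_path, "w", zipfile.ZIP_DEFLATED) as ipa:
        for path in sorted(app_dir.rglob("*")):
            if path.is_file():
                # ZipFile.write() stores the Unix mode bits, so the executable
                # bit on the main binary survives packaging.
                arcname = Path("Payload", app_dir.name, path.relative_to(app_dir))
                ipa.write(path, arcname.as_posix())
    return ipa_path


def check_ipa(ipa_path: Path) -> list:
    """Return structural problems found in the archive; empty list means OK."""
    with zipfile.ZipFile(ipa_path) as ipa:
        names = [n for n in ipa.namelist() if not n.endswith("/")]
        if any(not n.startswith("Payload/") for n in names):
            return ["entries outside Payload/"]
        bundles = {n.split("/")[1] for n in names if n.count("/") >= 2}
        if len(bundles) != 1 or not min(bundles).endswith(".app"):
            return ["expected exactly one Payload/<name>.app bundle"]
        root = f"Payload/{min(bundles)}/"
        if root + "Info.plist" not in names:
            return ["Info.plist missing"]
        info = plistlib.loads(ipa.read(root + "Info.plist"))
        exe = root + str(info.get("CFBundleExecutable", ""))
        if exe not in names:
            return ["CFBundleExecutable not found in bundle"]
        if not (ipa.getinfo(exe).external_attr >> 16) & stat.S_IXUSR:
            return ["main binary is not executable"]
    return []


def make_sample_app(parent: Path, mode: int) -> Path:
    """Constructed stand-in bundle; the binary is placeholder bytes, not Mach-O."""
    app = parent / "HelloWorldiOS.app"
    app.mkdir(parents=True)
    (app / "Info.plist").write_bytes(
        plistlib.dumps({"CFBundleExecutable": "HelloWorldiOS"}))
    binary = app / "HelloWorldiOS"
    binary.write_bytes(b"placeholder binary")
    binary.chmod(mode)
    return app


def demo() -> tuple:
    """Package one bundle with a 755 binary and one with a 644 binary."""
    with tempfile.TemporaryDirectory() as tmp:
        good = build_ipa(make_sample_app(Path(tmp, "a"), 0o755), Path(tmp, "good.ipa"))
        bad = build_ipa(make_sample_app(Path(tmp, "b"), 0o644), Path(tmp, "bad.ipa"))
        return check_ipa(good), check_ipa(bad)


if __name__ == "__main__":
    print(demo())
```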
Now that we have our .ipa file, we can start
iFunBox, click the option Install App and then select
the .ipa file we just created.
If everything goes well, after a
few seconds the installation
process will complete and we
will have the app installed on
the device!
WARNING
Please note that installing .ipa applications through
AppSync may sometimes result in a device crash.
For this reason, we discourage this technique in
favor of the first method we saw: create the .app
file, copy it to the /Applications folder and then run
Respring.
4.5.6. Edit existing Application files
Again, on jailbroken devices, some of the security
features implemented by iOS are disabled. For
instance, we can edit application files without
causing the apps to crash.
If we wanted, we could edit all the images in the
Dropbox app folder to permanently put our own
logo on the main screen of the app.
We just need to download the files we want to edit
to our machine and then upload the new version.
In this case we can use iFunBox to browse the app
folder, download
the .png files we
need and then
upload again.
Once we edit and upload back
to the device, running the
application will show us that
the changes have been
applied.
The app images now display
the eLearnSecurity logo.
Simple!
Even though this is a small change, you can imagine
how useful it could be if we applied the process to
other application files.
As we will see later on, patching the app, editing
.plist files and other tricks will be very important
for security testing.
4.5.7. Keychain dumper
You may remember that a keychain is an encrypted
container that holds passwords, cryptographic keys,
certificates and text strings for multiple
applications and services.
In iOS, each application has access only to its own
keychain items.
The keychain is an encrypted sqlite file that
contains sensitive data like email addresses,
passwords, OAuth-tokens, Wi-Fi passwords, SIM
PIN and on and on. As you know, accessing this
information is one of the most important steps
while analyzing any iDevice.
If you want to know more about keychains, app permissions and so
on, please take a peek at the Apple documentation listed in the References.
The sqlite file is stored at the following location:
/private/var/Keychains/keychain-2.db
but remember, some of its contents are encrypted
and can only be read with root permissions.
Let us try to read its content using sqlite3 from
SSH:
We can also download the file to our machine and
use any sqlite viewer/browser tool.
As you can see from the previous screenshots,
things did not go so well.
Some of the data contained in the sqlite database is
encrypted, but since on jailbroken devices some of
the security features are disabled, it is possible to
get unencrypted data from the keychain.
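An added example (not from the original course) of triaging a SQLite file like this one before opening it in a viewer: it reports, column by column, whether the stored values are readable text or opaque bytes. The in-memory database is a constructed stand-in; its table and column names (genp, acct, svce, agrp, data) and which of them hold cleartext are assumptions for illustration, not values read from a real keychain-2.db.

```python
import os
import sqlite3


def classify(value) -> str:
    """Label one stored value as 'empty', 'cleartext' or 'opaque'."""
    if value is None or (isinstance(value, (str, bytes)) and len(value) == 0):
        return "empty"
    if isinstance(value, bytes):
        try:
            value = value.decode("utf-8")
        except UnicodeDecodeError:
            return "opaque"
    # Control characters (e.g. NUL bytes in a binary header) are not printable.
    return "cleartext" if str(value).isprintable() else "opaque"


def column_exposure(conn: sqlite3.Connection) -> dict:
    """Map 'table.column' to cleartext / opaque / mixed / empty."""
    report = {}
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            kinds = {classify(row[0]) for row in conn.execute(
                f'SELECT "{column}" FROM "{table}"')} - {"empty"}
            if not kinds:
                report[f"{table}.{column}"] = "empty"
            elif len(kinds) == 1:
                report[f"{table}.{column}"] = kinds.pop()
            else:
                report[f"{table}.{column}"] = "mixed"
    return report


def build_sample() -> sqlite3.Connection:
    """Constructed stand-in database; names and contents are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE genp (acct TEXT, svce TEXT, agrp TEXT, data BLOB)")
    for acct, svce in [("alice@example.com", "MailApp"), ("home-wifi", "AirPort")]:
        # Random bytes behind a fixed header stand in for an encrypted value.
        blob = b"\x00\x00\x00\x02" + os.urandom(48)
        conn.execute("INSERT INTO genp VALUES (?, ?, ?, ?)",
                     (acct, svce, "com.example.app", blob))
    return conn


if __name__ == "__main__":
    for name, kind in column_exposure(build_sample()).items():
        print(f"{name:12} {kind}")
```

Columns reported as cleartext are readable by anyone who can copy the file, so identifying data placed in item attributes is exposed even when the secret value itself is not.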
A very useful and easy-to-use tool that allows us to
gather cleartext data from the keychain is
keychain_dumper.
It can be downloaded from the Keychain Dumper link in the References.
Once we download and open the archive, we can
see that we have a few files. The one we need is
the binary named keychain_dumper.
What we have to do now is to copy this file onto
our device. In our case, we will store it in the root
folder using Cyberduck (SFTP).
Once the binary is on the device, make sure that it
is marked as executable (if not, run chmod +x
keychain_dumper) and then we can run it with the
following command:
root# ./keychain_dumper
(Also, be sure that the file keychain-2.db is readable.)
If everything works, we should be able to see well-
organized keychain content in cleartext:
The keys are organized by
categories. Here we can
see Generic Password as
well as Internet Password.
This is the default dump
from the tool but we can
set other flags to dump
additional information.
The -h option returns
all the flags available,
while running the tool
with the -a flag will
return all the entries
stored in the keychain
database.
References
iOS SDK
iTunes
iOS Backups
iExplorer
iFunBox
Putty
VNC Viewer
Plist Editor (Win OS)
Sqlite
Sqlite Master
BinaryCookies
Safari Forensics Tools
iTunes Backup
iBackupBot
Cydia
iTunnel
BigBoss Recommended Tools
Filezilla
CyberDuck
Veency
Keychain Service
iOS Security Doc
Keychain Dumper