iOS Environment Configuration

Uploaded by

es169371

v1.

MODULE 4

eLearnSecurity © 2014
iOS: Setting up a Test Environment

4. Introduction

With Android, we can install the SDK and use the emulator to create our test environment. With iOS, things are a bit different. The iOS SDK is available only for Mac OS. Also, in order to test our app on physical devices, we must create and register an Apple Developer account (unless we have a jailbroken device).

4.1. iOS SDK

The iOS SDK is a developer toolset for building Mac, iPhone and iPad apps. The SDK comes with the Xcode IDE, an iOS Simulator that can be used to simulate both iPhone and iPad devices, and other analysis and development tools.

It is important to note that a simulator is different from an emulator (as on Android). A simulator cannot run compiled iPhone or iPad applications (.ipa files) because those apps do not contain a binary for the x86 architecture (they are compiled for ARM architectures). The only apps that we will be able to run on the simulator are the applications of projects that can be opened within Xcode.

Let us look at how to install the SDK, how to use the Xcode IDE, run simulated devices and interact with them. The first thing we have to do is to download and install the SDK.

You can get it by searching for ‘Xcode’ in the Apple store or by clicking the button ‘View in Mac Apple Store’ at the following link: developer.apple.com/xcode

Once you click, the Apple store should be displayed. Follow the installation process by clicking on the button ‘Install App’.

Once Xcode finishes installing, you should have a new icon in the dock. If not, you can launch it by searching for Xcode in Spotlight or by running the Xcode app located in the folder:
• Mac HD->Developer->Applications->Xcode.

4.1.1. Xcode IDE
To start creating your app, click on “Create a new Xcode Project” and then choose the app template. We can leave the default config and click next.

In the next pane, choose the app name, organization, etc. and click next.

In the last pane, select the destination folder for your project. In this case, it will be els. Once we click ‘Create’ the Xcode IDE will appear.

This is the main Xcode window. Let us have a look.

On the top we have the toolbar:
• Xcode project name
• Run the app
• Scheme name
• Destination device
• Activate/Deactivate Breakpoints
• Editor button view (Standard/Assistant/Version)
• View buttons (Hide/Show pane)

On the left is the navigation pane. Here we can see all the files in our project, search for specific text, list issues, breakpoints and so on.

Depending on the resource selected in the navigation pane, in this area you will find the source code as well as project options, app preview and more.

The last pane on the right is called the Utility Area. This is divided into two more panes:
• Inspector (top)
• Library (bottom)

The inspector displays file metadata, detailed information about a specific object, configuration attributes, actions and more.

Within the library we can access libraries of resources that can be used in our project, such as snippets, interface objects, and media files.

This is just a brief overview of what Xcode is. We suggest that you play with it in order to get the most out of the tools and utilities that this IDE offers. We will see a handful of them during the course. One of the next developer tools that we are going to look at is iOS Simulator.

4.1.2. iOS Simulator

The main purpose of the iOS Simulator is to help developers run and test their applications and of course it can be used for security tests! As we will see later on, this can be very useful to analyze app behavior and to intercept and analyze network communications.

We can start the simulator a few different ways. From Xcode, we can click on the top menu: ‘Xcode -> Open Developer Tool -> iOS Simulator’.

We can also start it from the Xcode folder by opening Content->Applications->iPhone Simulator.

Once the simulator starts, you will see something like the image on the right. We can now interact with the simulated device; we can browse web pages, start apps and so on.

On the top menu we have several tools that we can use to configure or interact with the simulator. For example, you can choose a different device by selecting Hardware->Device.

The default path for the simulator files is:
• /Users/<your_user>/Library/Application Support/iPhone Simulator/<Version>/

This may be useful in helping you understand how information is stored on the device.

Apps and device data are stored in this folder. For example, browsing Safari we can see .plist and .db files. Those files contain information like bookmarks, searches, and history.

The iOS Simulator is especially useful if we have to perform security tests against an application or analyze network traffic, but remember that we need the app source code or at least the application binaries (compiled for the simulator) to test in this manner. Let us look at how to create, run and import an app on the simulated device.

4.1.3. Writing an iOS app

Head back to Xcode and open a new project. Right-click on the navigation bar, select ‘New Project’ and then follow the creation steps. We can also open File->New->Project.

We can leave the default project configuration options unchanged and click on the navigation area, on the MainStoryboard_iPhone.storyboard file.

The storyboard tool allows us to view our user interface, showing us the app screens (scenes) and their connections.

Since this is a basic app, let us start with a single scene. What we want to create is a simple app that displays a message when we click a button. First of all we need to create two objects: a button and a label. The label will display our message, “Hello World.”

In the storyboard view, drag and drop the object ‘Round Rect Button’ from the library to the scene.

Now, edit the button properties in the inspector pane. Set the button label to “Click ME!”.

Do the same with a label object and set its Label Text value to empty.

Now that we have our objects on the screen, we have to instruct Xcode that these objects can be used in the project. The Xcode IDE allows us to do that very simply. Drag and drop the object from the storyboard view into our code. On the top left, change your project view as follows:

With this configuration, we should be able to see both the app preview and the code editor. Files with a .h extension contain variable declarations, classes and methods used by the code.

Now, add the label to the code. To do that, hold the ctrl key down and then drag and drop the label into the editor pane.

A dialog box should appear as soon as you release the mouse button. Here, insert the name ‘label’, leave the remaining default configuration unchanged and then click ‘Connect’. The label will be added to the code.

Now, drag the button to the code. This time we will drag it to right after the previous statement, and we will choose the connection name “Action”.

Having done this, both label and button can be used in the implementation file. Implementation files have the extension .m and they contain the actual code. Open the file ViewController.m and we will write our code.

As we can see, near the bottom of the implementation file, there is a line similar to the one created in the header file (.h). It is the method that will contain the code to run when we click the ‘Click ME!’ button.
(Screenshots: implementation file, header file.)

Let us put our code in the buttonHello method. We want the button press to cause the label to change its content and display the message, “Hello World!”. Edit the label content with the following statement:

(Screenshot callout: sets the text property of the label object to the string “Hello World!”.)

Our code is complete! Click the run button on the top left and wait until Xcode builds the project. Once it is done, the simulator appears, showing our application.

The previous code is obviously very simple. It is a good idea to create more apps and become familiar with Xcode and Objective-C. Also note: apps that you have built before can be found in the following folder:
• /Users/<your_user>/Library/Application Support/iPhone Simulator/<Version>/Applications/<App_ID>

The contents of this folder are useful if you want to share the app without sharing the source code. We can copy the app to another system (in the same location!) and the iOS simulator will automatically load the app.

4.2. iOS Simulator and Xcode limitations

As we pointed out earlier, many features available on physical devices (such as device configurations or apps) are not available on the iOS Simulator. Also note that we cannot install third party software unless we have the Xcode project or the application compiled for the iOS simulator. This also means that we cannot install apps from the Apple Store on the simulator.

Also, if we want to test our code on physical devices, we need to sign up (and pay $99!) for a developer account (or use a jailbroken device).

In fact, if we try to build and run the app on a physical, non-jailbroken device (without a developer account), we will get a Code Sign error like this one:
(Screenshot callout: Actual device.)

As we will see later on, if we do not have a developer account, we can still sign our code (with a custom certificate like a self-signed one) and run the app on physical devices, but they must be jailbroken.

4.3. File System and Device Interaction

Apple devices are far more locked down than Android devices. By default, there is no file system access (compared to ADB for Android). The best way to deeply analyze our Apple device is to jailbreak it and then connect via SSH.

If we do not have a jailbroken device we can still access some information. We can use iTunes to access files such as photos or music, or use third party software to access application data, documents, and backups; we will still not be able to access or browse the entire file system.

Let us see what kind of data we can access on a non-jailbroken device. If you have an Apple device you probably have iTunes installed on your machine. In case you do not, you can download it here (Windows or Mac OS).

Once iTunes is installed, run it and connect the device. Note that if iCloud is not enabled on the device, information such as photos, contacts, app settings and more will be automatically backed up to your machine. Here you can find details about what data is backed up and where it is stored. This is critical because data may be stored without encryption.

As you can see in the following device snapshot, when we enable iCloud, a pop-up appears, warning us that data will no longer be automatically backed up by iTunes.

The first time we connect the device to our machine, iTunes asks for some information and then automatically syncs the data. Once the process ends, we should be able to navigate device data such as Music, Movies, Purchased and more.

During this process, iTunes will ask to download iCloud and will also ask for Apple ID credentials. If we do not provide the credentials, some information will not be displayed and some features will be disabled. For example, we will not be able to manage installed apps on the device.

Information such as Contacts, Mails or Calendars will be automatically synced using the respective app. Here, for example, the iCal app on the Mac will be synchronized with the iPhone calendar.

Interestingly, though, a backup is automatically created on the machine. If we navigate to ~/Library/Application Support/MobileSync/Backup/, we can see the backup data.

There is not much interesting data that we can access with iTunes, but there are other programs that allow us to get more information from the device. A couple are iExplorer and iFunBox (both available for Mac and Windows).

Note that you will still need iTunes installed on your machine.

4.3.1. Directory Structure

Before using these tools, let us talk about the iPhone app directory structure. When an app is installed on a device, iOS creates the main app directory and its sub-directories, and sets all the privileges (for sandboxing purposes). The structure is the same for every app; the main directory is created as follows:
• /var/mobile/App_name

This folder contains all the data and configuration the app needs:

It is important to note that iPhone applications may store critical information in these folders. They can be stored as plist files, databases, cached files or logs.

4.3.2. Plist files

A property list (plist) file is structured as XML and is used to store and access information. Each entry in the plist is a key-value pair and may be used by the application to get values such as the name of the executable file, the version, the platform, etc.

In this file, we generally find very disparate information sets like user preferences, configurations, sensitive information like credentials, cookie values, URLs and so on. Applications may use these values to make runtime decisions (for example: an app may or may not display information depending on a value stored in the plist).

Since these files are structured as XML, they can be read with any text editor, but if we want better output on Windows we can use external tools such as Plist Editor for Windows (Mac OS does not need an external tool).
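The review described above can be scripted. The following is an added example, not part of the original course material: it walks an exported app folder, loads every plist and reports keys whose names suggest credentials, cookies or session data, values that are URLs, and boolean switches of the kind an app may use for runtime decisions. It goes slightly beyond the text by also reading binary plists, which Python's plistlib handles alongside XML; the key-name patterns, file names and sample values are assumptions constructed for the demonstration.

```python
import plistlib
import re
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed heuristic (not from the page): key names that tend to hold the
# kinds of data the text lists (credentials, cookie values, session data).
SENSITIVE_KEY = re.compile(
    r"pass(word|wd)?|secret|token|cookie|session|user(name)?|e-?mail|api[_-]?key",
    re.IGNORECASE,
)
URL_VALUE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed sample preferences; every name and value here is made up.
SAMPLE_PREFS = {
    "CFBundleExecutable": "DemoApp",
    "CFBundleVersion": "1.0",
    "ShowPremiumContent": False,
    "ApiEndpoint": "https://api.example.test/v1",
    "Account": {"username": "alice@example.test", "password": "constructed-value"},
    "Sessions": [{"auth_token": "constructed-token"}],
}


def leaves(node, path=""):
    """Yield (key_path, value) for every leaf of a nested plist object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def describe(value):
    """Report type and size only, so the findings can be shared safely."""
    size = len(value) if isinstance(value, (str, bytes)) else len(str(value))
    return f"{type(value).__name__}({size})"


def audit_plist(plist_path):
    """Return findings for one file; plistlib reads XML and binary plists."""
    name = Path(plist_path).name
    try:
        with open(plist_path, "rb") as handle:
            data = plistlib.load(handle)
    except (plistlib.InvalidFileException, ExpatError, ValueError, OverflowError):
        return [{"file": name, "key": "", "kind": "unparseable", "value": ""}]
    findings = []
    for key_path, value in leaves(data):
        leaf_name = key_path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY.search(leaf_name):
            kind = "sensitive-key"
        elif isinstance(value, bool):
            kind = "boolean-flag"      # settings that may gate app behaviour
        elif isinstance(value, str) and URL_VALUE.match(value):
            kind = "url"
        else:
            continue
        findings.append(
            {"file": name, "key": key_path, "kind": kind, "value": describe(value)}
        )
    return findings


def audit_tree(root):
    """Audit every *.plist below root (for example an exported app folder)."""
    findings = []
    for plist_path in sorted(Path(root).rglob("*.plist")):
        findings.extend(audit_plist(plist_path))
    return findings


def build_sample(directory):
    """Write the sample as XML and binary plists, plus one corrupt file."""
    prefs = Path(directory) / "Library" / "Preferences"
    prefs.mkdir(parents=True)
    with open(prefs / "demo-xml.plist", "wb") as handle:
        plistlib.dump(SAMPLE_PREFS, handle, fmt=plistlib.FMT_XML)
    with open(prefs / "demo-binary.plist", "wb") as handle:
        plistlib.dump(SAMPLE_PREFS, handle, fmt=plistlib.FMT_BINARY)
    (prefs / "corrupt.plist").write_bytes(b"not a property list")
    return Path(directory)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_tree(build_sample(tmp)):
            print("{file:18} {kind:14} {key:26} {value}".format(**finding))
```

Findings report only the type and length of each value, so the output can go into a test report without copying the secrets themselves.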

4.3.3. Databases

Every app needs to store data and, just like in Android, the best way to do this is using SQLite databases. The reason why mobile OSs use SQLite is that it treats databases as flat files: the OS does not need to have a server running on the device. In this way, each application can create its own databases and interact with them with standard SQL constructs such as SELECT, INSERT, UPDATE and DELETE.

Most applications use SQLite databases to store large data sets; this makes databases one of the best targets for security testing. In these, we can find credentials, specific configurations and other forms of sensitive information. Since they are flat files, we can simply retrieve them from the device and run SQL queries to read data.

There are many tools that we can use to navigate or access data stored in a SQLite database. Tools like SQLite Manager are very useful since they offer a GUI to interact with the database. We can, of course, use the sqlite command line shell to query the database.

For example, in the following screenshot, we can see what types of data may be stored in a database (Dropbox in this case).
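The same inspection can be done from a script once the database files have been copied off the device. This is an added example, not part of the original course material: it finds SQLite files by their 16-byte header rather than by extension, opens each one read-only so the retrieved copy is never altered, and lists tables, row counts and columns whose names suggest sensitive content. The column-name patterns and the sample schema are assumptions constructed for the demonstration and do not reproduce any real app's database.

```python
import re
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
# Assumed heuristic (not from the page) for column names worth a closer look.
SENSITIVE_COLUMN = re.compile(
    r"pass|secret|token|cookie|session|user|e-?mail", re.IGNORECASE
)


def find_databases(root):
    """Find SQLite files by header, since extensions vary (.db, .sqlite, ...)."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with open(path, "rb") as handle:
                if handle.read(16) == SQLITE_MAGIC:
                    found.append(path)
    return found


def open_read_only(db_path):
    """Open with mode=ro so triage can never alter the retrieved copy."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def triage(db_path):
    """Return {table: {"rows": n, "columns": [...], "flagged": [...]}}."""
    report = {}
    with closing(open_read_only(db_path)) as conn:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
        )]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            columns = [row[1] for row in conn.execute(f"PRAGMA table_info({quoted})")]
            rows = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            report[table] = {
                "rows": rows,
                "columns": columns,
                "flagged": [c for c in columns if SENSITIVE_COLUMN.search(c)],
            }
    return report


def write_is_blocked(db_path):
    """Confirm the read-only handle rejects modification attempts."""
    with closing(open_read_only(db_path)) as conn:
        try:
            conn.execute("CREATE TABLE triage_probe (x)")
        except sqlite3.OperationalError:
            return True
    return False


def build_sample(directory):
    """Create a constructed database and a non-database decoy file."""
    documents = Path(directory) / "Documents"
    documents.mkdir(parents=True)
    with closing(sqlite3.connect(str(documents / "demo.sqlite"))) as conn:
        conn.executescript("""
            CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, extension TEXT);
            CREATE TABLE account (id INTEGER PRIMARY KEY, email TEXT, auth_token TEXT);
            INSERT INTO files (name, extension)
                VALUES ('report', 'pdf'), ('photo', 'jpg');
            INSERT INTO account (email, auth_token)
                VALUES ('alice@example.test', 'constructed-token');
        """)
        conn.commit()
    (documents / "notes.db").write_text("plain text, not a database")
    return Path(directory)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for db in find_databases(build_sample(tmp)):
            print(db.name, "read-only:", write_is_blocked(db))
            for table, info in triage(db).items():
                print(f"  {table}: {info['rows']} rows, flagged: {info['flagged']}")
```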

4.3.4. Logs and Cache files

All data needed for the application is stored in the main folder. This includes log files, cache files, documents, images, etc. These files can reveal very useful information and we have to investigate them during our security tests and analyses.

4.3.5. Browse Application Files and Folders

Now that we know how application folders are organized and what data can be stored, let us see how to get these files using one of the two tools mentioned earlier: iFunBox.

Once the device is connected to our machine, we will be able to browse device information using the tabs at the top. The most important tab is ‘iFunbox Classic’, which allows us to browse part of the device file system. Here we can navigate app files, photos, raw files, and device information like the device serial number and software version.

Not all applications can be browsed with these tools (only user-installed apps). We will not be able to inspect applications like Mail, Browser, iTunes, or App Store. To obtain full access, we need a jailbroken device; we will talk about that later on.

The following screenshot shows Dropbox files and folder structures. These files are very important and they can reveal very sensitive information like usernames, passwords, and cookies.

4.3.5.1. Plist

We may even be able to access information related to the app by inspecting databases or plist files. For example, in the plist file, we can see the Dropbox username.

In addition to plists (something that almost every application stores), there are specific files that each application stores in its folder that can reveal sensitive data. Let us use Dropbox as a target app and see what kind of data we can gather.

4.3.5.2. Databases

The Dropbox.sqlite file stored in the Dropbox\Documents folder reveals the names and the extensions of the files.

4.3.5.3. Library and Caches

In the \Library\Caches\Dropbox folder we can find the actual files the app stores. As we can see in the following screenshot, there are some photos that were taken with the phone.

In order to see these pictures, we just need to open one of the folders in the previous screenshot and then change the file extension based on the name of the folder.

4.3.5.4. Cookies.binarycookies

Many apps store their cookies in a file named Cookies.binarycookies. This file can be found in the AppName\Library\Cookies folder but, since it has a specific format, we need external tools to view its content.

Here is more information about the binarycookie file.

Safari Forensics Tools (SFT) is a tool that can read Cookies.binarycookies file contents. We can download it here. It is available for Windows and Linux systems and it can be run from the command line with a simple command:

> safari_cookie_bin.exe path_to_Cookies.binarycookies

Once we run SFT, the tool gathers information about the cookie like URL, name, creation date, expiration date, path and content.

4.3.6. Extract Files from a Device

By selecting any of the elements in this view we can export folders and files to our machine. This is very useful if we want to perform further tests on binary files, databases, plists and more.

4.3.7. Snapshots

You should know that every time the device home button is pressed, iOS takes a snapshot of the current state of the application (used for zoom-in and zoom-out animations) and stores this snapshot in the following folder:
• app_name/Library/Caches/Snapshots

Here we can see how easy it is to access these snapshots by browsing the app folder.

As you can imagine, this iOS feature can lead to some data leakage and we could get information from every app installed on the device.

4.3.8. Export Installed Apps

The Copy To PC option allows us to export installed applications. Each app folder contains a folder named app_name.app that we can easily export. As we will see in the next modules, even if it is not an .ipa file, the contents of .app folders can be used to perform security tests against the app.

4.3.9. Install Applications

Another feature in iFunBox is the ability to install applications on the device. We just need to click Install App and select the .ipa file.

As you can imagine, on non-jailbroken devices, the installation process will fail if the .ipa package is unsigned, unofficial or modified. In this case we need to jailbreak the device and use AppSync from Cydia.

4.3.10. SSH Access

iFunBox also allows us to interact with the device using an SSH connection, but this option is available only if the device has the SSH service running in the background (available if the device is jailbroken). We will see what data can be retrieved from jailbroken devices later on.

To open the shell we can open the tab “Quick Toolbox” and click on “SSH Terminal”.

This opens a new window in which we can run commands directly on the device.

It is important to know that on non-jailbroken devices, not all files and folders are accessible and writable. We cannot, for instance, write system or application files. Editing an application file, for example, would cause the application to crash.

4.3.11. Xcode Organizer

By opening the Organizer window in Xcode (top-right) we can interact with the device and access information like logs, applications and screenshots.

Here we can see console logs and we can also take screenshots from the device.

4.4. Backups

What we have seen to this point is information that we can gather directly from the device, but there is much more information that we can obtain if we are able to access backup files. As you already know, if iCloud is not enabled, when the device is connected to a PC or Mac, it will automatically back up its data.

Note that if the device is protected with a passcode, iTunes will prompt us to enter it (on the device) and only if the code is correct will we be able to back up or synchronize the device.

Starting with iOS 4, iTunes offers the ability to encrypt backups. While this feature is useful for restoring backups on different devices (impossible if the backup is not encrypted), it is important to know that by default this option is disabled. If this option is not enabled, the keychain file containing usernames and passwords is still encrypted using hardware keys stored on the iPhone (but other information will be available).

iTunes will store the data in different locations based on your machine’s OS (operating system, then path):
• Mac: ~/Library/Application Support/MobileSync/Backup/
• Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
• Windows Vista and Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

All files stored in the backup folder are unreadable. They have no file extension and their name is 40 hex characters long.

Each filename is the SHA1 hash value of the domain name followed by the file path (Domain-Path). For example, the SHA1 value of:

HomeDomain-Library/Calendar/Calendar.sqlitedb
(domain name: HomeDomain; file path: Library/Calendar/Calendar.sqlitedb)

is:

2041457d5fe04d39d0ab481178355df6781e6858
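Because SHA1 is one-way, a backup file name cannot be turned back into its path; it can only be matched against the hashes of candidate Domain-Path strings. The following is an added example, not part of the original course material, that applies the naming rule above to sort a backup folder listing into metadata files, identified files, unknown hashed files and unexpected entries. The candidate list beyond the page's Calendar example and the sample folder listing are assumptions constructed for the demonstration.

```python
import hashlib
import re

HASHED_NAME = re.compile(r"^[0-9a-f]{40}$")
# The four per-backup metadata files named in this module.
METADATA_FILES = {"Info.plist", "Manifest.plist", "Manifest.mbdb", "Status.plist"}

# Candidate (domain, path) pairs. The first is the page's example; the other
# two are assumed, commonly cited iOS locations that are not from the page.
CANDIDATES = [
    ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
]


def backup_filename(domain, relative_path):
    """Return the on-disk name: SHA1 of the string 'Domain-Path', in hex."""
    joined = f"{domain}-{relative_path}"
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def classify_listing(names, candidates=CANDIDATES):
    """Sort a backup folder listing into four groups."""
    lookup = {backup_filename(d, p): f"{d}-{p}" for d, p in candidates}
    result = {"metadata": [], "identified": {}, "unknown": [], "unexpected": []}
    for name in sorted(names):
        if name in METADATA_FILES:
            result["metadata"].append(name)
        elif not HASHED_NAME.match(name):
            result["unexpected"].append(name)  # not 40 lowercase hex characters
        elif name in lookup:
            result["identified"][name] = lookup[name]
        else:
            result["unknown"].append(name)     # hashed, but not a known candidate
    return result


def missing_metadata(names):
    """List the expected metadata files that are absent from the listing."""
    return sorted(METADATA_FILES - set(names))


def sample_listing():
    """Constructed folder listing for the demonstration."""
    return [
        "Info.plist", "Manifest.plist", "Manifest.mbdb",  # Status.plist left out
        "2041457d5fe04d39d0ab481178355df6781e6858",        # value quoted on the page
        backup_filename("HomeDomain", "Library/SMS/sms.db"),
        "f" * 40,                                          # constructed, unknown entry
        ".DS_Store",                                       # constructed stray file
    ]


if __name__ == "__main__":
    listing = sample_listing()
    groups = classify_listing(listing)
    for hashed, source in groups["identified"].items():
        print(hashed, "<-", source)
    print("unknown:", groups["unknown"])
    print("unexpected:", groups["unexpected"])
    print("missing metadata:", missing_metadata(listing))
```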

This information, and more, is stored in four files contained in each backup:
• Info.plist
• Manifest.plist
• Manifest.mbdb
• Status.plist

Info.plist
• Contains information like build version, GUID, IMEI, phone number, etc.

Manifest.plist
• Contains application details, BackupKeyBag, encryption information, etc.

Manifest.mbdb
• Binary file containing the list of file names contained in the backup.

Status.plist
• Contains information about the backup.

More information on this can be found here.

Since backups are not just a copy of the files contained on the device, we need external tools to inspect iOS backups. There are many tools that allow us to load, view and edit unencrypted backups. Two of them are iExplorer and iBackupBot.

Once we have a backup stored on our machine, we just need to run one of these tools and it will automatically load and organize the data for viewing.
(Screenshots: iExplorer, iBackupBot.)

From here, we can browse user information such as contacts, messages, and photos. We can also inspect system and app files.

As you can imagine, accessing this information is very useful for security purposes. We can inspect almost every piece of information stored on the device and gather sensitive data like usernames, passwords, contacts, photos, and account data.

When dealing with encrypted backups, these tools may fail to access the data. As you can see in the following screenshots, if we try to open an encrypted backup, the tool prompts us for the password.
(Screenshots: iExplorer, iBackupBot.)

Even if we enter the correct password there is still some information that we cannot access because of an enforced encryption mechanism: keychain-backup.plist

Now we know how backups are stored and what security features are implemented by iTunes and iOS to protect the backup data. Let us look at these files in greater detail and discover how to manage encrypted backups, decrypt them, recover passcodes or hardware keys, access and edit all the data.

4.5. Interact with Jailbroken Devices

We already know how to interact with non-jailbroken devices - what kind of information we can gather and which tools we can use. It is time for us to focus on what we can do with jailbroken devices. As you already know, the jailbreak disables some security features implemented by iOS, allowing us to install almost any application.

Generally, jailbroken devices have the Cydia app installed by default. As the developer says on his website:

“Cydia is an alternative to Apple's App Store for ‘jailbroken’ devices, specializing in the distribution of all that is not an ‘app’.”

Note that we can still use Apple’s App Store.

Cydia is one of the most important apps for us because it allows us to install applications, command-line tools and much more. Thanks to Cydia and its tools we will be able to gain full access to the device.

4.5.1. SSH Access

The best way to interact with


the device is via SSH. By default,
SSH is not installed on jailbroken
devices but we can easily install
it by opening Cydia and
following the “Open SSH Access
How-to” instructions under the
User Guide section.

HOME PARENT REFERENCES VIDEO


122
4.5.1. SSH Access

Once we click on the entry we


will be redirected to a screen
with a step-by-step guide. As
the guide says, the first step is
to install OpenSSH by clicking
on the blue link to the package.

HOME PARENT REFERENCES VIDEO


123
4.5.1. SSH Access
On the OpenSSH package screen, click on ‘Install’ at
the top right corner and allow the install to complete.

HOME PARENT REFERENCES VIDEO


124
4.5.1. SSH Access

Once OpenSSH is installed, we can return to Cydia


and follow the next steps. In order to be able to
establish a connection we have to create a link
between the SSH server (iPhone) and the SSH
Client (our machine). This can be done using WiFi,
but we have to connect the iPhone to the same
network as our machine and find its IP address.

HOME PARENT REFERENCES VIDEO


125
4.5.1. SSH Access

To do this just open


Settings->Wi-Fi and click the
blue arrow to the right of your
attached network. On the next
screen, you will see the IP
address assigned to the device.
Write down this address as we
will need it to initiate the
connection.

HOME PARENT REFERENCES VIDEO


126
4.5.1. SSH Access

Now that the device is set up and we have all of the


information, we can establish the SSH connection.
To do this we can use any of a handful of tools. On
Windows, the most common SSH client is PuTTY,
while on Mac and Linux machines we can simply
open the terminal and use the SSH command
followed by the ip address of the server (the
iPhone in our case).

4.5.1.1. SSH Access - Windows

Let us first see how to establish the connection in Windows and then look at how to do this from Mac/Linux OS.

Once you start PuTTY you will see a screen like the following.

Enter the IP address in the Host Name field and then click Open (at the bottom of the screen). If everything goes well, you should see the PuTTY command line asking for login credentials.

The default credentials for OpenSSH on our iPhone are username: root and password: alpine. Enter the credentials and see if you are able to establish the connection. If the credentials are correct, we will see something like the following screen (meaning we have root SSH access on the device).

Please consider changing the default password as soon as possible!

4.5.1.2. SSH Access – Mac/Linux

Before running any shell commands, let us see how to establish the connection with Mac/Linux OSs. As we said before, we just need to open the terminal and run one of the following commands:

ssh IP_address -l username
ssh username@IP_address

where IP_address is the IP of the device and username is root (default username).

4.5.1.3. SSH Via Cable

TIP

If the Wi-Fi SSH connection is too slow, we can still set up our machine to use the wired USB cable. We first have to attach the iDevice via USB and then download a tool called itunnel (or itnl).

The tool is available for both Windows and OSX.

To use itunnel, extract the files, open the terminal (or command shell) and navigate to the location where the files were extracted.

Once there, run the following command:

./itnl --lport 8888 --iport 22

where lport is the local port on our system and iport is the remote iDevice port (22 for SSH).

Now we can connect via SSH by typing:

ssh root@127.0.0.1 -p 8888

In this way we are forwarding the connection through the USB cable and, as expected, the connection will be much faster than Wi-Fi.

Note that itunnel works for VNC connections, too (we will see later on how to set up a VNC server on the iDevice). We just need to set the lport as desired and set the iport to 5900.

4.5.1. SSH Access

With SSH access to the device we have complete control of the device; we can navigate, inspect or edit any file and folder on the device.

Note that the same operations can be performed with PuTTY.

For example, we can navigate to the SMS folder and read all the text messages by querying sms.db.

It is important to note that some commands (such as id and more) are not available by default. There is a set of other tools that we will need for our security tests later on. Since we want a fully functional SSH shell we will have to install these command-line apps separately.

4.5.1.4. BigBoss Recommended Tools

One of the most important packages that we need on our jailbroken device is the BigBoss Recommended Tools. To install it, open Cydia, move to the Search tab and search for BigBoss Recommended Tools.

BigBoss, together with other apps, allows us to install tools that are very useful for inspecting and interacting with the device. As we can see in the following screenshot we now have many more tools and commands that we can run from the SSH shell:

4.5.2. SFTP

Now you know how to access the device via SSH and how to inspect almost every file on the device. As you can imagine, sometimes it may be useful to download these files from the device in order to inspect them on our machine. We need a way to send and retrieve files between our machine and the device.

Since we already have SSH enabled on the iDevice, one method to browse remote files is to use a client that supports the SSH File Transfer Protocol (SFTP). This can be done with software such as Filezilla (Win/Mac/Linux) or Cyberduck (Win/Mac). Tools such as iFunBox or iExplorer (from earlier) are also able to navigate, export and import files to and from jailbroken devices.

With Cyberduck, we need to click on “Open Connection” at the top left of the window, select SFTP from the dropdown menu and then insert the same information that we used for SSH: IP address of the device, username (root) and password (alpine by default, but you should change this to something long and complex for security reasons).

Once we click on connect we will be able to browse the entire device in the lower pane of the app.

In a very similar way, we can use Filezilla with the following settings:

- Host: Device IP
- Username: root
- Password: <your carefully chosen password>
- Port: 22

We can now just drag and drop files and folders from our device to our machine and vice-versa. As you will soon see, this is very useful because we will be able to inspect specific files with external tools that cannot be run on the device itself.

4.5.3. Explorer Software

So, a jailbroken device allows third party software such as iFunBox, iExplorer and others to view and retrieve the entire contents of the device. As you can see in the following screenshots, we are able to navigate, edit and view everything on the device. We just need to attach the device to our machine (no Wi-Fi needed) through the cable.

Tools such as iFunBox also allow a connection to devices via SSH. The difference between the iFunBox SSH client and the classic SSH shell is that with iFunBox we do not need a Wi-Fi connection.

We just need to attach the device via USB and then open the SSH Terminal in iFunBox.

Here, for example, we can open the tab Quick Toolbox and then click on ‘SSH Terminal’:

4.5.4. VNC

Another very useful way we have to interact with the device is to use Virtual Network Computing (VNC). By default, VNC is not installed on the device so we have to install it by adding (via Cydia) the package named Veency.

Once Veency is installed, we can edit its configuration by opening Settings->Veency. Here, we can enable/disable the VNC service or change the password used to connect.

After the package has been installed and configured, we have to install a VNC viewer on our machine. This way we will be able to interact with the device more quickly, because of the USB cable and the faster human interaction that the keyboard and mouse of a desktop computer provide. One of the best tools available is Real VNC Viewer. It is free and cross-platform.

Since VNC is not very fast, using it via Wi-Fi may be too slow; we are going to look at how to configure our machine to use VNC via cable. We already know how to use itunnel to establish an SSH connection. We will use the same method to hook up VNC.

Since we know that VNC uses port 5900, we are going to run the following command:

This allows us to forward the VNC connection from our host to the device through the cable.

Now we just need to start VNC Viewer, start the connection to the host 127.0.0.1 and type the password set in VNC settings (on the device).

If the connection is successful, we should see the following screen on the device:

Now, using the mouse and keyboard, we can interact with the device without touching it. We can simulate every interaction with the device using the mouse buttons:
• left click: touch screen
• middle click: lock button
• right click: menu button

Video: iOS Device Interaction

4.5.5. Run Apps without a Developer Account

You may remember that we were not able to run our first app on a physical device due to the code signing limitation. On a jailbroken device these security features are no longer in place. This means that we are now able to create, build and run our own apps on the device.

There are many ways to run apps on jailbroken devices. We can configure Xcode to sign the app with a custom self-signed certificate, we can set Xcode to just build the app without signing or we can use other tools like AppSync to install .ipa files.

4.5.5.1. Do not code sign

Let us first see how to configure Xcode to avoid signing the application. This will allow us to successfully build our app for jailbroken devices. The first step is to edit the SDKSettings.plist file located at:

/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.1.sdk/

In the plist file, change the value of CODE_SIGNING_REQUIRED to NO and save.

Now open Xcode (or close and reopen it) and set the project Build Settings to “Do not code sign” in the Code Signing Identity tree:

We should be able to successfully build the project by clicking Project->Build. If it succeeds, the app_name.app in the left panel will turn black.

Now we have to upload the app_name.app to our device. This can be done via SFTP, SSH or any other way (iFunBox, iExplorer, etc.). First, locate the app we have just built by right-clicking the app_name.app and selecting ‘Show in Finder’.

Next, copy the file into the /Applications folder on the device. (Once again, use SFTP, SSH or third party software).

So, we have stored our app, but it appears that nothing really changed on the device. There is no icon launcher for the new app because we have to refresh SpringBoard (the iOS app that manages the Home Screen). We can use external tools available in Cydia to do that. So let us head back to Cydia, search for the app named Respring and install it.

Once the app is installed we should have a new icon named Respring. Just click it and wait until it finishes.

Now we have to unlock the device and we should see our HelloWorldiOS app on the home screen.

If the app crashes at startup, access the device using SSH and set the privileges on the files in the app folder to 755 with the following command:

chmod -R 755 /Applications/your_app.app

4.5.5.2. Self-Signed Certificate

The other way to build and run custom applications on jailbroken devices is to use a self-signed certificate. In the next slides, we will explain this method.

The first step is to create a self-signed certificate that Xcode will use to sign our apps. To do this, open ‘Keychain Access’ and then select:

Keychain Access->Certificate Assistant->Create a Certificate

In the next window, choose a name for the certificate (iPhone Developer is the default option), select ‘Code Signing’ in the last dropdown menu and check the box ‘Let me override defaults’.

With these settings, click on continue and then set the Serial Number and Validity Period as desired (both fields are numeric).

Now click on continue and enter the last bit of information. You can leave all the settings as they are and continue until it creates the certificate.

Once the creation process is complete, we should see a few new entries in the Keychain Access window; we will use this new certificate to sign our app in Xcode.

Now that we have the certificate, we need to configure Xcode. In order to display the certificate in the build settings we have to edit the Info.plist file located in the following path:

/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform

We have to replace every occurrence of XCiPhoneOSCodeSignContext with XCCodeSignContext (three changes total).

Now, save the plist and open our Xcode project. If everything has been set up correctly, we should be able to choose the new certificate in the Build Settings tab.

Now, set your certificate (eLS_Certificate) in each entry of Code Signing Identity and build your project. Xcode should pop up a message that asks you to allow the certificate. Click Always Allow in this window and your build should succeed.

As we can see in the left pane, the file app_name.app is now black (instead of red).

Now that we have our .app file built, you can transfer it to the device (the same way you did for the unsigned app) and then use Respring (or reboot the device) to reload the home screen. If everything goes well, we will see the app in the home screen and be able to run it.

4.5.5.3. Create and Run Custom Applications

There are many other ways to install applications to the device. For example, we can create an .ipa file that contains the application itself. Then, we can install it the same way as all other applications. We can also install and run applications directly from Xcode.

If we jailbreak the device and then try to install our applications from iTunes, iFunBox or Xcode, the installation process can fail. To resolve this issue, you need to install AppSync from Cydia. The package is present in the AppAddict repository (http://cydia.appaddict.org).

Open the Manage tab in Cydia and then open Sources->AppAddict.org and select AppSync for iOS.

From now on, installing and running applications will be much easier and faster. We can run applications from within Xcode by selecting the physical device and then clicking Run.

With AppSync installed on the device, you can use iTunes or other third party software like iFunBox to install your applications. Once you have built the application, you can simply drag it into iTunes and install it to the device.

1) Drag the .app file into iTunes
2) Click on Install on the App Device view
3) Click on Apply to confirm the changes
4) Once all the operations are complete, we should have the app installed, ready to launch.

In the following screenshot we can see that our application is now installed in the User/Applications folder. We no longer need to copy the app into the /Applications folder and then restart SpringBoard as we did previously.

4.5.5.4. From .app to .ipa

Some applications (e.g. iFunBox) may require an .ipa file to install the app to the device. Let us check out the steps to create an .ipa file from an .app file.

Note that we will have to use the same structure used by other applications.

To do this, first create a new folder with the name ‘Payload’ and copy the .app file in it.

Now right click on the Payload folder and select ‘Compress’. This will create a new archive named Payload.zip.

Of course, .ipa files are just compressed files. So, we could potentially change the file name from Payload.zip to OurAppName.ipa.
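
The packaging steps above (Payload folder, compress, rename), as an added Python example that is not part of the original course material. It also checks the archive layout and that the main binary keeps its execute bit, the permission problem the chmod 755 note addresses; the function names are hypothetical and HelloWorldiOS.app here is a constructed placeholder bundle.

```python
import os
import plistlib
import tempfile
import zipfile


def build_ipa(app_dir, ipa_path):
    """Zip <name>.app under a top-level Payload/ folder and save it as an .ipa."""
    app_dir = os.path.abspath(app_dir)
    if not (app_dir.endswith(".app") and os.path.isdir(app_dir)):
        raise ValueError("expected the path of a .app bundle directory")
    parent = os.path.dirname(app_dir)
    with zipfile.ZipFile(ipa_path, "w", zipfile.ZIP_DEFLATED) as ipa:
        for root, dirs, files in os.walk(app_dir):
            dirs.sort()
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, parent).replace(os.sep, "/")
                # ZipFile.write() records the Unix mode bits, so the main
                # binary keeps its execute permission inside the archive.
                ipa.write(full, "Payload/" + rel)
    return ipa_path


def check_ipa(ipa_path):
    """Return a list of layout problems (empty list: structure looks right)."""
    problems = []
    with zipfile.ZipFile(ipa_path) as ipa:
        entries = {i.filename: i for i in ipa.infolist() if not i.is_dir()}
        stray = sorted(n for n in entries if not n.startswith("Payload/"))
        if stray:
            problems.append("entries outside Payload/: %s" % stray[0])
        bundles = {n.split("/")[1] for n in entries
                   if n.startswith("Payload/") and n.count("/") >= 2}
        apps = sorted(b for b in bundles if b.endswith(".app"))
        if len(apps) != 1:
            problems.append("expected one Payload/<name>.app, found %d" % len(apps))
            return problems
        prefix = "Payload/%s/" % apps[0]
        if prefix + "Info.plist" not in entries:
            problems.append("Info.plist missing from the bundle")
            return problems
        info = plistlib.loads(ipa.read(prefix + "Info.plist"))
        exe = prefix + str(info.get("CFBundleExecutable", ""))
        if exe not in entries:
            problems.append("CFBundleExecutable not found in the bundle")
        elif not (entries[exe].external_attr >> 16) & 0o111:
            problems.append("main binary is not marked executable")
    return problems


def make_sample_app(workdir, mode=0o755):
    """Constructed stand-in for an Xcode build product (not a real app)."""
    app = os.path.join(workdir, "HelloWorldiOS.app")
    os.makedirs(app)
    with open(os.path.join(app, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "HelloWorldiOS"}, fh)
    binary = os.path.join(app, "HelloWorldiOS")
    with open(binary, "wb") as fh:
        fh.write(b"placeholder for the Mach-O binary")
    os.chmod(binary, mode)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ipa = build_ipa(make_sample_app(tmp), os.path.join(tmp, "HelloWorldiOS.ipa"))
        with zipfile.ZipFile(ipa) as archive:
            print(archive.namelist())
        print(check_ipa(ipa) or "layout OK")
```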

Now that we have our .ipa file, we can start iFunBox, click the option Install App and then select the .ipa file we just created.

If everything goes well, after a few seconds the installation process will complete and we will have the app installed on the device!

WARNING

Please note that installing .ipa applications through AppSync may sometimes result in a device crash. For this reason, we discourage this technique in favor of the first method we saw: create the .app file, copy it to the /Applications folder and then run Respring.

4.5.6. Edit existing Application files

Again, on jailbroken devices, some of the security features implemented by iOS are disabled. For instance, we can edit application files without causing the apps to crash. If we wanted, we could edit all the images in the Dropbox app folder to permanently put our own logo on the main screen of the app.

We just need to download the files we want to edit to our machine and then upload the new version. In this case we can use iFunBox to browse the app folder, download the .png files we need and then upload them again.

Once we edit the files and upload them back to the device, running the application will show us that the changes have been applied. The app's images now display the eLearnSecurity logo. Simple!

Even though this is a small change, you can imagine how useful it could be if we applied the process to other application files. As we will see later on, patching the app, editing .plist files and other tricks will be very important for security testing.

4.5.7. Keychain dumper

You may remember that a keychain is an encrypted container that holds passwords, cryptographic keys, certificates and text strings for multiple applications and services.

In iOS, each application has access only to its own keychain items.

The keychain is an encrypted sqlite file that contains sensitive data like email addresses, passwords, OAuth-tokens, Wi-Fi passwords, SIM PIN and on and on. As you know, accessing this information is one of the most important steps while analyzing any iDevice.

If you want to know more about keychains, app permissions and so on, please take a peek at the Apple documentation here and here.

The sqlite file is stored at the following location:

/private/var/Keychains/keychain-2.db

but remember, some of its contents are encrypted and can only be read with root permissions.

Let us try to read its content using sqlite3 from SSH:

We can also download the file to our machine and use any sqlite viewer/browser tool.

As you can see from the previous screenshots, things did not go so well. Some of the data contained in the sqlite database is encrypted, but since on jailbroken devices some of the security features are disabled, it is possible to get unencrypted data from the keychain.
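
What a plain SQLite read of the keychain shows without decryption, as an added Python example that is not part of the original course material; it goes slightly beyond the slide by also reporting each item's protection class, which an app developer can use to spot items stored too permissively. The database is constructed in memory, and the table names (genp, inet, cert, keys), the agrp/pdmn/data columns and the class codes are assumptions modelled on the commonly documented keychain-2.db layout.

```python
import sqlite3

# Assumed layout, modelled on commonly documented keychain-2.db schemas:
# one table per item class, with a cleartext access group (agrp), a cleartext
# protection-class code (pdmn) and an encrypted value (data).
ITEM_TABLES = ("genp", "inet", "cert", "keys")
PDMN = {
    "ak": "WhenUnlocked", "aku": "WhenUnlockedThisDeviceOnly",
    "ck": "AfterFirstUnlock", "cku": "AfterFirstUnlockThisDeviceOnly",
    "dk": "Always", "dku": "AlwaysThisDeviceOnly",
}


def fake_blob(seed):
    """Constructed bytes standing in for an encrypted keychain value."""
    return b"\x02\x00\x00\x00" + bytes((7 * i + seed) % 256 for i in range(36))


def build_sample_db():
    """In-memory stand-in for keychain-2.db; every row is made up."""
    conn = sqlite3.connect(":memory:")
    for table in ITEM_TABLES:
        conn.execute("CREATE TABLE %s (agrp TEXT, pdmn TEXT, data BLOB)" % table)
    rows = [
        ("genp", "com.example.notes", "ak", fake_blob(1)),
        ("genp", "com.example.notes", "dk", fake_blob(2)),
        ("genp", "com.example.chat", "ck", fake_blob(3)),
        ("inet", "com.example.mail", "cku", fake_blob(4)),
    ]
    for table, agrp, pdmn, blob in rows:
        conn.execute("INSERT INTO %s VALUES (?, ?, ?)" % table, (agrp, pdmn, blob))
    return conn


def is_opaque(blob):
    """True when the value is not readable text, i.e. it still needs decrypting."""
    try:
        return not bytes(blob).decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return True


def inventory(conn):
    """Return (table, access group, protection class, opaque?) per item."""
    items = []
    for table in ITEM_TABLES:
        query = "SELECT agrp, pdmn, data FROM %s ORDER BY rowid" % table
        for agrp, pdmn, data in conn.execute(query):
            label = PDMN.get(pdmn, "unknown (%s)" % pdmn)
            items.append((table, agrp, label, is_opaque(data)))
    return items


def always_accessible(conn):
    """Items whose class stays available while the device is locked."""
    return [(t, g) for t, g, label, _ in inventory(conn) if label.startswith("Always")]


if __name__ == "__main__":
    db = build_sample_db()
    for row in inventory(db):
        print(row)
    print("review these items:", always_accessible(db))
```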

A very useful and easy-to-use tool that allows us to gather cleartext data from the keychain is keychain_dumper.

It can be downloaded at this link.

Once we download and open the archive, we can see that we have a few files. The one we need is the binary named keychain_dumper.

What we have to do now is to copy this file onto our device. In our case, we will store it in the root folder using Cyberduck (SFTP).

Once the binary is on the device, make sure that it is marked as executable (if not, run chmod +x keychain_dumper) and then we can run it with the following command:

root# ./keychain_dumper

(Also, be sure that the file keychain-2.db is readable)

If everything works, we should be able to see well-organized keychain content in cleartext:

The keys are organized by categories. Here we can see Generic Password as well as Internet Password. This is the default dump from the tool but we can set other flags to dump additional information.

The -h option returns all the flags available, while running the tool with the -a flag will return all the entries stored in the keychain database.

References

- iOS SDK
- iTunes
- iOS Backups
- iExplorer
- iFunBox
- Putty
- VNC Viewer
- Plist Editor (Win OS)
- Sqlite
- Sqlite Master
- BinaryCookies
- Safari Forensics Tools
- iTunes Backup
- iBackupBot
- Cydia
- iTunnel
- BigBoss Recommended Tools
- Filezilla
- CyberDuck
- Veency
- Keychain Service
- iOS Security Doc
- Keychain Dumper