Comments on: Extracting the File System from iPhone/iPad/iPod Touch Devices

By: Faye

Faye — Tue, 29 May 2012 19:55:17 +0000

Hi just wondering if u can advise in best product to buy? I made a backup of my iPhone 4 on my windows 7 pc, I need a password and told that there will be a file called keychain which has it?

By: Jezza

Jezza — Sat, 19 Nov 2011 16:03:08 +0000

Does this mean that: as long as you can neither break the passcode nor the backup encryption password, the data is safe (both on device and/or computer)?

(i.e. from a user point of view a strong passcode and strong backup encryption password is enough to avoid having the data protection cracked?)

Any point in further encrypting the actual sync folder used by the iTunes?

By: Andrey Belenko

Andrey Belenko — Sat, 12 Nov 2011 10:50:54 +0000

Yes, a little: more files are protected with the passcode and escrow keybag can’t be used instead of the passcode for decryption.

By: JK

JK — Wed, 09 Nov 2011 13:39:56 +0000

Does iOS 5 mitigate any of this?

By: Andrey Belenko

Andrey Belenko — Fri, 04 Nov 2011 06:56:09 +0000

1. What you are saying is generally true when getting data from the device itself and not from the backup. Keychain items protected with classes above the kSecAttrAccessibleAlways are impossible to decrypt without the passcode (or the escrow keys in iOS 4). EPPB, however, works only with the backups and the story is slightly different there.
If backup is encrypted and backup password is known then all keychain items from the backup can be decrypted (except for those with …ThisDeviceOnly protection classes). Device passcode protection does not matter here.

2. For developers I’d suggest to use standard system services for storing sensitive data (i.e. use Keychain and do not re-invent the ~~wheel~~ crypto) and to use the most restrictive protection classes for both keychain items and application data files.
For users – use complex passcode, do not connect the device to third-party PCs, use backup encryption.

By: Jerome

Jerome — Thu, 03 Nov 2011 05:38:26 +0000

1) I would assume that if passcode is complex and if the application is storing credentials in keychain with adequate protection attributes (I would assume all attributes would do the job, except the kSecAttrAccessibleAlways), then this information is not accessible by your tool (EBBP). I am correct ?
2) If not, or more generally, do you have some best practices to follow for users AND developers to make sure the information (in keychain items, files, iTunes backup, etc) are well protected and not accessible by your tool ?

By: Devon

Devon — Sun, 11 Sep 2011 22:13:40 +0000

Thanks for this useful information, I will be refering to it for my mobile forensics project. @bob the “wipe device after 10 failed passcode attempts” is useless as the device cracking will be performed in off-line mode if I’m correct?

By: Paul Creswici

Paul Creswici — Thu, 16 Jun 2011 22:05:50 +0000

@Andrey,
It’s precisely that I have to enter the complex password many times a day that makes it workable – repetition of a complex string makes it memorable and practise makes it easy to enter rather than annoying.

By: Andrey Belenko

Andrey Belenko — Mon, 30 May 2011 19:26:12 +0000

@Bob,
1) Escrow keybag is not required. Without both escrow keybag and the passcode we can decrypt almost every file and significant part of the Keychain. Let me say this again: having only the device and not knowing the passcode nor having escrow keybag we can decrypt very significant part of its device contents. FDE on your PC does not help.
2) Do you REALLY use complex alphanumeric passcode (passcode – and not backup password)? You have to enter it like dozens of times a day and I don’t think many people are using something really complex. That quickly becomes annoying. Also, the ‘wipe device after 10 attempts’ is irrelevant here, too, since we bypass all sort of such protections. And it is a ‘game over’ for iOS 4 in some environments with certain security requirements.

By: Bob Walder

Bob Walder — Mon, 30 May 2011 18:31:26 +0000

They did NOT find the keys…. the toolkit relies on 1) Possession of the escrow keybag which is stored on any host PC which has sync’d to the device via iTunes (good luck with that if I store my iTunes backups on an encrypted volume, BTW!) or 2) Brute force attack on the device to break the passcode. What they have done that is cool is shown that they can do this. HOWEVER, since any sensible user with data to protect will use a complex passcode consisting of a larger number of alphanumeric & special characters and NOT a simple 4 digit passcode, then my guess is that on-device cracking of the passcode is not realistic. ALSO, if user has set “wipe device after 10 failed passcode attempts” then…. this stuff makes for good headlines but it is not “game over” for iOS 4 users by any stretch of the imagination