NSFileProtectionNone are encrypted with a key derived from the device UID and the user's passcode. As a result, decryption can happen only on the device itself and requires the correct passcode.

kSecAttrAccessGroup. Access to the Keychain is managed by the securityd daemon, which grants access according to the app's Keychain-access-groups, application-identifier, and application-group entitlements.

SecItemAdd
SecItemUpdate
SecItemCopyMatching
SecItemDelete

kSecAttrAccessible key in the call to SecItemAdd or SecItemUpdate. The following configurable accessibility values for kSecAttrAccessible are the Keychain Data Protection classes:

kSecAttrAccessibleAlways: The data in the Keychain item can always be accessed, regardless of whether the device is locked.
kSecAttrAccessibleAlwaysThisDeviceOnly: The data in the Keychain item can always be accessed, regardless of whether the device is locked. The data won't be included in an iCloud or local backup.
kSecAttrAccessibleAfterFirstUnlock: The data in the Keychain item can't be accessed after a restart until the device has been unlocked once by the user.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly: The data in the Keychain item can't be accessed after a restart until the device has been unlocked once by the user. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
kSecAttrAccessibleWhenUnlocked: The data in the Keychain item can be accessed only while the device is unlocked by the user.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly: The data in the Keychain item can be accessed only while the device is unlocked by the user. The data won't be included in an iCloud or local backup.
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: The data in the Keychain can be accessed only when the device is unlocked. This protection class is only available if a passcode is set on the device. The data won't be included in an iCloud or local backup.

AccessControlFlags define the mechanisms with which users can authenticate the key (SecAccessControlCreateFlags):

kSecAccessControlDevicePasscode: Access the item via a passcode.
kSecAccessControlBiometryAny: Access the item via one of the fingerprints registered to Touch ID. Adding or removing a fingerprint won't invalidate the item.
kSecAccessControlBiometryCurrentSet: Access the item via one of the fingerprints registered to Touch ID. Adding or removing a fingerprint will invalidate the item.
kSecAccessControlUserPresence: Access the item via either one of the registered fingerprints (using Touch ID) or default to the passcode.

kSecAccessControlBiometryAny or kSecAccessControlBiometryCurrentSet) are protected by the Secure Enclave: The Keychain holds a token only, not the actual key. The key resides in the Secure Enclave.

kSecAttrKeyType to indicate the type of algorithm you want to use the key with.

kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute. From iOS 9 onward you can check whether a lock screen is set, using LAContext:

objection command demonstrates this procedure:

NSUserDefaults without additional encryption.

kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly. This ensures the usage of hardware-backed storage mechanisms. Make sure that the AccessControlFlags are set according to the security policy of the keys in the Keychain.

kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave: this indicates that we want to use the Secure Enclave directly.):

NSUserDefaults
NSUserDefaults class provides a programmatic interface for interacting with the default system. The default system allows an application to customize its behavior according to user preferences. Data saved by NSUserDefaults can be viewed in the application bundle. This class stores data in a plist file, but it's meant to be used with small amounts of data.

NSData: creates static data objects, while NSMutableData creates dynamic data objects. NSData and NSMutableData are typically used for data storage, but they are also useful for distributed objects applications, in which data contained in data objects can be copied or moved between applications. The following are methods used to write NSData objects:

NSDataWritingWithoutOverwriting
NSDataWritingFileProtectionNone
NSDataWritingFileProtectionComplete
NSDataWritingFileProtectionCompleteUnlessOpen
NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication

writeToFile: stores data as part of the NSData class
NSSearchPathForDirectoriesInDomains, NSTemporaryDirectory: used to manage file paths
NSFileManager: lets you examine and change the contents of the file system. You can use createFileAtPath to create a file and write to it.

complete encrypted file using the FileManager class. You can find more information in the Apple Developer Documentation "Encrypting Your App’s Files"

Core Data is a framework for managing the model layer of objects in your application. It provides general and automated solutions to common tasks associated with object life cycles and object graph management, including persistence. Core Data can use SQLite as its persistent store, but the framework itself is not a database.

https://<firebaseProjectName>.firebaseio.com/.json

PROJECT_ID key stores the corresponding Firebase project name in the GoogleService-Info.plist file.

/var/mobile/Containers/Data/Application/$APP_ID/

grep -iRn "USERID".

$APP_NAME.imazing. Rename it to $APP_NAME.zip.

Note that tools like iMazing don't copy data directly from the device. They try to extract data from the backups they create. Therefore, getting all the app data that's stored on the iOS device is impossible: not all folders are included in backups. Use a jailbroken device or repackage the app with Frida and use a tool like objection to access all the data and files.
This test is only available on macOS, as Xcode and the iOS simulator are needed.
~/Library/Developer/CoreSimulator/Devices.

ios plist cat plistFileName.plist command to inspect the plist file.

env command. It will print out the locations of the application's Library, Caches and Documents directories:

/var/mobile/Containers/Data/Application/<UUID>) and go to /Library/Caches/<Bundle Identifier>. The WebKit cache is also being stored in the Cache.db file. Objection can open and interact with the database with the command sqlite connect Cache.db, as it is a normal SQLite database.

removeAllCachedResponses
You can call this method as follows:

URLCache.shared.removeAllCachedResponses()

An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn’t store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.
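
The options for keeping HTTP responses out of Cache.db, put side by side as an added example (not code from the original page). The function and class names are hypothetical, and the memory-only delegate assumes delegate-driven data tasks, that is, tasks created without a completion handler.

```swift
import Foundation

/// Ephemeral session: cache, cookies and credentials are held in RAM only,
/// so responses fetched through it never reach Cache.db.
func makeEphemeralSession() -> URLSession {
    URLSession(configuration: .ephemeral)
}

/// Keeps response caching for speed but rewrites every entry to memory-only
/// storage before it is stored. Hypothetical helper class.
final class MemoryOnlyCacheDelegate: NSObject, URLSessionDataDelegate {
    func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
                    willCacheResponse proposedResponse: CachedURLResponse,
                    completionHandler: @escaping (CachedURLResponse?) -> Void) {
        // Same response and body, but the storage policy forbids writing to disk.
        completionHandler(CachedURLResponse(response: proposedResponse.response,
                                            data: proposedResponse.data,
                                            userInfo: proposedResponse.userInfo,
                                            storagePolicy: .allowedInMemoryOnly))
    }
}

/// Default session (persistent cookies and credentials) whose cached
/// responses stay in memory. Assumes delegate-driven data tasks.
func makeMemoryCachedSession() -> URLSession {
    URLSession(configuration: .default,
               delegate: MemoryOnlyCacheDelegate(),
               delegateQueue: nil)
}

/// Removes what the shared cache already holds, for example at logout.
func purgeCachedResponses() {
    URLCache.shared.removeAllCachedResponses()
}
```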

NSLog statements for development and debugging, then disable them before shipping the software. You can do this by adding the following code to the appropriate PREFIX_HEADER (*.pch) file:

/private/var/mobile/Library/Keyboard/dynamic-text.dat.

var autocorrectionType: UITextAutocorrectionType determines whether autocorrection is enabled during typing. When autocorrection is enabled, the text object tracks unknown words and suggests suitable replacements, replacing the typed text automatically unless the user overrides the replacement. The default value of this property is UITextAutocorrectionTypeDefault, which for most input methods enables autocorrection.

var secureTextEntry: BOOL determines whether text copying and text caching are disabled and hides the text being entered for UITextField. The default value of this property is NO.

Interface Builder of Xcode and verify the states of Secure Text Entry and Correction in the Attributes Inspector for the appropriate object.

textObject.autocorrectionType = UITextAutocorrectionTypeNo directive in the desired UITextFields, UITextViews, and UISearchBars. For data that should be masked, such as PINs and passwords, set textObject.secureTextEntry to YES.

Settings > General > Reset > Reset Keyboard Dictionary.

dynamic-text.dat into the following directory (which might be different for iOS versions before 8.0): /private/var/mobile/Library/Keyboard/

launchd. It is the most secure and flexible implementation of IPC on iOS and should be the preferred method. It runs in the most restricted environment possible: sandboxed with no root privilege escalation and minimal file system access and network access. Two different APIs are used with XPC Services:

NSFileCoordinator can be used to manage and send data to and from apps via files that are available on the local file system to various processes. NSFileCoordinator methods run synchronously, so your code will be blocked until they stop executing. That's convenient because you don't have to wait for an asynchronous block callback, but it also means that the methods block the running thread.

connection.h

isSecureTextEntry is set to "true". This option obscures the text input by showing dots.

kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly attribute is set can be decrypted only if the backup is restored to the backed up device. Someone trying to extract this Keychain data from the backup couldn't decrypt it without access to the crypto hardware inside the originating device.

Library/Caches/) and files in the app's private directory.

Documents/ and Library/Application Support/ are always backed up by default, you can exclude files from the backup by calling NSURL setResourceValue:forKey:error: with the NSURLIsExcludedFromBackupKey key.

iTunes is not available anymore from macOS Catalina onwards. Management of an iOS device, including updates, backup and restore, has been moved to the Finder app. The approach remains the same, as described above.
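
The two storage controls discussed above, as an added example that is not part of the original page: a Keychain item created with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly plus an access control flag (covering both the Keychain protection-class passage and the backup passage), and a file written with complete file protection and excluded from backups. StorageError, the function names and the account and service parameters are hypothetical.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum StorageError: Error { case accessControl, keychain(OSStatus) }

/// Stores `secret` so it is readable only on this device, only while a
/// passcode is set, and only after the user authenticates.
func storeSecret(_ secret: Data, account: String, service: String) throws {
    guard let acl = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence,          // biometrics, falling back to the passcode
        nil) else { throw StorageError.accessControl }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Remove an earlier item; SecItemAdd fails with errSecDuplicateItem otherwise.
    _ = SecItemDelete(base as CFDictionary)

    var item = base
    item[kSecValueData as String] = secret
    // The access control object already carries the protection class, so
    // kSecAttrAccessible is not set alongside it.
    item[kSecAttrAccessControl as String] = acl
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw StorageError.keychain(status) }
}

/// Writes `contents` under Library/Application Support with complete file
/// protection and marks the file as excluded from backups.
func writeExcludedFromBackup(_ contents: Data, named name: String) throws -> URL {
    let dir = try FileManager.default.url(for: .applicationSupportDirectory,
                                          in: .userDomainMask,
                                          appropriateFor: nil, create: true)
    var url = dir.appendingPathComponent(name)
    try contents.write(to: url, options: [.atomic, .completeFileProtection])
    var values = URLResourceValues()
    values.isExcludedFromBackup = true   // Swift form of NSURLIsExcludedFromBackupKey
    try url.setResourceValues(values)
    return url
}
```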

net.bither.plist file which contains the pin_code attribute. To remove the UI lock restriction, simply delete the pin_code attribute and save the changes.

net.bither.plist back onto the device using the licensed version of iMazing.

net.bither.plist file. Go ahead and rename the file giving it a plist extension so Xcode can easily open it up for you.

pin_code attribute from the plist and save your changes. Rename the file back to the original name (i.e., without the plist extension) and perform your backup restore. When the restore is complete you'll see that Bither no longer prompts you for the PIN code when launched.

applicationDidEnterBackground method to determine whether the application sanitizes the screen before being backgrounded.

overlayImage.png) whenever the application is backgrounded, overriding the current view:

overlayImage.png whenever the application is backgrounded. It prevents sensitive data leaks because overlayImage.png will always override the current view.

/var/mobile/Containers/Data/Application/$APP_ID/Library/SplashBoard/Snapshots/sceneID:$APP_NAME-default/

char [] and int [], but not NSString or String. Whenever you try to modify an immutable object, such as a String, you actually create a copy and change the copy.

char and int, handling a complex type such as String by value involves a hidden layer of objects, structures, or primitive arrays whose memory can't be directly accessed or modified. Certain types of usage may seem to create a mutable data object (and even be documented as doing so), but they actually create a mutable identifier (variable) instead of an immutable identifier (constant). For example, many think that the following results in a mutable String in Swift, but this is actually an example of a variable whose complex value can be changed (replaced, not modified in place):

Array, Set, and Dictionary), on the other hand, may be acceptable if they collect primitive data types such as char or int and are defined as mutable (i.e., as variables instead of constants), in which case they are more or less equivalent to a primitive array (such as char []). These collections provide memory management, which can result in unidentified copies of the sensitive data in memory if the collection needs to copy the underlying buffer to a different location to extend it.

NSMutableString, may also be acceptable, but these types have the same memory issue as Swift collections. Pay attention when using Objective-C collections; they hold data by reference, and only Objective-C data types are allowed. Therefore, we are looking, not for a mutable collection, but for a collection that references mutable objects.

UITextField as Secure Text Entry or not, it always returns data in the form of a String or NSString.

String and NSString,

strings or rabin2 -zz to extract those strings.

strings.txt in your favorite editor and dig through it to identify sensitive information.

/?) for more information and a list of options. The following shows only a subset of them:

\ after starting the session with r2 frida://usb//<name_of_your_app>.
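
The earlier guidance on keeping secrets in mutable primitive buffers rather than String, as an added example that is not code from the original page. SecretBuffer and demo are hypothetical names; the buffer is allocated once at a fixed size, so no reallocation can leave a stray copy behind, and it is overwritten in place before release.

```swift
import Foundation

/// Fixed-size byte buffer for a secret. It never grows, so the runtime never
/// copies the contents to a new location, and it is zeroed before release.
final class SecretBuffer {
    private let bytes: UnsafeMutableRawBufferPointer

    init(count: Int) {
        precondition(count > 0, "secret must have a non-zero length")
        bytes = UnsafeMutableRawBufferPointer.allocate(byteCount: count, alignment: 1)
        bytes.initializeMemory(as: UInt8.self, repeating: 0)
    }

    /// Gives `body` direct access to the storage; nothing is copied out here.
    func withBytes<R>(_ body: (UnsafeMutableRawBufferPointer) throws -> R) rethrows -> R {
        try body(bytes)
    }

    /// Overwrites the secret in place. memset_s is used because the compiler
    /// may not drop it as a dead store.
    func wipe() {
        _ = memset_s(bytes.baseAddress, bytes.count, 0, bytes.count)
    }

    deinit {
        wipe()
        bytes.deallocate()
    }
}

/// Constructed sample: fill the buffer, wipe it, and return what is left.
func demo() -> [UInt8] {
    let pin = SecretBuffer(count: 4)
    pin.withBytes { $0.copyBytes(from: [0x31, 0x32, 0x33, 0x34]) }  // sample PIN "1234"
    pin.wipe()                                // as soon as the value is no longer needed
    return pin.withBytes { Array($0) }        // four zero bytes after wipe()
}
```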