Tampering iOS backups

Hack Patrol
Mar 14, 2022


Introduction

In the previous post we talked about how the Mobile Verification Toolkit (MVT) automates the process of gathering forensic traces of Pegasus (NSO Group), and how those traces can be tampered with by executing a simple Python script. In this post we show the technical details of how an iPhone backup can be tampered with.

Creating a backup with Finder

In order to make an iPhone backup with macOS Catalina or later, you need to open Finder and follow these steps:

  • Connect your device to your computer with a USB cable.
  • If asked, enter your device passcode and accept the “Trust This Computer” message.
  • Select your device on your computer. (1)
  • Select the “Back up all of the data on your iPhone to this Mac” checkbox. (2)
  • If you want to save the Safari history from your device, you also need to encrypt your backup. (3)
  • Click “Back Up Now”. (4)
  • When the process ends, you can check whether the backup finished successfully: the date and time of your last backup will be shown. (4)
Finder backup screen

Find backup folder on your Mac

iPhone backups are stored in the following path: ~/Library/Application Support/MobileSync/Backup/
In the backup folder there is a single folder per backed-up device, named with a SHA-1 hash. This is the unique identifier of the device: even if the device is renamed, or backed up to another computer with a different Apple ID, the folder will have the same SHA-1 hash name.

Backup structure

Inside the backup folder there are different folders, all of them named with two hexadecimal characters, from 00 to ff, each containing files with no extension.
In addition to these folders there are also four information files: Info.plist, Manifest.plist, Manifest.db and Status.plist.

Info.plist

Info.plist is a plain text plist which stores the device details, such as device name, build version, IMEI, phone number, last backup date, product version, product type, serial number, sync settings and a list of the application names installed on the device, among others.

Manifest.plist

Manifest.plist is a binary plist which provides information about the backup itself:

  • IsEncrypted: flag indicating whether the iTunes backup is encrypted.
  • WasPasscodeSet: flag indicating whether the device has a passcode lock.
  • Date: stores the first sync date of the device.
  • Lockdown/com.apple.mobile.data_sync
  • ManifestKey & BackupKeyBag
  • Applications: installed applications
$ plistutil -i Manifest.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IsEncrypted</key>
<true/>
<key>Version</key>
<string>10.0</string>
<key>Date</key>
<date>2022-01-24T15:35:25Z</date>
<key>SystemDomainsVersion</key>
<string>24.0</string>
<key>ManifestKey</key>
<data>
BASE64_KEY
</data>
<key>WasPasscodeSet</key>
<true/>
<key>Lockdown</key>
<dict>
<key>com.apple.MobileDeviceCrashCopy</key>
<dict/>
...
<key>ProductVersion</key>
<string>14.1</string>
<key>ProductType</key>
<string>iPhone11,2</string>
<key>BuildVersion</key>
<string>18B92</string>
<key>com.apple.mobile.iTunes.accessories</key>
<dict/>
<key>com.apple.mobile.wireless_lockdown</key>
<dict/>
<key>UniqueDeviceID</key>
<string>FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF</string>
<key>SerialNumber</key>
<string>FFFFFFFFFFFF</string>
<key>DeviceName</key>
<string>iPhone</string>
</dict>
<key>Applications</key>
<dict>
...
</dict>
<key>BackupKeyBag</key>
<data>
BASE64_KEY
</data>
</dict>
</plist>

Status.plist

Status.plist is a binary plist which contains less data than the previous files. It holds details about the backup such as:

  • IsFullBackup: indicates if the backup is a complete backup or a partial one.
  • Version: indicates backup version (2.4, 3.2, etc). This field can be used to find out the structure of the rest of the backup.
    For version 2.4 (seen on iOS 9 Devices): all the files are contained in the same directory.
    For version 3.2, 3.3: backup Files are separated into folders based on the first two characters of the filename.
  • UUID: device UUID.
  • Date: date when the backup was made.
  • BackupState: new.
  • SnapshotState: finished, in progress, etc.
$ plistutil -i Status.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IsFullBackup</key>
<false/>
<key>Version</key>
<string>3.3</string>
<key>UUID</key>
<string>FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</string>
<key>Date</key>
<date>2020-10-01T16:58:07Z</date>
<key>BackupState</key>
<string>new</string>
<key>SnapshotState</key>
<string>finished</string>
</dict>
</plist>

Manifest.db

It is a SQLite database which contains two tables:

  • Files: contains every single file that is backed up to the computer. Its columns are:
  1. fileID: correlates to a folder and a file in the directory where the backups are stored.
  2. domain: the specific app the file comes from.
  3. relativePath: the actual file or folder path as it resided on the device.
  4. flags: shows whether the item is a file or a folder: 1 = File, 2 = Folder, 4 = Unknown and not actually present in the backup folders.
  5. file: a plist stored inside the database for each file and folder, which contains further metadata.
  • Properties: this table has two fields, key TEXT PRIMARY KEY and value BLOB. No metadata was stored in it in the backup analyzed.
Manifest.db database schema

Understanding hashed file names in iOS backups

When a backup is performed, important data is saved into different files within the backup folder. The filenames are encoded as SHA-1 hashes of the file's domain concatenated with its relative path: sha1(domain + '-' + relative_filename). The following are the most relevant ones for our tool:

3d0d7e5fb2ce288813306e4d4636395e047a3d28: Library/SMS/sms.db
1a0e7afc19d307da602ccdcece51af33afe92c53: Library/Safari/History.db
faf971ce92c3ac508c018dce1bef2a8b8e9838f1: Library/Application Support/Google/Chrome/Default/History
a690d7769cce8904ca2b67320b107c8fe5f79412: Library/Caches/locationd/clients.plist
0d609c54856a9bb2d56729df1d68f2958a88426b: Library/Databases/DataUsage.sqlite
64d0019cb3d46bfc8cce545a8ba54b93e7ea9347: Library/TCC/TCC.db
f65b5fafc69bbd3c60be019c6e938e146825fa83: Library/Preferences/com.apple.osanalytics.addaily.plist
3a47b0981ed7c10f3e2800aa66bac96a3b5db28e: Library/Safari/BrowserState.db

Modifying iOS backup

In order to modify an iPhone backup's files, the following operations are needed:

  1. Create an iPhone backup via Finder.
  2. Check whether the backup is encrypted: read the Manifest.plist file and get the value of the IsEncrypted flag.
  3. Tamper with the backup: if the backup is encrypted, every file needs to be decrypted before it is read and encrypted again after it is modified.
  4. Update Manifest.db:
  • If the backup is encrypted, Manifest.db needs to be decrypted before reading it and encrypted again after writing it.
  • Query the modified file by fileID (e.g. if the Safari browsing history has been modified, filter by: 3d0d7e5fb2ce288813306e4d4636395e047a3d28).
  • Read the file field as a plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>$archiver</key>
<string>NSKeyedArchiver</string>
<key>$objects</key>
<array>
<string>$null</string>
<dict>
<key>$class</key>
<dict>
<key>CF$UID</key>
<integer>4</integer>
</dict>
<key>Birth</key>
<integer>1643123456</integer>
<key>Digest</key>
<dict>
<key>CF$UID</key>
<integer>3</integer>
</dict>
...
...
<key>Size</key>
<integer>
MODIFIED_SIZE
</integer>
<key>UserID</key>
<integer>501</integer>
</dict>
<string>Library/SMS/sms.db</string>
<data>
MODIFIED_DIGEST
</data>
<dict>
<key>$classes</key>
<array>
<string>MBFile</string>
<string>NSObject</string>
</array>
<key>$classname</key>
<string>MBFile</string>
</dict>
</array>
<key>$top</key>
<dict>
<key>root</key>
<dict>
<key>CF$UID</key>
<integer>1</integer>
</dict>
</dict>
<key>$version</key>
<integer>100000</integer>
</dict>
</plist>
  • Modify the Size and Digest fields and save it.
  5. Restore the iPhone backup via Finder and check whether the modified files appear on it.
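As an added example (not code from the post or from MVT), the following Python script ties together the fileID derivation from the hashed file names section and the Manifest.db file blob read in step 4: it rebuilds the fileID from domain and relativePath, unarchives the MBFile plist, and flags any file whose on-disk size no longer matches the Size recorded in Manifest.db, which is the consistency check an analyst can run on a backup before trusting its traces. It assumes an unencrypted backup, the HomeDomain domain for Library/SMS/sms.db (not named in the post) and only a subset of the MBFile keys; the one-file sample backup, its contents and its digest are constructed.

```python
import contextlib, hashlib, os, plistlib, sqlite3

def backup_file_id(domain, relative_path):
    # fileID = sha1(domain + '-' + relativePath): the name of the file inside the backup folder
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def mbfile_blob(relative_path, size, digest):
    # Constructed NSKeyedArchiver "file" blob carrying a subset of the MBFile keys shown in the post
    u = plistlib.UID
    objs = ["$null", {"$class": u(4), "RelativePath": u(2), "Digest": u(3), "Size": size},
            relative_path, digest, {"$classes": ["MBFile", "NSObject"], "$classname": "MBFile"}]
    archive = {"$archiver": "NSKeyedArchiver", "$top": {"root": u(1)}, "$objects": objs}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)

def unarchive_mbfile(blob):
    # Resolve the CF$UID references so RelativePath, Digest and Size come back as plain values
    archive = plistlib.loads(blob)
    objs = archive["$objects"]
    root = objs[archive["$top"]["root"].data]
    return {k: (objs[v.data] if isinstance(v, plistlib.UID) else v)
            for k, v in root.items() if k != "$class"}

def check_backup(backup_dir):
    # Check each regular file (flags = 1) in Manifest.db against disk; assumes an unencrypted backup
    findings = []
    with contextlib.closing(sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))) as con:
        for file_id, domain, rel, blob in con.execute(
                "SELECT fileID, domain, relativePath, file FROM Files WHERE flags = 1"):
            if backup_file_id(domain, rel) != file_id:
                findings.append((file_id, "fileID is not sha1(domain-relativePath)"))
            meta = unarchive_mbfile(blob)
            path = os.path.join(backup_dir, file_id[:2], file_id)
            actual = os.path.getsize(path) if os.path.isfile(path) else None
            if actual != meta["Size"]:
                findings.append((file_id, f"Manifest Size {meta['Size']} != on-disk {actual}"))
    return findings

def build_sample_backup(backup_dir, content=b"SQLite format 3\x00" + bytes(48)):
    # Constructed one-file backup: HomeDomain/Library/SMS/sms.db, i.e. fileID 3d0d7e5f... from the post
    domain, rel = "HomeDomain", "Library/SMS/sms.db"
    file_id = backup_file_id(domain, rel)
    os.makedirs(os.path.join(backup_dir, file_id[:2]), exist_ok=True)
    with open(os.path.join(backup_dir, file_id[:2], file_id), "wb") as f:
        f.write(content)
    with contextlib.closing(sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))) as con, con:
        con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                    "relativePath TEXT, flags INTEGER, file BLOB)")
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, ?)",
                    (file_id, domain, rel, mbfile_blob(rel, len(content), hashlib.sha1(content).digest())))
    return file_id
```

Appending bytes to the sample sms.db without updating Manifest.db makes check_backup() return a single Size mismatch finding for fileID 3d0d7e5fb2ce288813306e4d4636395e047a3d28.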
