
Extracting data protection class from files on iOS

October 18

On iOS, every file is encrypted with a unique encryption key, as illustrated in the image. The content of a file is encrypted with a per-file key, which is wrapped with a class key (data protection class key) and stored in the file's metadata, which is in turn encrypted with the file system key (EMF key). The file system key is generated from the hardware UID. The UID is unique per device, embedded in hardware, and inaccessible to code running on the CPU.

iOS Files encryption

Imagine a file that is encrypted only with the file system key. With physical access to the device, custom ramdisk techniques (e.g. msft_guy automated custom ramdisk) can be used to steal the file from a passcode-protected device. To overcome this problem, Data Protection was introduced. Data protection protects data at rest on iOS devices using encryption keys that are tied to the device passcode and the UID. So if a file is protected with a data protection class and the user sets a passcode for the device, an attacker cannot access the file using the custom ramdisk technique without knowing the passcode. Put simply, data protection adds another layer of security to files by encrypting them with a key generated from the passcode.

File protection is enabled by setting an accessibility constant as the value of the NSFileProtectionKey file attribute. The file is then encrypted with the protection class key that corresponds to the accessibility constant set for it.

Ex: If a file is marked with the NSFileProtectionComplete accessibility constant, the file is encrypted with the Class 1 protection class key and is available only when the user unlocks the device. If a file is created without specifying any accessibility constant, it is marked as NSFileProtectionNone and is accessible even when the device is locked. The accessibility constants available for files are listed in the table below.

data protection classes for files in iOS

I wrote a program (FileDP) that, when executed, takes a file as input and displays the accessibility constant of that file. The accessibility constant determines the type of class key. This would help during iOS application security assessments to identify whether sensitive files are protected with data protection or not.

Extracting data protection accessibility constant from files:
1. Download FileDP.
2. Copy FileDP to the iPhone over SSH using Cyberduck or WinSCP.
3. Open a terminal or PuTTY and connect to the iPhone over SSH.
4. In the SSH terminal, use the command below to give FileDP executable permissions.

chmod 777 FileDP

5. Use the command below to list the data protection accessibility constant of a file, or of all the files in a directory.

./FileDP -[F/D] [FilePath/DirectoryPath]

data protection of all files in a directory
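
The same attribute can be checked by a developer from inside their own app. The following is an added example, not FileDP's source or code from the original post: it uses NSFileManager's attributesOfItemAtPath:error: to read NSFileProtectionKey for every regular file under a directory and flags those marked NSFileProtectionNone. The function name UnprotectedFiles and the choice to also flag files that carry no protection attribute are assumptions made for this example.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper (not part of FileDP): returns the relative paths under
// `dir` whose protection class is NSFileProtectionNone. Files that report no
// NSFileProtectionKey at all are flagged too (a conservative assumption).
static NSArray<NSString *> *UnprotectedFiles(NSString *dir) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSMutableArray<NSString *> *flagged = [NSMutableArray array];

    for (NSString *rel in [fm enumeratorAtPath:dir]) {
        NSString *path = [dir stringByAppendingPathComponent:rel];
        NSError *err = nil;
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:&err];
        if (attrs == nil) {
            NSLog(@"%@: cannot read attributes (%@)", rel, err.localizedDescription);
            continue;
        }
        // Skip directories, symlinks and other non-regular entries.
        if (![attrs[NSFileType] isEqualToString:NSFileTypeRegular]) {
            continue;
        }
        NSString *cls = attrs[NSFileProtectionKey];
        NSLog(@"%@: %@", rel, cls ?: @"(no protection attribute)");
        if (cls == nil || [cls isEqualToString:NSFileProtectionNone]) {
            [flagged addObject:rel];
        }
    }
    return flagged;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // With no argument, audit the calling process's home directory
        // (the sandbox container when run inside an app).
        NSString *dir = argc > 1 ? @(argv[1]) : NSHomeDirectory();
        NSArray<NSString *> *flagged = UnprotectedFiles(dir);
        NSLog(@"%lu file(s) without passcode-bound protection",
              (unsigned long)flagged.count);
        return flagged.count == 0 ? 0 : 1;
    }
}
```

A flagged file can be given a stronger class with -[NSFileManager setAttributes:ofItemAtPath:error:], passing an NSFileProtectionKey value such as NSFileProtectionComplete.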

After running FileDP against an iOS application directory, I noticed that the app preferences plist is not protected by data protection and is marked as NSFileProtectionNone. The preferences plist is used by many applications to store configuration details and sensitive details like usernames, session cookies and authentication tokens. The preferences plist is usually generated by Xcode and the user has no control over the file attributes.

Ex: Facebook preferences plist – com.Facebook.Facebook.plist contains user authentication tokens and cookies. The below image shows that it is marked as NSFileProtectionNone.

data protection of a file on iPhone

 

Posted by on October 18, 2012 in iPhone


8 responses to “Extracting data protection class from files on iOS”

  1. jhaddix

    April 3, 2013 at 1:46 pm

    Got a new version?

    enders-iPad:~ root# chmod 777 FileDP
    enders-iPad:~ root# ./FileDP
    -sh: ./FileDP: Malformed Mach-o file

     
    • satishb3

      April 3, 2013 at 2:19 pm

      I guess my FTP client screwed the file while uploading. Will upload a new file in zip format in an hour.

       
    • satishb3

      April 3, 2013 at 2:35 pm

      jhaddix, just fixed the download link. check now.

       
      • jhaddix

        April 3, 2013 at 8:34 pm

        works perfectly now, ty. btw we added it to the OWASP ios security testing cheatsheet. Do you have any other tools you want added?

         
        • satishb3

          April 3, 2013 at 8:40 pm

          Cool. I have another tool, BinaryCookieReader, and it's already added to the list.

           
