Most of the iOS applications store sensitive information like usernames, passwords & transaction details, etc.. either permanently or temporarily on the iPhone to provide offline access for the user. In general, to store large and complex data, iOS applications use the Sqlite database as it offers good memory usage and speed access. For example, to provide offline access Gmail iOS application stores all the emails in a Sqlite database file in plain text format. Facebook iOS application stores all the friends details in Sqlite files.
Unencrypted sensitive information stored in a Sqlite file can be stolen easily upon gaining physical access to the device or from the iTunes backup. Also, if an entry is deleted, Sqlite tags the record as deleted but not purge them. So in case if an application temporarily stores and removes the sensitive data from a Sqlite file, deleted data can be recovered easily by reading the Sqlite Write Ahead Log.
The below article explains on how to view Sqlite files and how to recover the deleted data from Sqlite files on the iPhone. For this exercise, I have created a demo application called CardInfo. CardInfo is a self signed application, so it can only be installed on a Jailbroken iPhone. The CardInfo demo application accepts any username & password, then collects the credit card details from the user and stores it in a Sqlite database. Database entries are deleted upon logout from the app.
Steps to install the CardInfo application:
1. Jailbreak the iPhone.
2. Download CardInfoDemo,ipa file – Download link.
3. On the Windows, download the iPhone configuration utility – Download link.
4. Open the iPhone configuration utility and drag the CardInfoDemo.ipa file on to it.
5. Connect the iPhone to the windows machine using USB cable. Notice that the connected device is listed in the iPhone configuration utility. Select the device and navigate to Applications tab. It lists already installed applications along with our CardInfo demo app.
6. Click on Install button corresponding to the CardInfo application.
7. It installs the CardInfo application on to the iPhone.
When an application is installed on the iPhone, it creates a directory with an unique identifier under /var/mobile/Applications directory. Everything that is required for an application to execute will be contained in the created home directory and it is known as bundle directory.
Steps to view CardInfo Sqlite files:
1. On the Jailbroken iPhone, install OpenSSH and Sqlite3 from Cydia.
2. On windows workstation, download Putty.
3. Connect the iPhone and the workstation to the same Wi-Fi network.
Note: Wi-Fi is required to connect the iPhone over SSH. If the Wi-Fi connection is not available SSH into the iPhone over USB.
4. Run Putty and SSH into the iPhone by typing the iPhone IP address, root as username and alpine as password.
5. Navigate to /var/mobile/Applications/ folder and identify the CardInfo application directory using ‘find . –name CardInfo’ command. On my iPhone CardInfo application is installed on the – /var/mobile/Application/B02A125C-B97E-4207-911B-C136B1A08687/ directory.
6. Navigate to the /var/mobile/Application/B02A125C-B97E-4207-911B-C136B1A08687/CardInfo.app directory and notice CARDDATABASE.sqlite3 database file.
7. Sqlite database files on a Jailbroken iPhone can be viewed directly using Sqlite3 command line client. View CARDDATABASE.sqlite3 and notice that CARDINFO table is empty.
8. On the iPhone, open CardInfo application and login (works for any username and password).
9.Enter credit card details and click on Save button. In the background, it saves the card details in the Sqlite database.
10. View CARDDATABASE.sqlite3 and notice that CARDINFO table contains the credit card details data.
11. Logout from the application on the iPhone. In the background, it deletes the data from the Sqlite database.
12. Now view CARDDATABASE.sqlite3 and notice that CARDINFO table is empty.
Steps to recover the deleted data from CardInfo Sqlite file:
Sqlite database engine writes the data into Write Ahead Log before storing it in the actual database file, to recover from system failures. Upon every checkpoint or commit, the data in the WAL is written into the database file. So if an entry is deleted from the Sqlite database and there is no immediate commit query, we can easily recover the deleted data by reading the WAL. In case of iOS, strings command can be used to print the deleted data from a Sqlite file. In our case, running ‘strings CARDDATABASE.sqlite3’ command prints the deleted card details.
In iOS, if an application uses the Sqlite database for temporary storage, there is always a possibility to recover the deleted temporary data from the database file.
For better security, use custom encryption while storing the sensitive data in Sqlite database. Also, before deleting a Sqlite record, overwrite that entry with junk data. So even if someone tries to recover the deleted data from Sqlite, they will not get the actual data.