On the iPhone, the keychain is a SQLite database that stores sensitive data on the device. Apple's keychain service is a library/API that developers can use to store sensitive information securely on an iOS device. Instead of keeping secrets in plaintext configuration files, developers can have the operating system store them on their behalf through the keychain services.
The keychain is encrypted with a hardware key. This key is unique per device and is not accessible even to the OS running on the device. So even if someone obtains the keychain db file through a remote attack (remember the Android malware that stole sqlite .db files and sent them to a remote server), they cannot decrypt and view its contents. The keychain also restricts which applications can access the stored data. Each application on the device has a unique application-identifier (carried in its entitlements), and the keychain service restricts the data an application can access based on this identifier. By default, an application can only access data associated with its own application-identifier. Later Apple introduced keychain access groups, so applications that belong to the same group can share keychain items.
On a jailbroken device, all keychain entries can be accessed by writing an application and making it a member of every keychain access group.
One such tool, designed to grab all the keychain entries, is keychain dumper: https://github.com/ptoomey3/Keychain-Dumper
Copy keychain_dumper to the iPhone over SSH and run the command below in the SSH terminal. It extracts all the keychain access groups from keychain-2.db and stores them in an XML file.
./keychain_dumper -e /var/tmp/entitlements.xml
Using ldid and the entitlements XML file, we can make the keychain_dumper binary a member of all keychain access groups.
ldid -S/var/tmp/entitlements.xml keychain_dumper
Now running keychain_dumper reads all the entries from the keychain and displays them on the terminal.
On newer versions of iOS (v5), running this tool fails with a "Killed: 9" error.
The problem is that the iOS kernel checks the binary's code signature in several places, and jailbreak tools cannot patch every one of these signature checks. When we copy keychain_dumper to the iPhone, it carries no signature, so running the binary exits with the "Killed: 9" message because the kernel has no signature for keychain_dumper.
To get rid of this problem, add the signature of keychain_dumper to the kernel cache (its list of hashes) by running the command below. After adding the signature, you can run the remaining commands to dump the keychain entries.
ldid -S keychain_dumper
But on newer versions (5.0.1) this workaround does not work, because ldid has to be run twice with the -S option: the second run tries to overwrite the binary's hash in the kernel cache and fails. So follow the steps listed below to use keychain_dumper on newer versions of iOS.
1. Copy keychain_dumper to the iPhone over SSH.
2. Manually dump the keychain access groups with the sqlite3 command.
> sqlite3 /var/Keychains/keychain-2.db "select agrp from genp"
Running this command on my phone listed three access groups.
- apple, com.apple.apsd, com.apple.cfnetwork
3. Create an XML file similar to the sample shown below, listing all the keychain access groups returned by the above command (paste each keychain group name in a string tag).
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
4. Copy the XML file to the /var/tmp folder on the iPhone (the command below assumes it is saved as /var/tmp/ent.xml).
5. Run the command below to sign keychain_dumper with these entitlements, then run keychain_dumper to dump the keychain entries.
> ldid -S/var/tmp/ent.xml keychain_dumper
To run keychain_dumper again, repeat all of the steps.
A new version of keychain dumper has been released, so you will no longer face the "Killed: 9" problem.
More details are available at: http://labs.neohapsis.com/2012/01/25/keychain-dumper-updated-for-ios-5/
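Steps 2 and 3 above as a script, added here as an example (not part of the original post or of the Keychain-Dumper project): it reads the distinct access groups out of a copy of keychain-2.db and renders the entitlements plist. It assumes the keychain-access-groups entitlement key and that the inet, cert and keys tables carry the same agrp column as genp; the embedded database is constructed for the demo.

```python
import plistlib
import sqlite3
import sys

# Tables of keychain-2.db that carry an access-group (agrp) column. The post
# queries only genp; inet, cert and keys are assumed to share the column
# (an assumption about the schema, verify it on the device you assess).
KEYCHAIN_TABLES = ("genp", "inet", "cert", "keys")

def access_groups(conn):
    """Return the sorted distinct access groups found in the keychain db."""
    groups = set()
    for table in KEYCHAIN_TABLES:  # fixed names, nothing user-supplied
        try:
            rows = conn.execute(f"SELECT DISTINCT agrp FROM {table}")
        except sqlite3.OperationalError:
            continue  # table missing on this iOS build; skip it
        groups.update(row[0] for row in rows if row[0])
    return sorted(groups)

def entitlements_plist(groups):
    """Render the entitlements plist that lists every access group."""
    # keychain-access-groups is the entitlement the keychain service checks
    # (assumed here; the post's sample plist is truncated before its body).
    return plistlib.dumps({"keychain-access-groups": list(groups)},
                          fmt=plistlib.FMT_XML)

def sample_db():
    """Constructed in-memory stand-in for /var/Keychains/keychain-2.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE genp (agrp TEXT, svce TEXT)")
    conn.execute("CREATE TABLE inet (agrp TEXT, srvr TEXT)")
    conn.executemany("INSERT INTO genp VALUES (?, ?)", [
        ("apple", "AirPort"), ("com.apple.apsd", "push"),
        ("com.apple.cfnetwork", "cookies"), ("apple", "Wi-Fi")])  # duplicate
    conn.executemany("INSERT INTO inet VALUES (?, ?)", [
        ("com.apple.cfnetwork", "mail.example.com")])
    return conn

if __name__ == "__main__":
    # Usage: python gen_ent.py [path/to/keychain-2.db] > ent.xml
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else sample_db()
    sys.stdout.buffer.write(entitlements_plist(access_groups(db)))
```

Unlike the raw `select agrp from genp`, the query deduplicates the groups, so each one appears in the plist exactly once.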