When people's interest in mobile technologies is analyzed, it is clear that the “i” series, Apple's products, are number one. There is no doubt that they are a miracle of design. When you first use these products, you are attracted by either their physical compactness or their look and feel.
Apple is not only interested in the attractiveness of these products, but is also trying to solve security issues in depth. However, the problem is not so easy :)
Actually, it is believed that non-jailbroken Apple products are strongly sealed against penetration and leakage. Is it really like that? Of course NOT!
From the very first use of an iPxxx, you have to connect the device to a computer for activation, software installation/upgrade, synchronization and backup. Do you think that your data on the phone is really sealed after all? Think again. Let’s have a look at what’s happening.
As you know, this is the iTunes screen shown when the iPxxx is connected to your computer. There are some options for the operations you perform. The “Encrypt iPxxx backup” option is directly related to the confidentiality of your data when you back up your device.
The first question is, “What is backed up?”.
- Almost everything on your phone is backed up: your contacts, call history, notes, calendar, settings, the Wi-Fi networks you have connected to, photos, location data, application data, browsing history, etc.
The second question is, “How is it stored on the computer?”.
- It is stored in the form you selected. If you select the encryption option, all the data is stored encrypted with 128-bit AES in CBC mode (symmetric-key encryption). However, if you do not select this option, all your data is stored in cleartext on your computer.
Then the third question is, “Where is all the backed-up data stored?”.
- You can check it out from your iTunes settings.
- Default location for Mac OS: “~/Library/Application\ Support/MobileSync/Backup/XXXX”
- Default location for Microsoft Windows: “C:\Documents and Settings\YourUserName\Application Data\Apple Computer\MobileSync\Backup\XXXX” (Here XXXX is the UDID of your device, as shown in iTunes)
When you list the contents of the backup directory, you are faced with ambiguous file names.
At a glance, you realise that there are pairs of files with the same name but different extensions: “.mddata” and “.mdinfo” files.
- The “.mdinfo” file contains the metadata about the file, such as the category or type of information (e.g., Address Book, SMS, Call History, etc.).
- The “.mddata” file contains the actual content for that file.
So let’s look at the output of the file command for all the files and, since we know that the iPxxx stores its data in SQLite databases, filter for databases.
Hmm, actually the file command revealed circa 50 database files. Now just use SQLite to dig deeper. I’ve selected some of these database files and interpreted their contents; here are the samples and the outputs:
The tables in this file are not valuable.
Here I found the calendar entries.
This file contains the contacts.
These are the samples that I’ve checked. I should also mention that there are several ASCII text files, XML files and other types of files that contain various forms of data. Additionally, keep in mind that the backup file names, database structures and table formats may differ depending on the device type, the iOS version and the iTunes version. However, the searching and accessing methods will be the same for an attacker to find and steal these, and maybe much more confidential, data from your unencrypted iPxxx device backup. You should keep your device backups encrypted to feel much more comfortable.
Do not forget that motivation is the most powerful weapon of an attacker…
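To check your own machine for backups stored this way, the sketch below does what the file command did above: it reads the first bytes of every file under the MobileSync backup folder and reports which backups still contain readable SQLite databases. It is an added example, not code from the original post; the function names, the sample folder names and the sample files are constructed for illustration, and it assumes that encrypted content never begins with the SQLite header.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite(path):
    """True if the file starts with the SQLite 3 header, as `file` would report."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def audit_backup_root(root):
    """Map each backup folder (named by UDID) to its readable SQLite files."""
    report = {}
    for folder in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        hits = [str(f.relative_to(folder)) for f in folder.rglob("*")
                if f.is_file() and is_sqlite(f)]
        report[folder.name] = sorted(hits)
    return report


def build_sample_root():
    """Constructed sample: one cleartext-style and one encrypted-style backup."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync_sample_"))
    clear, sealed = root / "UDID-CLEAR", root / "UDID-SEALED"
    clear.mkdir()
    sealed.mkdir()
    con = sqlite3.connect(str(clear / "aaaa.mddata"))
    con.execute("CREATE TABLE constructed (x TEXT)")
    con.commit()
    con.close()
    (clear / "aaaa.mdinfo").write_bytes(b"constructed metadata, not a database")
    (sealed / "bbbb.mddata").write_bytes(os.urandom(4096))  # stands in for ciphertext
    return str(root)


if __name__ == "__main__":
    for udid, hits in audit_backup_root(build_sample_root()).items():
        state = "cleartext databases present" if hits else "no readable databases"
        print(f"{udid}: {state} ({len(hits)} file(s))")
```

Point `audit_backup_root` at the default backup location listed earlier to audit real backups; any folder with a non-empty list was made without the “Encrypt iPxxx backup” option.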









