Extracting Apple Health Data from iCloud

November 29th, 2018 by Oleg Afonin
Category: «Clouds», «Did you know that...?», «Elcomsoft News», «Industry News», «Tips & Tricks»

Heartrate, sleeping habits, workouts, steps and walking routines are just a few things that come to mind when we speak of Apple Health. Introduced in September 2014 with iOS 8, the Apple Health app is pre-installed on all iPhones. The app makes use of low-energy sensors, constantly collecting information about the user’s physical activities. With optional extra hardware (e.g. Apple Watch), Apple Health can collect significantly more information. In this article we’ll talk about the types of evidence collected by Apple Health, how they are stored and how to extract the data.

Data Collected by Apple Health

When you open the Health app, you immediately notice four data categories: Activity, Nutrition, Sleep and Mindfulness.

Activity contains information on how much you move. If only iPhone hardware is used, this section will contain information about steps, running and walking. Additional information is available with Apple Watch and sport trackers.

Nutrition contains a breakdown of your diet. No, your iPhone does not watch you eat; this section is supposed to be filled out by the user.

Sleep details your sleeping habits. This is especially informative if you wear the Apple Watch.

Mindfulness, the opposite of Sleep. In current versions of iOS native support limited to Mindful Minutes, Activity and Sleep; third-party apps help build out your mindfulness data. Pretty meaningless in its current state, may improve in future versions of iOS

In addition to the four main categories, there are the following types of data:

Body Measurements: your height and weight (you must type it in)

Health Records: СDA and Health Records

Heart: your blood pressure and heart rate measurements (requires additional hardware such as Apple Watch)

Reproductive Health: information about sexual activity and menstruation cycles

Results: various medical test results (e.g. sugar level)

Vitals: blood pressure, body temperature, heart rate, breathing rate

Medical ID: essential medical data

Health Records and Clinical Document Architecture (CDA)

The Clinical Document Architecture (CDA) was developed to facilitate electronic transferring of health information across medical facilities. CDA is widely used by medical facilities in the US, UK and Australia. CDA information is stored and transferred in the XML format.

Apple Health is compatible with the CDA standard. All CDA documents are stored under Health Records. In fact, older versions of iOS prior to iOS 11 only contained CDA documents in the Health Records section. Starting with iOS 11, this section may contain additional information obtained from other sources.

A CDA document is entered to Apple Health if you received the complete file (e.g. from a hospital) and opened it with the Apple Health app. It appears that, once registered, CDA documents become part of synchronized data, and will be stored in your iCloud account.

CDA documents contain highly sensitive medical information. The fact that CDA information registered with the Health app is routinely synced to iCloud is a bit alarming considering that at least some Health data is stored in the cloud without additional encryption.

Apple introduced Health Records back in March 2018, with 39 US hospitals joined at the time of introduction. Today, many more medical facilities participate in the Health Record network. The number of participating facilities quickly growing.

Apple Health Records are based on FHIR (Fast Healthcare Interoperability Resources) interoperability via HealthKit. In addition to basic health data, Apple Health Records contain information about allergies, chronic diseases, immunizations, lab tests, prescriptions, studies and so on.

With your permission, third-party apps may access your Health data. Can you trust those apps? In particular, can you trust that they will keep your information at least as secure as Apple? We know that other types of data had leaked before (Celebgate and location leaks). Leaked Health data could be used for phishing and defrauding and to show targeted advertising.

Sources of Health Data: Where Apple Health Gets Data From

How comes Apple know so much about the user? While you may enter some of that data manually in the Health app (e.g. your height and weights), most real-time information and measurements are received from HealthKit devices such as the iPhone, Apple Watch, fitness trackers and third-party apps (Nike+, Strava, Workouts++ etc.) HealthKit compatible apps and devices submit information for the Mindfulness, Heart and Activity categories, and may include measurements such as heart rate or blood pressure. Information is submitted automatically; it is stored in the Apple Health app and, unsurprisingly, shared via iCloud.

The App Store contains an abundance of third-party apps compatible with HealthKit that automatically submit data. Nike+, Strava, Workouts++ and hundreds others support many different data categories and can access everything in the Health app except Health Records and Medical ID. The Health app has a list of “Recommended” third-party apps for collecting data in each data category. Users must manually activate third-party apps in their respective categories under Health > Sources.

The one exception to automatic data submission is Apple Watch. The Watch collects sleep data, but does automatically submit Sleep information (although third-party apps may be used).

The Apple Watch

Unsurprisingly, the Apple Watch is among the biggest contributors to the data collected by the Health app. In addition to any information collected by the iPhone, Apple Watch can measure the user’s heart rate, detect whether the user is standing or exercising, and calculate the number of calories burned. The step counter built into Apple Watch is also more accurate than the one in the iPhone. The latest Apple Watch 4 supports ECG (Electrocardiogram) (at this time, only in the US).

Apple Watch supports third-party apps such as Pedometer++ or Runkeeper, and even supports applications that are able to track users’ sleeping habits. All of that data is also transferred into the Apple Health app.

The 4th generation Apple Watch has one particularly interesting new feature: the fall detection. By default, the feature is automatically activated only for senior users, but can be enabled manually by the user. Once activated, fall detection is able to recognize three distinct falling patterns. The feature can be configured to automatically call an emergency number.

Fall detection information can be an essential bit of evidence, providing an exact timestamp (down to the second) of the crime. Apple Watch logs and syncs fall events with the iPhone; the data is received by the Apple Health app and automatically synced with iCloud. As a result, this data may be available even if both the phone and the watch are taken from the victim.

Apple Health Security

We wrote a separate article on Apple Health security: Apple Health Is the Next Big Thing: Health, Cloud and Security. For the purpose of data extraction, it is important to note that Apple is using two different containers to synchronize Health data depending on certain unknown factors. The first container, which is used in certain configurations (for example, if the user’s Apple ID has both iOS 11 and iOS 12 devices, or the user has certain additional trackers or medical hardware) contains information stored without any sort of additional protection. Extracting Health data from this container is no different from accessing other types of synchronized information; it does not require the passcode, and the data can be obtained by using authentication tokens. Information from this container is provided by Apple when serving Law Enforcement requests and GDPR pull-out requests.

The second container is using the extra layer of AES256 encryption based on the user’s passcode to protect iCloud Messages. This container stores the majority of Health data. Accessing this container is only possible with full authentication (login, password, 2FA code and screen lock passcode from one of the trusted devices). Authentication tokens cannot be used to access information in this container. Due to secure encryption, Apple does not have access to information stored in this container and, as a result, does not deliver its content when serving Law Enforcement and GDPR requests.

In our lab, approximately 350,000 records (out of the total 2 million records) were stored in the first, unencrypted container.

Accessing Apple Health Data

We know of several different methods for obtaining Apple Health data. As usual, which method is applicable depends on what exactly the examiner has access to. For example, if an unlocked iPhone is available, one can export information from the Health app into the XML format. Alternatively, one may produce an encrypted local backup and extract Health information from the backup. Law enforcement may be able obtain information directly from Apple via a government request, while end users can initiate a GDPR pull-out.

  1. Export from Health app (XML); iPhone must be unlocked
  2. Local backup (encrypted only)
  3. File system acquisition (requires jailbreaking)
  4. GDPR request (7-day waiting period): data from unencrypted container only
  5. Government/LE request (available to certain government and law enforcement agencies only)
  6. Cloud extraction (requires login, password and one-time 2FA code; more information will be available if screen lock passcode is known)

Exporting from the Health app

If you have access to the iPhone or iPad device that you can unlock using the passcode or biometric identification, you can export Apple Health information directly from the Health app using the Share feature. The data will be exported into a ZIP file containing two XML files. At this time, we don’t know of any tools that can automatically analyze the exported data. LE requests and GDPR pull-out request will return information in a similarly confusing format that would be difficult to analyze.


Obtaining Health Data from iCloud

Health information can be obtained from the user’s iCloud account providing that one knows the user’s Apple ID and password. In addition, access to the secondary authentication factor will re required for 2FA accounts.

Steps to extract Health data from iCloud:

  1. Launch Elcomsoft Phone Breaker and select Apple > Download from iCloud > Synced Data
  2. Specify the user’s Apple ID and password.
  3. Provide one-time code to pass Two-Factor Authentication.
  4. Select data to obtain from iCloud. Make sure the “Health” box is selected.
  5. You will be prompted for the passcode. Choose one of the trusted devices from the list, and enter its screen lock passcode or system password.
  6. Health data will be downloaded.
  7. After the messages are downloaded, click Finish.

Analyzing Apple Health Data

Elcomsoft Phone Breaker downloads Health information in a format that can be analyzed using Elcomsoft Phone Viewer. EPV 3.50 or newer is required to analyze downloaded Health data.

From the Health tab, select a particular category to analyze.