Sideloading the Extraction Agent using a Firewall

March 23rd, 2023 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

Agent-based low-level extraction of Apple mobile devices requires sideloading an app onto the device, which is currently far from seamless. One can only run sideloaded apps if they are signed with a device-specific digital signature, which must be validated by an Apple server. Establishing a connection to the server carries a number of potential risks. In this article, we are proposing a solution that reduces the risks by using a firewall script.

Cheat sheet

Please read the instructions below carefully and follow them exactly. Always use an extra device (test device) to configure the firewall, and be sure to disable USB Sharing on the target device before continuing.

Before you begin, download and unpack the script (https://www.elcomsoft.com/download/firewall.zip). You will also need to make the script executable (chmod +x {path to script}) and remove the quarantine attribute (xattr -d com.apple.quarantine {path to script}).

Glossary

  • Target device: the device being investigated; part of the evidence base. This is the device for which the risk of data loss must be minimized.
  • Test device: an extra iPhone that will be used as a tool to configure the firewall script.

Stage 1. Prepare the target device

  1. Disable all network connections on the target device
  2. Verify that USB Sharing is disabled
  3. Connect the target device and install the agent
  4. Disconnect the target device

Stage 2. Signing the extraction agent on the target device

  1. Disable all network connections on the test device and target device
  2. Configure and enable USB Sharing
  3. Run sudo ./install_firewall.sh from the folder where the script is located
  4. Connect the test device to the computer with a USB cable
  5. Respond to the prompts on the computer until the script performs the connectivity check. All hosts except one must be blocked
  6. Confirm the successful blocking of hosts
  7. Check the expiry countdown timer for the IP address. We recommend waiting until you see a window of 200-300 seconds
  8. Disconnect the test device
  9. Connect the target device
  10. On the target device, validate the signature of the extraction agent
  11. Disconnect the target device
  12. Exit the script by entering “Q”
  13. Disable USB Sharing on the target device

What’s this all about

Elcomsoft iOS Forensic Toolkit is a powerful tool that uses advanced low-level extraction techniques to image the file system and decrypt the keychain of many iOS devices, including some of the modern ones. While the extraction agent offers numerous benefits over logical extraction, sideloading it onto the device poses certain difficulties if the Apple ID is not enrolled in the Apple developer program.

Every app sideloaded (that is, installed from a source different from the official Apple App Store) to an iPhone or iPad must be signed with a unique digital signature that is tied to a particular device. A digital signature can only be issued by Apple. (Note that installing third-party apps on Android devices also requires a digital signature, but the signature is not tied to a particular device).

When attempting to launch a newly sideloaded app on an iPhone or iPad, the user will be prompted to confirm the digital signature, which requires the device to contact Apple’s server. If the device is part of an evidence base, any internet connection carries the risk of remote blocking or remote erase.

We have long recommended a solution that involved enrolling the Apple ID used to sign the sideloaded app in the Apple Developer program. In this case, validating the digital signature does not require the device to contact the server. However, we have recently found that in certain cases the digital signature must be verified with an Apple server even if one used a developer’s Apple ID, which brings back all the potential risks we wanted to avoid in the first place. This led us to develop a solution that minimizes the risk by limiting the device’s connection only to the server required to verify the certificate.

Mitigating the risks

To reduce the risk of the iPhone being remotely tampered with, we need to restrict its online connectivity. Ideally, the iPhone should only be able to connect to a single certificate validation server, with all other communications being blocked. For this we developed a firewall script:

https://www.elcomsoft.com/download/firewall.zip

Important: make sure the phone has the correct date and time. Some deeply discharged iPhones lose their time settings and set the date back to 1970. If this happens, the digital signature cannot be validated.

Then follow these steps.

WARNING: There is no guarantee whatsoever that these instructions will work in the future. Apple may alter any part of the protocol at any time without warning. The script only blocks TCP packets. At any time, Apple developers can make changes that may break the script. Private Relay and VPN connections on the phone break the script; disable these features if enabled.

Be alert and follow the steps closely. The script must be running at all times while you are working with the target device.

⚠️ You will need an extra Apple device (test device) to set up the script.

☢️ Do not use the script without a test device! This can lead to Remote Device Lock or Wipe on the target device!

Configuration steps:

1. Configure USB Internet Sharing for the interface of the connected device (generally USB iPhone or USB iPad, depending on the device)

2. Launch the script:

sudo ./install_firewall.sh

You will be prompted to connect a test device; this is required for the new interface to appear.

Step 1. Please connect NON TARGET iPhone via USB,
 enable internet sharing via USB cable and press any key when ready

3. Connect the test device. The device must have all the network interfaces disabled (Bluetooth, WiFi, and mobile data). Once the device is connected, press any key.

After that, the script analyzes the system environment, finds the IP addresses you need (they vary every time you launch the script), generates firewall rules and reconfigures the firewall.

The output should look like this:

No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled

This means that the firewall rules were installed successfully.

4. After that, you will be asked to check that everything works on the test device. Launch Safari on it and check:

⛔️ trying to open the host www.elcomsoft.com, expected result: failure – the host is unavailable.

👌 trying to open the host ppq.apple.com, expected result: host is available, Ok.

5. If the results are as expected, confirm with a “y”.

Step 3. Please reconnect and test using  NON TARGET phone that https://ppq.apple.com returns 'ok' message, but any other site (not Google!!!) - not. Clear Safari web cache before testing!!!

Is all ok? [y/n]

6. From now on, you will see the detected IP address and how much time you have before it changes.

IP detected as 17.171.47.86/32,
IP will be valid for 59 sec.
press [Q] key to interrupt firewall

If this value is less than 30 seconds, we recommend waiting until it expires. The script will then detect another IP address, and the available time will become 300 seconds or slightly less.

7. Connect the target device and validate the digital signature. If the first attempt fails, try again.

8. Disconnect the target device and enter “Q”. The script will restore the original firewall settings and exit.

If the script was terminated with Ctrl+C, you can manually restore firewall settings by running the following command:

sudo ./uninstall_firewall.sh

⚠️ Everything is done at your own risk. We don’t know what changes Apple might bring at any given time.

9. Finally, disable USB Sharing in device settings.
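The steps above describe what install_firewall.sh does (resolve the validation host, build rules for the USB sharing interface, reconfigure pf, show a countdown) without showing the rules themselves. The following POSIX shell script is an added illustration of that shape, not Elcomsoft's script: a default-deny ruleset for the sharing interface with one exception for TCP/443 to the single resolved address, loaded into a pf anchor. It assumes the interface name bridge100, the gateway address 192.168.2.1 that the Mac assigns itself there, an anchor named com.apple/sideload-fw (the stock /etc/pf.conf evaluates anchors under com.apple/), and that the phone obtains DHCP and DNS from the Mac's own forwarder, so those two flows are passed to the gateway only. It also assumes that the countdown the script shows corresponds to the DNS TTL of the validation host; that is an inference from the sample output above, not something the article states.

```shell
#!/bin/sh
# Added example for macOS pf; NOT the install_firewall.sh from the article.
# Assumptions (adjust for your Mac):
#   IFACE   - bridge interface that Internet Sharing creates for the USB device
#   GATEWAY - address the Mac assigns itself on that interface; the phone sends
#             DHCP and DNS requests there and the Mac forwards them
#   ANCHOR  - pf anchor under "com.apple/", which the stock /etc/pf.conf
#             evaluates, so loading into it does not replace the main ruleset
IFACE="${IFACE:-bridge100}"
GATEWAY="${GATEWAY:-192.168.2.1}"
ANCHOR="${ANCHOR:-com.apple/sideload-fw}"
VALIDATION_HOST="ppq.apple.com"

# Parse one dig(1) answer line such as
#   "ppq.apple.com.  59  IN  A  17.171.47.86"
# and print "<ip> <ttl>". The TTL is how long the address can be relied on;
# the assumption here is that this is the countdown the article's script shows.
parse_a_record() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5, $2; exit }'
}

# Resolve the validation host with the live resolver (not exercised offline).
resolve_validation_host() {
    parse_a_record "$(dig +noall +answer A "$VALIDATION_HOST")"
}

# The article recommends waiting when fewer than 30 seconds remain, because
# the address may change as soon as the DNS record expires.
ttl_window_ok() {
    [ "$1" -ge 30 ]
}

# Emit the pf rules for the sharing interface. pf uses last-match semantics
# unless a rule says "quick", so the default deny comes first and the narrow
# exceptions are marked quick. Every protocol is denied, not only TCP.
gen_pf_rules() {
    iface="$1"; gw="$2"; ip="$3"
    cat <<EOF
# generated for $iface: deny everything, then allow only what validation needs
block drop on $iface all
# DHCP to the Mac, so a reconnected phone can still obtain an address
pass in quick on $iface proto udp from any port 68 to any port 67 keep state
# DNS to the Mac's forwarder only, so no other resolver is reachable
pass in quick on $iface proto udp from any to $gw port 53 keep state
# the single validation endpoint, HTTPS only
pass in quick on $iface proto tcp from any to $ip port 443 flags S/SA keep state
EOF
}

# Load the generated rules into the anchor and enable pf (needs root).
apply_rules() {
    gen_pf_rules "$IFACE" "$GATEWAY" "$1" > /tmp/sideload-fw.conf
    pfctl -a "$ANCHOR" -f /tmp/sideload-fw.conf
    pfctl -e 2>/dev/null || true   # "already enabled" is fine
}

# Flush the anchor to restore the previous behaviour (the uninstall step).
remove_rules() {
    pfctl -a "$ANCHOR" -F all
}

# Manual flow as root: resolve, check the window, load the rules.
if [ "${1:-}" = "--apply" ]; then
    set -- $(resolve_validation_host)
    ip="$1"; ttl="$2"
    if ttl_window_ok "$ttl"; then
        echo "IP detected as $ip/32, valid for $ttl sec"
        apply_rules "$ip"
    else
        echo "only $ttl sec left on $ip; wait for the record to expire and retry"
    fi
elif [ "${1:-}" = "--remove" ]; then
    remove_rules
fi
```

Run it as `sudo sh sideload_fw.sh --apply` with the test device connected and sharing enabled, and `sudo sh sideload_fw.sh --remove` afterwards. Unlike the TCP-only behaviour noted in the warning above, this ruleset denies all protocols on the interface, which is why it has to pass DHCP and DNS to the Mac explicitly; the DNS exception is narrowed to the gateway so the phone cannot reach any other resolver.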

Conclusion

Low-level extraction of Apple mobile devices requires sideloading an app, which poses certain difficulties, especially if the Apple ID is not enrolled in the Apple developer program. To validate the digital signature of a sideloaded app, the device may need to contact an Apple server, which carries potential risks. We developed a solution to reduce these risks by using a firewall script that restricts the device’s connectivity to a single certificate validation server. In this article, we provided instructions on how to use the script with an extra Apple device to configure the firewall rules and validate the digital signature of the sideloaded app. While there is no guarantee that these instructions will work in the future, this solution can minimize the risk of the device being remotely tampered with and of losing important data during investigations.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »