More on Apple Developer Accounts

May 31st, 2024 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

Apple accounts are used in mobile forensics for sideloading third-party apps such as our own low-level extraction agent. Enrolling an Apple ID into Apple Developer Program has tangible benefits for experts, but are they worth the investment? Some years back, it was a reassuring “yes”. Today, it’s not as simple. Let’s delve into the benefits and limitations of Apple Developer accounts in the context of mobile forensics.

Why do we need an Apple ID?

Four years back, we published a comprehensive article, Why Mobile Forensic Specialists Need a Developer Account with Apple. While some details in that article have since changed (more on that later), it still provides a good introduction to why forensic experts require an Apple ID for file system extraction.

On modern devices, low-level extraction means utilizing a chain of kernel exploits to obtain high-level privileges, escape the sandbox, and access the file system. For that purpose, we developed a special app, the low-level extraction agent.

The extraction agent is deployed on iOS devices in the form of a file with the .ipa extension. An IPA (iOS App Store Package) file is an iOS application archive containing the app. Technically speaking, it’s a simple ZIP archive that contains a binary for the ARM architecture that can be installed on an iOS device.

Each IPA file must be signed before you can install it onto an iOS device. For the installed package to be launched on the device, iOS requires digital signature verification. Unlike most other platforms, iOS not only verifies the application developer but also identifies the device(s) on which the application can be installed. An Apple ID account is used to sign the package.
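Because an IPA is a ZIP archive and iOS ties the package to specific devices, an examiner can look inside the package before pushing it to a phone and confirm that the embedded provisioning profile actually lists the target device and has not expired. The script below is an added example and not Elcomsoft code: it builds a minimal IPA in memory (constructed layout, hypothetical team ID, bundle ID and UDID) and then inspects it. Real profiles are CMS-signed blobs wrapping an XML plist; the inspector locates the plist inside the envelope but does not verify the CMS signature or the Mach-O binary.

```python
"""Inspect an IPA before sideloading: does the embedded provisioning
profile cover the target device UDID, and is it still valid?

Added example, not Elcomsoft code. The package built here is constructed
in memory for illustration only.
"""
import io
import plistlib
import zipfile
from datetime import datetime, timedelta

# Hypothetical values used to build the sample package.
TEAM_ID = "ABCDE12345"
BUNDLE_ID = "com.example.extraction-agent"
DEVICE_UDID = "00008030-000000000000002E"  # constructed, not a real device
FIXED_NOW = datetime(2024, 5, 31)          # fixed clock for reproducible checks


def build_sample_ipa(udids, expires):
    """Return IPA bytes with the minimal layout iOS expects:
    Payload/<App>.app/Info.plist plus embedded.mobileprovision."""
    info = {"CFBundleIdentifier": BUNDLE_ID, "CFBundleExecutable": "Agent"}
    profile = {
        "Name": "agent-adhoc",
        "TeamIdentifier": [TEAM_ID],
        "ProvisionedDevices": list(udids),
        "ExpirationDate": expires,
        "Entitlements": {"application-identifier": f"{TEAM_ID}.{BUNDLE_ID}"},
    }
    # A real profile is a CMS (PKCS#7) blob wrapping the XML plist; the
    # opaque bytes around it here stand in for that signature envelope.
    profile_blob = b"\x30\x82CMS-ENVELOPE" + plistlib.dumps(profile) + b"\x00SIG"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Agent.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Agent.app/embedded.mobileprovision", profile_blob)
        z.writestr("Payload/Agent.app/Agent", b"\xcf\xfa\xed\xfe")  # Mach-O magic only
    return buf.getvalue()


def extract_profile_plist(blob):
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def inspect_ipa(ipa_bytes, udid, now):
    """Answer the questions an examiner wants settled before sideloading."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        app_dirs = {n.split("/")[1] for n in z.namelist()
                    if n.startswith("Payload/") and n.count("/") >= 2
                    and n.split("/")[1].endswith(".app")}
        if len(app_dirs) != 1:
            raise ValueError(f"expected exactly one .app bundle, found {sorted(app_dirs)}")
        app = app_dirs.pop()
        info = plistlib.loads(z.read(f"Payload/{app}/Info.plist"))
        profile = extract_profile_plist(z.read(f"Payload/{app}/embedded.mobileprovision"))
    bundle_id = info["CFBundleIdentifier"]
    team_id = profile["TeamIdentifier"][0]
    app_identifier = profile.get("Entitlements", {}).get("application-identifier", "")
    devices = profile.get("ProvisionedDevices", [])
    return {
        "bundle_id": bundle_id,
        "team_id": team_id,
        "device_provisioned": udid in devices,      # UDID registered for this build?
        "profile_expired": now >= profile["ExpirationDate"],
        "identifier_matches": app_identifier == f"{team_id}.{bundle_id}",
        "device_count": len(devices),               # counts against the 100-device quota
    }


if __name__ == "__main__":
    ipa = build_sample_ipa([DEVICE_UDID], FIXED_NOW + timedelta(days=30))
    print(inspect_ipa(ipa, DEVICE_UDID, FIXED_NOW))
    print(inspect_ipa(ipa, "00008030-0000000000000FFF", FIXED_NOW))
```

A result with `device_provisioned` false means the UDID was never registered with the developer program for this build, and iOS will refuse the install no matter how the package was signed; `profile_expired` catches the case where a profile from last year's membership is reused after the annual reset.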

Apple ID accounts come in several flavors: standard, enterprise, and developer accounts, which in turn can be either personal or in the name of an organization. Primarily, we are interested in developer accounts, and then in standard accounts; enterprise accounts are less relevant as they do not offer significant advantages in the context of mobile forensics compared to standard accounts.

About Apple Developer accounts

In layman’s terms, an “Apple Developer account” is just a standard Apple ID enrolled into Apple’s developer program. Participation costs $99 a year for individuals, more for organizations.

Developer account benefits

When it comes to mobile forensics, developer accounts have a major benefit over standard Apple IDs: they enable the sideloading of third-party apps while waiving the requirement to validate the signing certificate. This in turn means that using a legacy (see below) developer’s Apple ID allows sideloading, launching, and using the extraction agent completely offline, without a working Internet connection. When using a developer account, the device UDID is sent to Apple and registered with the developer program (and is counted against the 100-device quota). Then a device-specific certificate is created, which iOS Forensic Toolkit uses to sign the IPA and sideload it onto the device. This certificate is unique to the particular device, and no further verification is required. Please note that this applies to legacy accounts only; there is a slightly different procedure for new Apple IDs (see below).

The biggest drawback of developer accounts is that you have to enroll into the program, which is a bit of a hassle and requires the annual fee of $99.

The other drawback is major, but only applies to accounts enrolled after June 6, 2021. For these accounts, iOS will validate the signing certificate the first time you launch the extraction agent, which requires online connectivity. If you are using a Mac and just considering becoming an Apple Developer, please note that enrolling today will not allow fully offline sideloading.

Yet, offline sideloading is not the only benefit of developer accounts. An Apple Developer account is required to sideload apps if you are using iOS Forensic Toolkit on a Windows or Linux PC. Mac users may continue using standard, non-developer Apple IDs for this purpose.

Legacy developer accounts: before June 6, 2021

If you became a Developer before June 6, 2021, you are in luck: you can sideload, launch, and use apps such as the extraction agent completely offline.

Recently enrolled Apple IDs

If you have enrolled your Apple ID after June 6, 2021, you will be subject to Apple’s new rules, which require online verification on the first launch of the extraction agent. This poses security risks that can be mitigated with a software or hardware firewall. Apple explains the difference:

New Apple Developer Program memberships created after June 6, 2021, require development- and ad-hoc-signed apps for iOS, iPadOS, and tvOS to check in with the PPQ service when the app is first launched. Your device must be connected to the internet to verify the certificate used to sign your app. If you’re behind a firewall, make sure that it’s configured to allow connections to https://ppq.apple.com. If the device can’t successfully make a connection, the app may not launch. If your app is running in a highly restrictive network environment or you need to temporarily build offline, alternative workflows are available.
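The practical consequence of the PPQ check-in is that the device must be let out to ppq.apple.com on port 443 and nothing else during the first launch, and the examiner should be able to prove afterwards that this is exactly what happened. The script below is an added example, not Elcomsoft code, showing that audit run over a constructed firewall connection log (the log format, the device address and every hostname other than ppq.apple.com are made up for the example; adapt the regular expression to your firewall's own export). It reports two failure modes: connections the firewall let through that are outside the policy, and the case where the mandatory check-in never happened, which is the case where the agent would refuse to launch.

```python
"""Audit the first-launch window of an agent signed with a recently
enrolled developer account: only the PPQ check-in should get out.

Added example, not Elcomsoft code. Log lines below are constructed.
"""
import re

# Policy for the first-launch window: Apple's documented PPQ endpoint only.
PPQ = ("ppq.apple.com", 443)
ALLOWED = {PPQ}
DEVICE_IP = "192.168.50.20"  # constructed address of the device under examination

# Constructed sample log; one outbound connection attempt per line.
# Documentation address ranges are used for the destinations.
SAMPLE_LOG = """\
2024-05-31T10:02:11Z src=192.168.50.20 dst=203.0.113.10 host=ppq.apple.com port=443 action=allow
2024-05-31T10:02:12Z src=192.168.50.20 dst=203.0.113.20 host=push.example.net port=443 action=block
2024-05-31T10:02:13Z src=192.168.50.20 dst=198.51.100.30 host=sync.example.net port=443 action=allow
2024-05-31T10:02:14Z src=192.168.50.9 dst=198.51.100.40 host=example.org port=80 action=allow
2024-05-31T10:02:15Z src=192.168.50.20 dst=203.0.113.10 host=PPQ.APPLE.COM port=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) "
    r"port=(?P<port>\d+) action=(?P<action>allow|block)$"
)


def parse_log(text):
    """Turn the constructed log format into a list of dicts; hostnames are
    lower-cased so a differently cased SNI does not slip past the policy."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["host"] = rec["host"].lower()
        records.append(rec)
    return records


def audit_first_launch(records, device_ip, allowed=ALLOWED):
    """Return findings for one device: connections the firewall allowed
    but the policy does not ('leaked'), attempts it blocked (for the
    record), and whether the mandatory PPQ check-in went through."""
    leaked, blocked = [], []
    checkin_seen = False
    for rec in records:
        if rec["src"] != device_ip:      # other hosts on the segment are out of scope
            continue
        key = (rec["host"], rec["port"])
        if rec["action"] != "allow":
            blocked.append(key)
        elif key == PPQ:
            checkin_seen = True
        elif key not in allowed:
            leaked.append(key)
    return {
        "checkin_seen": checkin_seen,
        "leaked": leaked,
        "blocked": blocked,
        "policy_ok": checkin_seen and not leaked,
    }


if __name__ == "__main__":
    findings = audit_first_launch(parse_log(SAMPLE_LOG), DEVICE_IP)
    for k, v in findings.items():
        print(f"{k}: {v}")
```

In the constructed sample the firewall blocked one attempt correctly but let sync.example.net through, so `policy_ok` is false even though the check-in itself succeeded; that is the outcome a too-permissive rule set produces, and the `leaked` list is what to tighten before the next first launch.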

Applying as an individual or as an organization

Apple allows enrolling as an individual or as an organization. Personal memberships are faster and easier to get, while organizations will need additional paperwork (and a DUNS number). The annual fee is the same, as well as the limit of 100 devices of each kind per year.

Standard Apple IDs

Standard Apple IDs are free of charge, but you can only use them to sideload apps from a macOS computer. If you are using a Windows or Linux PC, you will need a developer account to sideload the extraction agent. In addition, you will be required to validate the agent’s digital signature online if you use a regular Apple ID to sideload the app (a firewall is a must in this case).

Understanding the limitations

As a forensic specialist, it’s important to be aware of the limitations and rules that come with standard and developer accounts.

Device registration limits

For developer accounts, Apple imposes a limit of 100 devices of each type (iPhone, iPad, Apple TV, etc.) per year. Once a device is registered, it cannot be removed from your list until the annual reset when you renew your developer program membership. Additionally, after registering the first 10 devices, you might experience delays of up to three days for subsequent device registrations.

For standard accounts, this limit is 3 devices per week.

Best practices for developer accounts

We recommend using your developer account with a trusted Mac that already has the account configured. This will simplify sideloading while making it more robust, and allow you to skip the two-factor authentication notification.

Standard account restrictions

Standard Apple accounts have stricter limits and constraints. You can only use up to 3 devices per week, and you can only use Macs for sideloading the extraction agent. Sideloading from Windows or Linux is not supported.

Digital signature verification

Online verification of a digital signing certificate is mandatory for all standard Apple IDs. While this is not required for legacy developer accounts, for newly enrolled developer accounts you will still have to allow the device to connect to an Apple server when running the extraction agent for the first time. Using a firewall is strongly recommended to secure this process.

Trusted device requirement

For all types of accounts, having a trusted device is strongly recommended. While you can initially use text messages for authentication, Apple may eventually require you to authenticate through a trusted device exclusively.

Conclusion

Do you need a developer account? If you don’t already have one, note that the primary advantage of Apple developer accounts in the context of mobile forensics is the ability to sideload the extraction agent from Windows and Linux computers. With freshly enrolled developer accounts you will still need to protect your device with a firewall during the agent’s initial launch as iOS will enforce digital signature verification.

On the other hand, if you already have a developer account enrolled before June 6, 2021, it’s best to continue using it. Such accounts offer the advantage of fully offline sideloading, meaning that you won’t have to use firewalls when installing the extraction agent.

If you are a macOS user, there are no significant benefits to enrolling into Apple’s Developer Program today. You can still sign the extraction agent with a standard account, and there will be no difference in the requirement to allow the device to go online.
