Posts Tagged ‘iCloud’

Health data is among the most important bits of information about a person. Health information is just as sensitive as the person’s passwords – and might be even more sensitive. It is only natural that health information is treated accordingly. Medical facilities are strictly regulated and take every possible security measure to restrict access to your medical records.

Since several versions of iOS, your health information is also stored in Apple smartphones, Apple cloud and various other devices. In theory, this information is accessible to you only. It’s supposedly stored securely and uses strong encryption. But is that really so? What if Apple uploads this data to the cloud? Is it still secure? If not, can we extract it? Let’s try to find out.

(more…)

Heartrate, sleeping habits, workouts, steps and walking routines are just a few things that come to mind when we speak of Apple Health. Introduced in September 2014 with iOS 8, the Apple Health app is pre-installed on all iPhones. The app makes use of low-energy sensors, constantly collecting information about the user’s physical activities. With optional extra hardware (e.g. Apple Watch), Apple Health can collect significantly more information. In this article we’ll talk about the types of evidence collected by Apple Health, how they are stored and how to extract the data. (more…)

In today’s usage scenarios, messaging are not entirely about the text. Users exchange pictures and short videos, voice recordings and their current locations. These types of data are an important part of conversation histories; they can be just as valuable evidence as the text content of the chat.

Apple ecosystem offers a built-in messenger, allowing users to exchange iMessages between Apple devices. This built-in messenger is extremely popular among Apple users. Back in 2016, Apple’s Senior VP announced that more than 200,000 iMessages are sent every second.

All current versions of iOS are offering seamless iCloud synchronization for many categories of data. Starting with iOS 11.4, Apple devices can synchronize messages via iCloud. iMessages and text messages can be now stored in the user’s iCloud account and synchronized across all of the user’s devices sharing the same Apple ID. This synchronization works in a similar manner to call logs, iCloud Photo Library or iCloud contacts sync (albeit with somewhat longer delays). However, Apple will not provide neither the messages themselves nor their attachments when fulfilling LE requests or GDPR pullouts. Why is this happening, how to extract messages from iCloud accounts and what kind of evidence we can find in attachments? Read along to find out.

(more…)

iMessage is undoubtedly one of the most popular instant messaging platforms for an obvious reason: it’s built in to iOS and ships with every iPhone by default. iMessage does not require complex setup, so the number of iMessage users is closely matching the number of iPhone users. Apple sells about 200 million iPhones every year, and the total number of iPhones sold is more than a billion. Unless you absolutely must chat with someone outside of Apple’s ecosystem (like those poor Android folks), you won’t need Skype, WhatsApp or Telegram. It’s also comforting to know that iMessage works everywhere around the world while most other messengers are oppressed in one or more countries.

But what about iMessage security? Is it safe to use if you’re concerned about your privacy? Is there a reason why countries such as China, Iran or Russia block other messengers but keep iMessage going? Is it safe from hackers? What about Law Enforcement? And what about Apple itself? It must have access to your messages to target the ads, right? Is it OK to send those private snapshots or share your location via iMessage?

There is no simple answer, but we’ll do our best to shed some light on that.

(more…)

Cloud analysis is arguably the future of mobile forensics. Whether or not the device is working or physically accessible, cloud extraction often allows accessing amounts of information far exceeding those available in the device itself.

Accessing cloud evidence requires proper authentication credentials, be it the login and password or credentials cached in the form of a binary authentication token. Without authentication credentials, one cannot access the data. However, contrary to popular belief, even if proper authentication credentials are available, access to evidence stored in the cloud is not a given. In this article we’ll tell you how to access information stored in Apple iCloud with and without using forensic tools. (more…)

iOS 11.4 has finally brought a feature Apple promised almost a year ago: the iMessage sync via iCloud. This feature made its appearance in iOS 11 beta, but was stripped from the final release. It re-appeared and disappeared several times during the iOS 11 development cycle, and has finally made it into iOS 11.4. Let’s have a look at how iMessages are protected and how to download them from iCloud.

iMessages in iCloud

Even before iOS 11 Apple had Continuity (https://support.apple.com/en-us/HT204681), a convenient mechanism for accessing iMessages from multiple Apple devices registered with the same Apple ID. With Continuity, users can effectively send and receive iMessages on their Mac. Speaking of Mac computers, one could access iMessages by simply signing in to the same iCloud account in the Messages app. Without Continuity, one would only receive iMessages with no SMS; with Continuity, both iMessages and SMS messages would be delivered.

However, even with Continuity in place, iMessages were never stored in iCloud or synced with iCloud. Instead, the messages were only stored locally on enrolled devices. This led to a major problem, making it impossible for the user to keep iMessage conversations in sync between their iPhone, iPad and Mac devices. If the user deleted a message in the iPhone app, it would not be deleted on their Mac, and vice versa. Forensic experts knew about this, and made active use of this feature. Multiple cases are known where law enforcement experts were analyzing the user’s Mac in order to gain access to iMessages that were already wiped from their iPhone.

iCloud sync for iMessage introduced in iOS 11.4 takes care of this problem by changing the way iMessage sync is handled. Instead of using the flawed Continuity mechanism, iOS 11.4 now stores iMessages in iCloud. The messages are automatically synchronized across all enrolled devices on the user’s Apple ID. iCloud sync works similar to existing synchronizations such as iCloud Keychain, iCloud Photo Library or iCloud contacts. (more…)

We also trust these companies in ways that we do not understand yet. How many of you trust Apple? No voting… Just me 🙂 Damn! OK. May I ask you a very good question. Trusting to do what? Trusting when they say: “iMessages are end-to-end encrypted”? I mean, with all of that massive security engineering, to make sure it’s as good as it can be, so they genuinely believe they’ve done that. I do, generally, they’re great people. But… people believe themselves they can defend themselves against the Russians. If the Russians specifically targeted Apple, it’s only they can defend themselves.Ian Levy, director at the GCHQ on anniversary of the foundation of the FIPR event that was held on 29/04/2018).

This is probably just a co-incident, but “the Russians” are concerned about iCloud security, too.

(more…)

On February 28, 2018, Apple has officially moved its Chinese iCloud operations and encryption keys to China. The reaction to this move from the media was overwhelmingly negative. The Verge, The Guardian, Reuters, Wired, and CNN among other Western media outlets expressed their concerns about the Chinese government potentially violating the human rights of its citizens. Politics aside, we will review Apple policies governing the Chinese accounts, and look into the technical implementation of Chinese iCloud operations. Let us see if the fears are substantiated.

The Fear of China

Even if the change only affects iCloud accounts registered in mainland China, there is no lack of publications bashing apple for complying with Chinese laws. Below are just a few stories from the top of the news feed.

Journalists express their concerns regarding the potential violation of Chinese users human rights. “In the past, if Chinese authorities wanted to access [Chinese] Apple’s user data, they had to go through an international legal process and comply with U.S. laws on user rights, according to Ronald Deibert, director of the University of Toronto’s Citizen Lab, which studies the intersection of digital policy and human rights. “They will no longer have to do so if iCloud and cryptographic keys are located in China’s jurisdiction,” he told CNNMoney.” [CNN]

(more…)

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screen shot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi

(more…)

iOS 11 introduced multiple changes to its security model. Some of these changes are highly welcome, while we aren’t exactly fond of some others. In this quick reference guide, we tried to summarize all the changes introduced by iOS 11 in the security department.

Compared to iOS 10 and earlier versions of the system, iOS 11 introduced the following security changes:

–  Reset password to local backups (passcode required), which makes logical acquisition trivial

–  For 2FA accounts, reset Apple ID password and change trusted phone number with just device passcode (possible for both iOS 11 and iOS 10)

–  Health data sync with iCloud (users can disable)

+  Passcode required to establish trust relationship with a PC (Touch ID/Face ID can no longer be used to pair)

+  Quickly and discretely disable Touch ID/Face ID via S.O.S. mode

+  Automatically call emergency number (push side button 5 times in rapid succession)

+  iOS 11 strongly suggests enabling Two-Factor Authentication in multiple places

+  Two-Step Verification (2SV) is no longer available

Additionally, in macOS High Sierra, Desktop and Documents folders now sync with iCloud (user can disable).