Book Image

Learning iOS Security

Book Image

Learning iOS Security

Overview of this book

Table of Contents (13 chapters)


When you connect a device to a computer that runs iTunes for the first time, you are prompted to enter a password. Doing so allows you to synchronize the device to a computer. Applications that can communicate over this channel include iTunes, iPhoto, Xcode, and others.

To pair a device to a Mac, simply plug the device in (if you have a passcode, you'll need to enter that in order to pair the device.) When the device is plugged in, you'll be prompted on both the device and the computer to establish a trust. Simply tap on Trust on the iOS device, as shown in the following screenshot:

Trusting a computer

For the computer to communicate with the iOS device, you'll also need to accept the pairing on your computer (although, when you use libimobiledevice, which is the command to pair, does not require doing so, because you use the command line to accept. This command is covered in Chapter 6, Debugging and Conclusion). When prompted, click on Continue to establish the pairing, as seen in the following screenshot (the screenshot is the same in Windows):

Trusting a device

When a device is paired, a file is created in /var/db/lockdown, which is the UDID of the device with a property list (plist) extension. A property list is an Apple XML file that stores a variety of attributes. In Windows, iOS data is stored in the MobileSync folder, which you can access by navigating to \Users\(username)\AppData\Roaming\Apple Computer\MobileSync. The information in this file sets up a trust between the computers and includes the following attributes:

  • DeviceCertificate: This certificate is unique to each device.

  • EscrowBag: The keybag of EscrowBag contains class keys used to decrypt the device.

  • HostCertificate: This certificate is for the host who's paired with iOS devices (usually, the same for all files that you've paired devices with, on your computer).

  • HostID: This is a generated ID for the host.

  • HostPrivateKey: This is the private key for your Mac (should be the same in all files on a given computer).

  • RootCertificate: This is the certificate used to generate keys (should be the same in all files on a given computer).

  • RootPrivateKey: This is the private key of the computer that runs iTunes for that device.

  • SystemBUID: This refers to the ID of the computer that runs iTunes.

  • WiFiMACAddress: This is the Mac address of the Wi-Fi interface of the device that is paired to the computer. If you do not have an active Wi-Fi interface, MAC is still used while pairing.

Why does this matter? It's important to know how a device interfaces with a computer. These files can be moved between computers and contain a variety of information about a device, including private keys.

Having keys isn't all that is required for a computer to communicate with a device. When the devices are interfacing with a computer over USB, if you have a passcode enabled on the device, you will be required to enter that passcode in order to unlock the device.

Once a computer is able to communicate with a device, you need to be careful as the backups of a device, apps that get synchronized to a device, and other data that gets exchanged with a device can be exposed while at rest on devices.