New: Keychain Editor

For a while now, idb has been able to dump the keychain of a jailbroken iDevice. So far, idb has been using the keychain_dump utility, which is part of the iphone-dataprotection forensics tools, to accomplish this. However, this tool has some major limitations: it does not support the new data protection classes introduced in recent iOS versions, lacks support for Keychain ACLs, and is a pure ‘dump’ utility without editing capabilities.

To address these shortcomings, Nitin Jami, a coworker of mine at Intrepidus Group (part of the NCC Group along with Matasano and iSEC Partners), implemented a full-featured keychain editor. To our knowledge, this is the first public tool which provides a convenient way for modifying the iOS keychain. The keychain editor provides a simple command line interface to interact with the iOS keychain and is ideal for scripting or when using automated tools. For more manual interaction and exploration, the tool has been integrated into the most recent version of idb for convenient access. Read on for all of the new features and screenshots.

To update to the newest version, 1.8, simply run:

gem update idb

Supported Features

  • Dumping of the entire keychain including the following data:
    • Entitlement Groups
    • Account
    • Service
    • Protection class
    • User Presence
    • Creation and modification date
  • Support for “user presence” where a user has to use TouchID or enter their passcode to unlock a keychain item.
  • Dump each entry as
    • String
    • Hex
    • Parsed as plist when appropriate
  • Editing entries (binary and string-based)
  • Deleting keychain entries

This is the first release of these features and there are likely bugs. Please report any issues using the Github Issue Tracker for idb.

The New Features in Detail

[Screenshot: Keychain tab overview]

Above is an overview screenshot of the new keychain tab and below is an excerpt from the updated documentation explaining the new features.

Dump the Keychain

Dumping the keychain works by simply clicking the “Dump Keychain” button in idb. The returned data includes Entitlement Groups, Account, Service, Protection class, User Presence requirement, and creation and modification date. User presence is a new iOS feature that requires the user to authenticate, either via TouchID or by entering their passcode, before a keychain item can be accessed. Note that there is no known way of bypassing this check, since the data is in fact encrypted under the passcode and this processing happens in hardware in the Secure Enclave.

[Screenshot: dump of the keychain]

View Keychain Entries

When selecting an entry in the table shown above, the data can be viewed as text, hexdump, or parsed as XML in the case of binary plist data.

Text View

[Screenshot: text view of a keychain entry]

Hexdump View

[Screenshot: hexdump view of a keychain entry]

Parsed Binary Plist View

A decent number of applications store binary plist data inside the keychain, and it can be rather painful to read in its string representation. This screen attempts to detect whether a keychain item consists of a binary plist, converts it to a regular (XML) plist, and displays the result.

[Screenshot: parsed binary plist view of a keychain entry]

Deletion

Deleting a keychain item is as simple as it sounds: select the entry and click the “Delete” button.

[Screenshot: Delete keychain item]

Editing

For editing keychain items, idb goes with a simple yet flexible approach. After selecting a keychain item, one can display its content either as plain text or as Base64-encoded data. The plain text version allows quick editing of text-based keychain entries, while the Base64 version can be used to edit binary data. Implementing a proper binary/hex editor inside idb did not seem like a reasonable effort; instead, by providing the data in Base64 format, any external editor can be used to modify it. After editing, simply paste the new Base64 data into idb and hit save.
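The view logic from the “Parsed Binary Plist View” section (detect the bplist magic, convert to XML, otherwise fall back to text or a hexdump) and the Base64 export/import round trip used for editing, as an added Python example that is not idb's own code; the sample item values are constructed here and the function names are my own:

```python
import base64
import plistlib
from typing import Tuple

# Constructed sample keychain item values (not taken from a real device).
SAMPLE_TEXT = b"s3cr3t-api-token"
SAMPLE_BPLIST = plistlib.dumps({"user": "alice", "ttl": 3600}, fmt=plistlib.FMT_BINARY)
SAMPLE_BINARY = bytes(range(0, 24))


def is_binary_plist(data: bytes) -> bool:
    """Binary plists start with the 'bplist' magic followed by a version, e.g. 'bplist00'."""
    return data[:6] == b"bplist"


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asciipart}|")
    return "\n".join(lines)


def render_item(data: bytes) -> Tuple[str, str]:
    """Return (view, text): 'plist' as XML when the magic matches and parsing succeeds,
    'text' when the bytes are printable UTF-8, otherwise 'hex'."""
    if is_binary_plist(data):
        try:
            obj = plistlib.loads(data, fmt=plistlib.FMT_BINARY)
            return "plist", plistlib.dumps(obj, fmt=plistlib.FMT_XML).decode()
        except plistlib.InvalidFileException:
            pass  # magic matched but the body is corrupt; fall through to the raw views
    try:
        text = data.decode("utf-8")
        if text.isprintable():
            return "text", text
    except UnicodeDecodeError:
        pass
    return "hex", hexdump(data)


def export_for_edit(data: bytes) -> str:
    """Base64 form handed to an external editor for binary items."""
    return base64.b64encode(data).decode("ascii")


def import_edited(b64: str) -> bytes:
    """Strict decode of the pasted Base64, so a stray character is rejected, not silently dropped."""
    return base64.b64decode(b64, validate=True)
```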

[Screenshots: Edit keychain item (plain text and Base64 views)]
