By Andrew Hoog | January 10, 2018
HOWTO decrypt iOS 10 backups with open source tools
This is the first installment in our series HOWTO decrypt iOS 10 backups with open source tools that explores open source tools capable of decrypting iOS 10+ backups with a step-by-step HOWTO approach.
In this post, we’ll explore a brief overview and history of iPhone data protections, challenges with as well as the forensic value of encrypted backups, the benefits of open source and what the future might bring.
Please checked out other posts in this series:
- Introduction [this post]
- HOWTO decrypt iOS 10+ backups with irestore
- HOWTO decrypt iOS 10+ backups with iphone-dataprotection
Overview and history of iOS encrypted backups
In the early releases on iOS, Apple quickly recognized that smart phones would collect and retain sensitive data in ways that traditional IT and consumer technology had never seen. With each release of iOS and the Apple devices that run it, we’ve seen a significant investment in securing the device and the data.
While the majority of those efforts are focused on the integrity of the device and the data on the device, Apple realized that iOS backups contained the highly sensitive data without the controls and protections of their hardware and software.
They built in a mechanism to encrypt the backups as they were streamed from the device. This would not only encrypt “standard” user data but provide additional protections for highly sensitive data in, for example, the iOS keychain.
The format of the backups (and encryption) has changes over time, something in minor ways and at other times drastically. There is extensive community documentation online about iOS backups. Here’s are a few helpful starting points:
- A glimpse of iOS 10 from a smartphone forensics perspective
- structure of older backup files
- iPhone Data Protection in Depth
- iPhone Forensics – Analysis of iOS 5 backups : Part1 (of 5!)
- Forensic analysis of iPhone backups
- Exploring the iPhone Backup Made by iTunes
and quite a bit more.
Forensic challenges with encrypted backups
The obvious challenge of encrypted backups is the inability to decrypt the backup. As Apple has increased the sophistication of their encryption process, this challenge has increasingly surfaces.
For example, Apple has consistently increased the number of PBKDF2 iterations they perform on the user supplied password. This is a direct effort to defeat brute-force and dictionary based attacks against the hashed password.
Forensics value of encrypted backups
While encrypted backups can be a huge obstacle for a forensic investigation (if you do not have the password), there is significant value if you are able to decrypt the backup. When an encrypted backup is performed, Apple has much higher confidence privacy of that data and includes additional data from the iOS device including:
- Saved passwords
- Wi-Fi settings
- Website history
- Health data
Benefits of open source software
This section will point out some of the specific examples of how open source software has providing tremendous benefits to the community of folks interested in decrypting iOS backups. The community includes users who want to access their backups, security and privacy researchers, forensics analysts, aspiring hackers and more.
If you are truly interested in learning more about the power of open source software, a good place to start is with reading Eric S. Raymond’s “The Cathedral and the Bazaar”.
Running an open source project is hard and time consuming. And often a thankless job. When a commercial tool is no longer maintained, the users are out of luck. However, with open source project, a new maintainer might take over. They will have the source code, the history, the community and more as their starting point. This happens over and over again in open source software and great projects like iphone-dataprotection live on today due to this model.
The very nature of open source software is that anyone can access and use the software. Certainly there can be barriers to entry (often technical) but anyone interested in leveraging the software can derive value.
Often, an amazing community will develop around an open source software (or challenge) that’s very welcoming, open to contributing and helping others.
Of course, the actual developers who build and maintain the software make an enormous contribution (e.g. Jean-Baptiste Bedrune and Jean Sigwald and their iphone-dataprotection software). From there, an entire community can spring up that include users, contributors, folks that help with documentation and more.
Implicit in the release of open source software is sharing knowledge, often through code and documentation, some something you learned and value.
While researching open source tools for this series, I came across a stackoverflow article where someone asked “How to decrypt an encrypted Apple iTunes iPhone backup?” and the top answer was incredibly thorough, including working sample code and was then even updated to support iOS 10.
It is contributions like these that make open source software so valuable to the community.
What the future might bring
It’s always interesting to reflect on the past and try to understand where things are headed. I’ll make a few predictions here:
- Apple will continue to invest heavily in security protections for the iOS platform, including updates to how they encrypt backups.
- Over time, Apple will continue to push people to leverage iCloud Backups over local iTunes backups but there are many uses cases that require a local backup so I don’t expect them to disappear anytime soon.
- Apple will ultimately enhance iCloud Backups to the point where they no longer have access to the data, thus insulating them from requests to decrypt customer data.
If you’ve made it this far and are ready to dive into HOWTOs for specific open source tools that can decrypt iOS backups, here are the links again: