Saturday, November 12, 2016

iOS Forensics Trace Leakage

Jonathan Zdziarski:

Apple has worked very hard to reduce the iPhone’s attack surface, but they haven’t yet fully addressed the underlying motivations of an attacker (specifically, the device’s forensic value), and that’s left the iPhone a very high value target. This is the oldest, and hardest challenge in the book: making sure that deleted data actually gets deleted. Conversations are ephemeral, but the traces of these conversations are not; this directly impacts how and why search warrants are executed and why mobile devices are targeted by attackers. If the user of the device believes their conversation to be deleted, it’s breaking their trust by keeping forensic traces of those conversations, and ultimately the device’s design can lead to a betrayal of the user’s privacy if data is stolen or a forensic image is made. Ephemeral conversations (or other exchanges) should also mean ephemeral data.

1 Comment RSS · Twitter


Thomas Tempelmann

Having written forensics software to recover deleted text messages from iPhones, I always wondered why Apple didn't simply use SQLite's automatic erase option ("PRAGMA secure_delete=true") so that any deleted record gets overwritten with zeros. I don't see why that would be any worse than making any other modification to the database, such as adding a new entry of a received text message. At worst, it doubles the amount of writes to the flash memory for every added text message. That's not so bad. Jonathan's suggestion with the keys is a bit more sophisticated but I don't think that an iPhone's flash memory is so easily worn out that the "secure_delete" option is having a noticable effect on its lifetime. I mean, whose iPhone has ever stopped working because its flash memory has worn out? And that little extra writing can't make it all much worse, suddenly.

I believe that Apple has a different reason: It wants to enable forensics to look into the message history. It's a big market, and so far no one has made a big problem out of it.

Leave a Comment