Recently I found myself in a situation where it was not possible to dump Keychain Item data with Frida. Please don’t ask me why; I did not figure it out. I knew that there was a tool called keychain_dumper. The output of keychain_dumper was sufficient for the assessment, but I found it really painful to find all Keychain Items in the output that belonged to the app I was looking into (very verbose). Furthermore, the accessible attribute that was set during the creation of the Keychain Item was not printed. Therefore, I decided that it would be super handy to be able to dump only the Keychain Items that belong to a specific app and to also print the accessible attribute.
The Plan.
To reach my goal, I had to extend the tool with some features:
- Add a new command line option to run the selective mode (-s)
- List existing Entitlement Groups
- Let the user select the target Entitlement Group
- Print only the selected Entitlement Group's Keychain Items
- Also print kSecAttrAccessible* information, with some useful information
Added value:
- Add some colors to make command line output more readable
Long Story short.
First, I had to get used to the syntax of Objective-C, which was not too hard since I’m familiar with C. The next step was to analyze the Keychain database, which holds the encrypted data and other information of the Keychain Items. The original SQLite query was extended to also dump the agrp information of the tables cert and keys.
The following screenshot shows an example output of the extended tool:
Stop talking, I want this tool.
If you like it, you can download it from GitHub. Run the following commands to use it on your own iOS device.
On Mac:
git clone https://github.com/mechanico/Keychain-Dumper.git
cd Keychain-Dumper
scp keychain_dumper root@192.168.xxx.xxx:
scp entitlements.txt root@192.168.xxx.xxx:
scp setup_on_iOS.sh root@192.168.xxx.xxx:
On iOS:
chmod +x setup_on_iOS.sh
keychain_dumper -s
Kudos.
The extension is based on the keychain_dumper tool from ptoomey3. Thanks for the awesome project.
PS.
For those of you who are interested in more details on the Accessible Attributes that can be set during Keychain Item creation, I copied the following information from the official Apple Developer Information:
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
This is recommended for items that only need to be accessible while the application is in the foreground. Items with this attribute never migrate to a new device. After a backup is restored to a new device, these items are missing. No items can be stored in this class on devices without a passcode. Disabling the device passcode causes all items in this class to be deleted.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
This is recommended for items that need to be accessible only while the application is in the foreground. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
After the first unlock, the data remains accessible until the next restart. This is recommended for items that need to be accessed by background applications. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
kSecAttrAccessibleWhenUnlocked
This is recommended for items that need to be accessible only while the application is in the foreground. Items with this attribute migrate to a new device when using encrypted backups.
This is the default value for keychain items added without explicitly setting an accessibility constant.
kSecAttrAccessibleAfterFirstUnlock
After the first unlock, the data remains accessible until the next restart. This is recommended for items that need to be accessed by background applications. Items with this attribute migrate to a new device when using encrypted backups.
kSecAttrAccessibleAlwaysThisDeviceOnly
This is not recommended for application use. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
kSecAttrAccessibleAlways
This is not recommended for application use. Items with this attribute migrate to a new device when using encrypted backups.
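The selective mode and the accessibility classes above can be reproduced as an added Python example (not code from keychain_dumper or from this post) that runs against a constructed in-memory SQLite database: it lists the access groups across genp, inet, cert and keys, then reports each item's accessibility class for one group. The pdmn column with its value mapping, the reduced two-column schema and the sample group names are assumptions.

```python
import sqlite3

# Assumed mapping of the database's protection-class column (pdmn) to the
# kSecAttrAccessible* constants; this mapping is not taken from the post.
PDMN = {
    "ak": "kSecAttrAccessibleWhenUnlocked",
    "ck": "kSecAttrAccessibleAfterFirstUnlock",
    "dk": "kSecAttrAccessibleAlways",
    "aku": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    "cku": "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    "dku": "kSecAttrAccessibleAlwaysThisDeviceOnly",
    "akpu": "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
}
TABLES = ("genp", "inet", "cert", "keys")  # fixed names, never user input


def build_sample_db():
    """Constructed in-memory stand-in holding only the two columns used here."""
    db = sqlite3.connect(":memory:")
    for table in TABLES:
        db.execute(f"CREATE TABLE {table} (agrp TEXT, pdmn TEXT)")
    app = "ABCDE12345.com.example.app"  # constructed sample access group
    db.executemany("INSERT INTO genp VALUES (?, ?)",
                   [(app, "ak"), (app, "dk"), ("apple", "ck")])
    db.execute("INSERT INTO keys VALUES (?, ?)", (app, "akpu"))
    db.execute("INSERT INTO cert VALUES (?, ?)", ("com.apple.cfnetwork", "dku"))
    return db


def list_groups(db):
    """Distinct access groups across all four item tables (UNION dedups)."""
    query = " UNION ".join(f"SELECT agrp FROM {t}" for t in TABLES)
    return sorted(row[0] for row in db.execute(query))


def audit_group(db, group):
    """Return (table, accessibility, migrates_via_backup, not_recommended)."""
    findings = []
    for table in TABLES:
        rows = db.execute(
            f"SELECT pdmn FROM {table} WHERE agrp = ? ORDER BY rowid", (group,))
        for (pdmn,) in rows:
            known = pdmn in PDMN  # unknown or NULL classes get both flags False
            findings.append((table, PDMN.get(pdmn, "unknown"),
                             known and not pdmn.endswith("u"),  # not ThisDeviceOnly
                             pdmn in ("dk", "dku")))            # the Always classes
    return findings
```

The last two fields follow the descriptions above: classes without ThisDeviceOnly migrate with encrypted backups, and the two Always classes are the ones marked as not recommended for application use.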