In our recent article iPhone Acquisition Without a Jailbreak I mentioned that agent-based extraction requires the use of an Apple ID that has been registered in Apple’s Developer Program. Participation is not free and comes with a number of limitations. Why do you need to become a “developer”, what are the limitations, and is there a workaround? Read along to find out.
Sideloading IPA Packages onto iOS Devices
Elcomsoft iOS Forensic Toolkit now supports agent-based extraction without a jailbreak, and this brings a new requirement. Agent-based extraction is a newer, forensically sound alternative to traditional acquisition methods that require a jailbreak. Based on direct access to the file system, agent-based extraction does not require jailbreaking the device. Using agent-based extraction, you can image the full file system and decrypt the keychain without the risks and footprint associated with third-party jailbreaks.
The new acquisition method utilizes an extraction agent, which in turn is an app we’ve developed for the iOS platform. Once installed, the agent will talk to your computer, delivering significantly better speed and reliability compared to jailbreak-based extraction. In addition, agent-based extraction is safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering performance that is as close to forensically sound extraction as at all possible (only a few log entries are left behind after the agent is removed).
Interestingly, most jailbreaks (with the exception of checkra1n, which uses a bootrom exploit) also require a developer account in order to be installed. Before you begin using agent-based extraction (or install a jailbreak), you must have your Apple ID enrolled in Apple’s Developer Program. This is required in order to sideload the agent onto the iOS device being acquired. You can enroll at developer.apple.com/programs/enroll/; the process is fast and easy if you do it as a private person.
Why this requirement? Before I go into technical details, let me briefly explain what happens when you command iOS Forensic Toolkit to install an agent.
The extraction agent is deployed on iOS devices in the form of an IPA package. An IPA (iOS App Store Package) file is an iOS application archive file which stores an iOS app. Technically speaking, an IPA file is a ZIP archive that contains a binary for the ARM architecture that can be installed on an iOS device.
Each IPA file must be signed before you can install it onto an iOS device. While any Android phone can install any APK signed with a valid certificate, Apple makes sideloading apps significantly more difficult. An IPA package can be signed in one of the following ways.
Signed with a regular Apple ID
The digital signature is tied to each iOS device. An IPA signed with a certain Apple ID for a certain device can only be installed on that particular device; it cannot be distributed. If an IPA package was signed with a regular Apple ID, iOS will need to validate the digital signature by connecting to an Apple server, which means that the device you’re pushing the app to must go online in order to install the IPA. For the purposes of mobile forensics, we don’t want the device to go online, in order to mitigate the risks of receiving a remote lock, remote erase or Find My command, as well as syncing the device with iCloud (many third-party applications may also sync, of course, as does the system itself).
Signed with an Enterprise account
Apple enables companies to distribute in-house apps to their employees, bypassing Apple’s checks for compliance with App Store policies. These apps can be signed with a so-called enterprise certificate. Enterprise certificates must also be validated by the iOS device; the device must go online and connect to Apple servers in order to validate the certificate. These certificates are meant to be used by each company to distribute apps among its own employees. If a company attempts to use its enterprise certificate to sign apps and distribute them globally, Apple revokes the certificate. However, unless revoked, enterprise certificates do not limit the number of devices that can install a signed IPA package. For this reason, leaked enterprise certificates are frequently used by third-party app stores and Web stores such as ignition.fun to sideload IPA packages.
Signed with a Developer account
Developer accounts are unique in that verification occurs on Apple servers and not on the iOS device. In order to use a developer certificate to sign an IPA package, developers must first register the iOS device (iPhone, iPad etc.) in their Apple Developer Account by adding it to the Developer Profile. Once this is done, one can sign the IPA package with their developer certificate and sideload the IPA onto the iOS device. Importantly, the iOS device will not need to go online in order to validate the certificate, as its UDID is already provisioned. For this reason, developer certificates are (and have always been) the most forensically sound method of pushing jailbreaks (and now the extraction agent) onto iOS devices.
What Has Changed
For years, Cydia Impactor and similar tools have been able to sideload packages onto iOS devices using disposable Apple IDs. Apple imposed several limitations to discourage users from treating sideloading as a replacement for Apple’s own App Store. Sideloaded apps signed with a non-developer Apple ID would expire after a mere 7 days, requiring the user to re-sign and re-sideload the app. Since iOS 10, one could not have more than 3 sideloaded apps on the device, and you couldn’t use the same Apple ID to sideload more than 10 apps per week. There were other limitations in place as well, but at the very least users could temporarily install apps that were not approved by Apple.
Something changed in November 2019.
About two weeks ago, Apple made a change to their provisioning service to require a different authentication scheme for “free” Apple accounts (they return an error that mentions upgrading to “Xcode 7.3”); this broke Cydia Impactor for users without a paid Apple Developer account.
Elcomsoft iOS Forensic Toolkit uses a similar IPA sideloading mechanism, meaning that, for the time being, the users are forced to use a paid Apple Developer account to sideload the extraction agent IPA.
We are currently working on a solution allowing our users to sideload the extraction agent using disposable (free) Apple accounts for Mac users. Windows users will likely have to wait longer.
Developer Account Limitations
Apple would not be Apple if it didn’t have some roadblocks in place.
The first roadblock has to do with two-factor authentication. An Apple ID enrolled in Apple’s Developer Program must have two-factor authentication enabled. Elcomsoft iOS Forensic Toolkit requires a login and password. As a result, you’ll have to take an extra step in setting up an Application-specific password in your Apple account. You’ll have to use that app-specific password instead of your regular Apple ID password when installing the extraction agent in iOS Forensic Toolkit.
The second limitation is about the number of devices that can be enrolled. As an Apple developer, you can only add up to 100 devices of each kind (e.g. 100 iPhones, 100 iPads etc.) per year. The number of available registration slots will only reset once a year even if you delete the device afterwards.
It is also worth noting that once you add a new device to your Developer Profile, the provisioning profile that is used to sign the extraction agent will list all previously registered device IDs (UDIDs) unless you manually remove them from the Developer Profile prior to extraction (which, again, won’t reset the limit). The good news is that you won’t have to manually add the device to the developer profile if you use Elcomsoft iOS Forensic Toolkit; all you need to do is command it to install an agent, then type in your developer Apple ID and the application-specific password we’ve talked about earlier.
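To see what a provisioning profile actually carries (the signing types described above, and the list of previously registered UDIDs mentioned here), the following added example (not Elcomsoft’s code, and not part of iOS Forensic Toolkit) reads the XML plist embedded in a .mobileprovision file, tells a developer profile (explicit ProvisionedDevices list) from an enterprise one (ProvisionsAllDevices), and checks whether a given UDID is listed. The sample profile bytes and UDIDs are constructed for the example; the plist-slicing shortcut does not verify the CMS signature.

```python
import datetime
import plistlib

# Constructed sample: a developer-style profile listing two device UDIDs,
# wrapped in dummy bytes standing in for the CMS (PKCS#7) envelope.
_PLIST = plistlib.dumps({
    "Name": "Example Agent Profile",
    "TeamName": "Example Team (constructed)",
    "ProvisionedDevices": [
        "00000000-000000000000AAAA",  # constructed UDID
        "00000000-000000000000BBBB",  # constructed UDID
    ],
    "ExpirationDate": datetime.datetime(2020, 12, 1, 0, 0, 0),
})
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + _PLIST + b"\x00" * 16


def extract_profile_plist(raw: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision blob.

    The profile is a CMS-signed message whose payload is an XML plist.
    Slicing out the <?xml ... </plist> span is a common shortcut; it does
    not check the signature, so the file's origin must be trusted separately.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def summarize_profile(raw: bytes, now_iso: str = "") -> dict:
    """Classify the profile and list every UDID it provisions."""
    p = extract_profile_plist(raw)
    now = datetime.datetime.fromisoformat(now_iso) if now_iso else datetime.datetime.now()
    devices = list(p.get("ProvisionedDevices", []))
    # Enterprise profiles carry no device list; developer profiles enumerate UDIDs.
    kind = "enterprise" if p.get("ProvisionsAllDevices") else ("developer" if devices else "unknown")
    exp = p.get("ExpirationDate")
    return {"kind": kind, "devices": devices, "device_count": len(devices),
            "expired": bool(exp is not None and exp <= now), "team": p.get("TeamName")}


def device_is_provisioned(raw: bytes, udid: str) -> bool:
    """True if the profile covers this UDID (enterprise profiles cover all devices,
    but as the article notes they still need Apple's servers to validate)."""
    p = extract_profile_plist(raw)
    if p.get("ProvisionsAllDevices"):
        return True
    return udid.upper() in {d.upper() for d in p.get("ProvisionedDevices", [])}
```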
Enrolling your Apple ID into the Developer Program can be especially tricky for corporate developers. For this reason, we recommend registering as a private person for $99 a year.
There are multiple apps and services positioning themselves as “App Store alternatives”. AltServer, AppStore.io, AppEven, ignition.fun, Tutuapp, Pandahelper, App Valley, Desde tu iPhone, Tweakbox and numerous other “alternative app stores” utilize a mix of paid and stolen developer accounts and leaked enterprise certificates to sign and sideload apps onto the iPhone. Some of these stores are known to heavily modify the content of the devices they sideload apps to, so none of them can be recommended for the purpose of mobile forensics.
A Word On checkra1n & checkm8
This is slightly outside the scope of this article, but you may ask why you even need this acquisition method when there are such things as the checkm8 exploit and the checkra1n jailbreak, which, unlike most other jailbreaks, do not require a developer account to install.
First, the compatibility. We have about fifty test devices (iPhones and iPads) in our lab, and most of them are checkm8-compatible, at least theoretically. If checkra1n installs, then we can make full file system acquisition and keychain extraction without an agent, minor issues with iOS 13 aside (iOS Device Acquisition with checkra1n Jailbreak). This jailbreak makes it possible to perform a limited BFU (“before first unlock”) extraction for devices with an unknown passcode, even if they are disabled or locked. But checkra1n is only compatible with iOS 12.3 and up. And of course, the hardware support is limited to the iPhone 5s through 8/8 Plus/iPhone X, so forget about iPhone Xr, Xs and 11 extraction.
Second, the reliability and speed. Not just checkra1n itself, but even some implementations of checkm8-based extraction leave much to be desired. checkra1n fails to install on many devices for no obvious reason. In our experience, as many as 30% of devices may be problematic. The situation is even worse for direct implementations of checkm8-based extraction. Just one example; I will not name the vendor for ethical reasons:
We are currently doing our office’s first Checkm8 extraction on an iPhone 8 plus 64GB w/13.3. It’s been running two days now and the estimated time to completion keeps going up, from 8 days yesterday to now 15 days today. At first things looked pretty normal but the estimated time just keeps going up. Any ideas on what could be the problem? Another odd thing is it says 8GB of 88 GB extracted, which of course makes no sense being a 64GB device.
And one of the responses:
I also encountered a lot of iPhone devices that extracted “full file system” with no success, lasting for weeks.
Finally, the “forensically sound” issue. There is no agreement among forensic vendors about the meaning of this term. Moreover, speaking of iPhone extraction, it is not possible to prove that the device content has not been modified during the extraction, regardless of the method you use (whether it’s good old logical acquisition, checkm8 or agent-based extraction). All extraction methods leave some traces, making some changes to the device data.
Is the agent-based solution we have implemented a silver bullet? Of course not. It also has limited compatibility with device models and iOS versions (we are working hard on that; an Elcomsoft iOS Forensic Toolkit update is coming with support for iOS 13.0-13.3 on all devices), and it also has some reliability issues. The acquisition speed is always higher; we’ve been able to get up to 40 MB/s. There are many hardware/iOS combinations that only the agent works for. You just need the Developer Account, that’s it.
The $99 a year for a Developer Account is a great, cost-efficient investment because it’s the only type of account that offers safe, forensic-friendly extraction. Developer accounts are the only type of account whose provisioning profiles do not require the device being acquired to connect to Apple servers. The entire sideloading and extraction process can be performed safely while the device is in Airplane mode.