views:

13735

answers:

7

I've been asked by a number of unfortunate iPhone users to help them restore data from their iTunes backups. This is easy when they are unencrypted, but not when they are encrypted, whether or not the password is known.

As such, I'm trying to figure out the encryption scheme used on mddata and mdinfo files when encrypted. I have no problems reading these files otherwise, and have built some robust C# libraries for doing so. (If you're able to help, I don't care which language you use. It's the principle I'm after here!)

The Apple "iPhone OS Enterprise Deployment Guide" states that "Device backups can be stored in encrypted format by selecting the Encrypt iPhone Backup option in the device summary pane of iTunes. Files are encrypted using AES128 with a 256-bit key. The key is stored securely in the iPhone keychain."

That's a pretty good clue, and there's some good info here on Stackoverflow on iPhone AES/Rijndael interoperability suggesting a keysize of 128 and CBC mode may be used.

Aside from any other obfuscation, a key and initialisation vector (IV)/salt are required.

One might assume that the key is a manipulation of the "backup password" that users are prompted to enter by iTunes and passed to "AppleMobileBackup.exe", padded in a fashion dictated by CBC. However, given the reference to the iPhone keychain, I wonder whether the "backup password" might not be used as a password on an X509 certificate or symmetric private key, and that the certificate or private key itself might be used as the key. (AES and the iTunes encrypt/decrypt process is symmetric.)

The IV is another matter, and it could be a few things. Perhaps it's one of the keys hard-coded into iTunes, or into the devices themselves.

Although Apple's comment above suggests the key is present on the device's keychain, I think this isn't that important. One can restore an encrypted backup to a different device, which suggests all information relevant to the decryption is present in the backup and iTunes configuration, and that anything solely on the device is irrelevant and replacable in this context. So where might be the key be?

I've listed paths below from a Windows machine but it's much of a muchness whichever OS we use.

The "\appdata\Roaming\Apple Computer\iTunes\itunesprefs.xml" contains a PList with a "Keychain" dict entry in it. The "\programdata\apple\Lockdown\09037027da8f4bdefdea97d706703ca034c88bab.plist" contains a PList with "DeviceCertificate", "HostCertificate", and "RootCertificate", all of which appear to be valid X509 certs. The same file also appears to contain asymmetric keys "RootPrivateKey" and "HostPrivateKey" (my reading suggests these might be PKCS #7-enveloped). Also, within each backup there are "AuthSignature" and "AuthData" values in the Manifest.plist file, although these appear to be rotated as each file gets incrementally backed up, suggested they're not that useful as a key, unless something really quite involved is being done.

There's a lot of misleading stuff out there suggesting getting data from encrypted backups is easy. It's not, and to my knowledge it hasn't been done. Bypassing or disabling the backup encryption is another matter entirely, and is not what I'm looking to do.

This isn't about hacking apart the iPhone or anything like that. All I'm after here is a means to extract data (photos, contacts, etc.) from encrypted iTunes backups as I can unencrypted ones. I've tried all sorts of permutations with the information I've put down above but got nowhere. I'd appreciate any thoughts or techniques I might have missed.

+2  A: 

You should grab a copy of Erica Sadun's mdhelper command line utility (OS X binary & source). It supports listing and extracting the contents of iPhone/iPod Touch backups, including address book & SMS databases, and other application metadata and settings.

Nathan de Vries
That's just a PList reader: I can already do that stuff natively. It doesn't support encrypted backups which is what I'm after, and which is beyond the scope of that utility.
afit
Did you take the time to try the utility? My backups are encrypted and it does exactly what you're trying to do.
Nathan de Vries
Yes, and I've read the source, too. It does not handle encrypted backups, and was last modified prior to release of iTunes' support for encrypted backups. I suspect you mean your backups are encoded or that your iPhone uses an encrypted filesystem, which is another matter entirely. As well as there being no support for encryption in the code, more obviously there's no option to pass in a password in the command-line options. And the code doesn't use any certs or keychains. I'd love to be proven wrong on this, but I really don't think I am! I appreciate the suggestion, though.
afit
+1  A: 

If the encrypted backup can be pushed to another iPhone, can I backup the second iPhone in iTunes with encryption disabled and read the second phone's backup the usual way?

richard
Yes, that should be possible.
afit
A: 

What is the procedure for "pushing" an encrypted backup file or files to a second iPhone?

Rooney
Connect a new phone to iTunes, and it'll ask you whether you want to set it up anew or restore an existing back. You shouldn't have to do anything special.
afit
This should be a comment, not an answer.
Callum Rogers
A: 

Is there any luck with the "decryption" of an encrypted backup password?

Larry
You can brute force the password, but quite what you do with it when you have it is another matter!
afit
This should be a comment, not an answer.
Callum Rogers
A: 

Haven't tried it, but Elcomsoft released a product they claim is capable of decrypting backups, for forensics purposes. Maybe not as cool as engineering a solution yourself, but it might be faster.

http://www.elcomsoft.com/eppb.html

Jablair
Thanks. This doesn't decrypt backups as such: it just cracks the keys. I know how to do that already... and that's a lot simpler than decrypting the backup once you have the key.
afit
Huh. Sorry about that. Guess I misread the docs.
Jablair
+3  A: 

Sorry, but it might even be more complicated, involving pbkdf2, or even a variation of it. Listen to the WWDC 2010 session #209, which mainly talks about the security measures in iOS 4, but also mentions briefly the separate encryption of backups and how they're related.

You can be pretty sure that without knowing the password, there's no way you can decrypt it, even by brute force.

Let's just assume you want to try to enable people who KNOW the password to get to the data of their backups.

I fear there's no way around looking at the actual code in iTunes in order to figure out which algos are employed.

Back in the Newton days, I had to decrypt data from a program and was able to call its decryption function directly (knowing the password, of course) without the need to even undersand its algorithm. It's not that easy anymore, unfortunately.

I'm sure there are skilled people around who could reverse engineer that iTunes code - you just have to get them interested.

In theory, Apple's algos should be designed in a way that makes the data still safe (i.e. practically unbreakable by brute force methods) to any attacker knowing the exact encryption method. And in WWDC session 209 they went pretty deep into details about what they do to accomplish this. Maybe you can actually get answers directly from Apple's security team if you tell them your good intentions. After all, even they should know that security by obfuscation is not really efficient. Try their security mailing list. Even if they do not repond, maybe someone else silently on the list will respond with some help.

Good luck!

Thomas Tempelmann