Application can store data securely in Keychain, it's the recommended way to store sensitive information.
All stored in centralized encrypted database, apps can only access their own keychain items.
Multiple type of data can be stored, such as:
Using the DVIA-v2 application, we will try the Keychain challenge in the 'Local Data Storage' menu. Add a text in the application and than dump the data
We will search for classes contain keychain and dump them
eh@Ethicals-MacBook-Pro DVIA-v2 % frida -U "DVIA-v2"
____
/ _ | Frida 14.2.18 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at <https://frida.re/docs/home/>
[iPhone::DVIA-v2]-> ObjC.classes
{
"AAAbsintheContext": {
"handle": "0x1f0cf94c0"
},
"AAAbsintheSigner": {
"handle": "0x1f0cf7d00"
},
"AAAbsintheSignerContextCache": {
"handle": "0x1f0cf7990"
},
"AAAcceptedTermsController": {
"handle": "0x1f0cf8f48"
},
"PDFViewLayout": {
"handle": "0x1f4731230"
},
"PDFViewLayoutPrivate": {
"handle": "0x1f4731208"
},
"PDFViewPrivate": {
"handle": "0x1f47312f8"
},
"PDKeychainBindings": {
"handle": "0x104abc770"
},
"PDKeychainBindingsController": {
"handle": "0x104abbbb8"
},
"PDMeasurement": {
"handle": "0x1f69f0288"
},
"PEPServiceConfiguration": {
"handle": "0x1f099e8e0"
},
"PET1Key": {
"handle": "0x1efd677b0"
},
"PET2LoggingOutlet": {
"handle": "0x1efd673f0"
},
"PETAggdLoggingOutlet": {
"handle": "0x1f0b1c670"
},
"PETAggregateState": {
"handle": "0x1efd678a0"
},
"PETAggregateStateStorage": {
"handle": "0x1efd676c0"
},
"PETAggregateStateStorageInMemory": {
"handle": "0x1f0b1c788"
},
"PETAggregateStateStorageOnDisk": {
"handle": "0x1efd67710"
},
"PETAggregatedMessage": {
"handle": "0x1f0b1c8c8"
},
"PETAggregationKey": {
"handle": "0x1efd67760"
},
"PETConfig": {
"handle": "0x1efd67850"
},
"nw_listener_inbox": {
"handle": "0x1f054fc60"
},
"nw_listener_inbox_protocol": {
"handle": "0x1f054fcb0"
},
"nw_listener_inbox_socket": {
"handle": "0x1f054fc10"
}
}
Then bind them and save in a variable
[iPhone::DVIA-v2]-> ObjC.classes.PDKeychainBindingsController
{
"handle": "0x104abbbb8"
}
[iPhone::DVIA-v2]-> pdk = ObjC.classes.PDKeychainBindingsController
{
"handle": "0x104abbbb8"
}
[iPhone::DVIA-v2]-> pdk
{
"handle": "0x104abbbb8"
}
[iPhone::DVIA-v2]-> pdk.$ownMethods
[
"+ sharedKeychainBindingsController",
"- storeString:forKey:",
"- keychainBindings",
"- stringForKey:",
"- values",
"- setValue:forKeyPath:",
"- valueForKeyPath:",
"- .cxx_destruct",
"- serviceName"
]
Check the inside methods
[iPhone::DVIA-v2]-> pdk.sharedKeychainBindingsController()
{
"handle": "0x281486f80"
}
[iPhone::DVIA-v2]-> controller = pdk.sharedKeychainBindingsController()
{
"handle": "0x281486f80"
}
[iPhone::DVIA-v2]-> controller
{
"handle": "0x281486f80"
}
[iPhone::DVIA-v2]-> controller.values()
{
"handle": "0x28142fd60"
}
[iPhone::DVIA-v2]-> controller.values().toString()
"{\\n keychainValue = \\"iron password \\";\\n}"
[iPhone::DVIA-v2]->
* on (iPhone: 14.6) [usb] # ios keychain dump
Note: You may be asked to authenticate using the devices passcode or TouchID
Save the output by adding `--json keychain.json` to this command
Dumping the iOS keychain...
Created Accessible ACL Type Account Service Data
------------------------- -------------------- ----- -------- ------------------------- --------------------- ------------------------------------
2021-06-16 13:57:45 +0000 WhenUnlocked None Password FlurryAPIKey *com.flurry.analytics
2021-06-16 13:57:45 +0000 WhenUnlocked None Password FlurrySessionTimestampKey *com.flurry.analytics
2021-06-16 13:57:45 +0000 AlwaysThisDeviceOnly None Password FlurrySessionInstallIDKey *com.flurry.analytics 8A71950D-F2F4-403E-86EB-E72B6EA1BE88
2021-06-18 13:58:34 +0000 WhenUnlocked None Password keychainValue * iron password
We can see that the 'KeychainValue' is set to the text we added in DVIA-V2