`/private/var/mobile/Applications/{random ID}`

Once installed, applications have limited read access to some system areas and functions (SMS, phone calls, ...). If an application wants to access a protected area, a pop-up requesting permission appears.
All class keys except `NSFileProtectionNone` are encrypted with a key derived from the device UID and the user's passcode. As a result, decryption can happen only on the device itself and requires the correct passcode.

Access to the Keychain is controlled by the `securityd` daemon, which grants access according to the app's `Keychain-access-groups`, `application-identifier`, and `application-group` entitlements.

The Keychain API includes the following main operations:

- `SecItemAdd`
- `SecItemUpdate`
- `SecItemCopyMatching`
- `SecItemDelete`

The data protection class of a Keychain item is specified with the `kSecAttrAccessible` key in the call to `SecItemAdd` or `SecItemUpdate`. The following configurable accessibility values for `kSecAttrAccessible` are the Keychain Data Protection classes:

- `kSecAttrAccessibleAlways`: The data in the Keychain item can always be accessed, regardless of whether the device is locked.
- `kSecAttrAccessibleAlwaysThisDeviceOnly`: The data in the Keychain item can always be accessed, regardless of whether the device is locked. The data won't be included in an iCloud or local backup.
- `kSecAttrAccessibleAfterFirstUnlock`: The data in the Keychain item can't be accessed after a restart until the device has been unlocked once by the user.
- `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`: The data in the Keychain item can't be accessed after a restart until the device has been unlocked once by the user. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
- `kSecAttrAccessibleWhenUnlocked`: The data in the Keychain item can be accessed only while the device is unlocked by the user.
- `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`: The data in the Keychain item can be accessed only while the device is unlocked by the user. The data won't be included in an iCloud or local backup.
- `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`: The data in the Keychain item can be accessed only when the device is unlocked. This protection class is only available if a passcode is set on the device. The data won't be included in an iCloud or local backup.

`AccessControlFlags` define the mechanisms with which users can authenticate the key (`SecAccessControlCreateFlags`):

- `kSecAccessControlDevicePasscode`: Access the item via a passcode.
- `kSecAccessControlBiometryAny`: Access the item via one of the fingerprints registered to Touch ID. Adding or removing a fingerprint won't invalidate the item.
- `kSecAccessControlBiometryCurrentSet`: Access the item via one of the fingerprints registered to Touch ID. Adding or removing a fingerprint will invalidate the item.
- `kSecAccessControlUserPresence`: Access the item via either one of the registered fingerprints (using Touch ID) or default to the passcode.

Keys secured by Touch ID (via `kSecAccessControlBiometryAny` or `kSecAccessControlBiometryCurrentSet`) are protected by the Secure Enclave: the Keychain holds a token only, not the actual key. The key resides in the Secure Enclave.
Open the `Info.plist` file in the default editor and search for the keys starting with "Privacy -". Xcode shows these keys in human-readable form; in the file itself they appear as raw key names (for example, "Privacy - Location When In Use Usage Description" will turn into `NSLocationWhenInUseUsageDescription`).

In the IPA, `Info.plist` is located in `Payload/<appname>.app/Info.plist`. Convert it to XML if needed (`plutil -convert xml1 Info.plist`) as explained in the chapter "iOS Basic Security Testing", section "The Info.plist File", then search for the keys containing `UsageDescription`.

Device capabilities are declared in the `Info.plist` file of the app under the `UIRequiredDeviceCapabilities` key. Typically you'll find the `armv7` capability, meaning that the app is compiled only for the armv7 instruction set or is a 32/64-bit universal app.
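The checks above (usage-description keys and `UIRequiredDeviceCapabilities`) can be scripted so they run the same way against every IPA. The following example is added here and is not part of the original chapter; it assumes a constructed `Info.plist` in XML form (what `plutil -convert xml1` produces), although Python's standard `plistlib` also reads the binary form directly, so the conversion step is not required when working from a script. Empty purpose strings are flagged separately because the permission pop-up would then give the user no reason for the request.

```python
import plistlib

# Constructed sample Info.plist for demonstration; not taken from any real app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sampleapp</string>
    <key>NSLocationWhenInUseUsageDescription</key>
    <string>We use your location to show nearby stores.</string>
    <key>NSCameraUsageDescription</key>
    <string></string>
    <key>NFCReaderUsageDescription</key>
    <string>Scan NFC tags.</string>
    <key>UIRequiredDeviceCapabilities</key>
    <array>
        <string>armv7</string>
        <string>nfc</string>
    </array>
</dict>
</plist>
"""


def load_info_plist(data: bytes) -> dict:
    """Parse an Info.plist; plistlib detects XML and binary plists by itself."""
    return plistlib.loads(data)


def usage_descriptions(info: dict) -> dict:
    """All *UsageDescription keys (the raw form of the 'Privacy - ...' entries)
    together with the purpose string shown in the permission pop-up."""
    return {key: value for key, value in info.items() if key.endswith("UsageDescription")}


def empty_usage_descriptions(info: dict) -> list:
    """Keys whose purpose string is empty or whitespace only."""
    return sorted(key for key, value in usage_descriptions(info).items()
                  if not str(value).strip())


def required_capabilities(info: dict) -> list:
    """Values of UIRequiredDeviceCapabilities. The key may be an array of
    capability names or a dict mapping capability -> bool; both are handled."""
    caps = info.get("UIRequiredDeviceCapabilities", [])
    if isinstance(caps, dict):
        caps = [name for name, required in caps.items() if required]
    return list(caps)


def report(data: bytes) -> str:
    """Human-readable summary, the form a tester would paste into notes."""
    info = load_info_plist(data)
    lines = [f"Bundle: {info.get('CFBundleIdentifier', '?')}"]
    for key, value in sorted(usage_descriptions(info).items()):
        lines.append(f"  {key}: {value!r}")
    for key in empty_usage_descriptions(info):
        lines.append(f"  WARNING: {key} has an empty purpose string")
    lines.append("  UIRequiredDeviceCapabilities: " + ", ".join(required_capabilities(info)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INFO_PLIST))
```

Point the script at `Payload/<appname>.app/Info.plist` from an unzipped IPA instead of the constructed sample to use it on a real app.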
An app that depends entirely on NFC hardware, for example, would declare the `nfc` device capability.

Entitlements are key-value pairs that are signed into an app and allow authentication beyond runtime factors, like UNIX user ID. Since entitlements are digitally signed, they can't be changed. Entitlements are used extensively by system apps and daemons to perform specific privileged operations that would otherwise require the process to run as root. This greatly reduces the potential for privilege escalation by a compromised system app or daemon.

For example, enabling the Data Protection capability in Xcode is written directly to the `<appname>.entitlements` file as the `com.apple.developer.default-data-protection` entitlement with default value `NSFileProtectionComplete`. In the IPA we might find this in the `embedded.mobileprovision` as:

For capabilities that require the user's permission, the corresponding keys and purpose strings also have to be added to the `Info.plist` file of the app.
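`embedded.mobileprovision` is a DER-encoded CMS (PKCS#7) signature whose payload is a plain XML plist, so the `Entitlements` dictionary can be read without verifying the signature by slicing the plist out of the blob (on macOS, `security cms -D -i embedded.mobileprovision` does the same). The example below is added here and is not part of the original chapter; the provisioning profile it parses is a constructed stand-in whose DER wrapper is replaced by junk bytes, and the team identifier, bundle identifiers and entitlement values in it are made up. It reads both the data-protection entitlement discussed above and the `application-identifier` and `keychain-access-groups` entitlements that `securityd` uses to decide which Keychain items an app may reach.

```python
import plistlib

# Constructed stand-in for embedded.mobileprovision. A real file is a DER
# CMS SignedData structure; here only the OID prefix and some filler bytes
# surround the plist. Team ID and identifiers are invented.
SAMPLE_MOBILEPROVISION = (
    b"\x30\x82\x0b\x10\x06\x09*\x86H\x86\xf7\r\x01\x07\x02\xa0\x82\x0b\x01"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Sample App Distribution</string>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>TEAMID0000.com.example.sampleapp</string>
        <key>keychain-access-groups</key>
        <array>
            <string>TEAMID0000.com.example.sampleapp</string>
            <string>TEAMID0000.com.example.shared</string>
        </array>
        <key>com.apple.developer.default-data-protection</key>
        <string>NSFileProtectionCompleteUntilFirstUserAuthentication</string>
        <key>get-task-allow</key>
        <false/>
    </dict>
</dict>
</plist>
"""
    + b"\xa0\x82\x04\x12\x30\x82\x04\x0e"
)

DATA_PROTECTION_KEY = "com.apple.developer.default-data-protection"


def extract_plist(blob: bytes) -> dict:
    """Locate the XML plist inside the CMS blob and parse it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def entitlements(blob: bytes) -> dict:
    return extract_plist(blob).get("Entitlements", {})


def keychain_access_groups(ent: dict) -> list:
    """Groups whose Keychain items securityd will let this app read and write."""
    return list(ent.get("keychain-access-groups", []))


def default_data_protection(ent: dict):
    """Value of the data-protection entitlement, or None if it is not set."""
    return ent.get(DATA_PROTECTION_KEY)


def data_protection_weaker_than_complete(ent: dict) -> bool:
    """True when the entitlement is present but set to something other than
    NSFileProtectionComplete, which is the value Xcode writes by default."""
    value = default_data_protection(ent)
    return value is not None and value != "NSFileProtectionComplete"


if __name__ == "__main__":
    ent = entitlements(SAMPLE_MOBILEPROVISION)
    print("application-identifier:", ent.get("application-identifier"))
    print("keychain-access-groups:", keychain_access_groups(ent))
    print(DATA_PROTECTION_KEY + ":", default_data_protection(ent))
    if data_protection_weaker_than_complete(ent):
        print("note: default file protection is weaker than NSFileProtectionComplete")
```

Because the plist is read without checking the CMS signature, use this only for inspection; the signed values that iOS enforces are the ones in the app's code signature, which `codesign -d --entitlements` on macOS prints.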