iOS, https://docs.mvt.re/en/latest/ios/methodology/
> You will need to decide whether to attempt to jailbreak the device and obtain a full filesystem dump, or not.
Since Apple won't allow iDevice owners to access an unredacted raw disk image for forensics, iOS malware detection tools are hamstrung. The inability to fully back up devices means that post-intrusion device restore is literally impossible. Only a new OS version can be installed, then a subset of the original data can be restored, then every app/service needs to re-establish trust with this newly "untrusted" (but more trustworthy than the previously trusted-but-compromised) device.
In theory, Apple could provide their own malware analysis toolset, or provide optional remote attestation to verify OS and baseband integrity.
In the absence of persistent disk artifacts, the next best option is behavioral analysis, e.g. usage anomalies ("dog that did not bark") in CPU, battery, storage or network. Outbound network traffic can be inspected by a router and compared against expected application and system traffic. This requires an outbound firewall where rules can specify traffic by wildcard domain names, which are widely used by CDNs. Apple helpfully provides a list of domains and port numbers for all Apple services.
The fact that iPhones are hard to dump is actually the main protection against threats when your phone is stolen or taken away from you (from a more or less legitimate-looking organization or person). It's a pretty good thing overall.
Would DNS logs suffice? You could use a service that offers DNS logs like NextDNS or a Pi-hole to watch DNS traffic from the device, but you wouldn't know which app sent it and for what purpose.
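One way to act on the two suggestions above (compare the phone's outbound traffic against an allowlist of wildcard domains, and do it from resolver logs when per-app attribution isn't available), as an added example that is not part of MVT or of this thread: a Python script that audits a Pi-hole-style query log for one phone against an allowlist. The allowlist, the log layout and the sample queries are constructed for the example; substitute Apple's published domain list and your resolver's real log format.

```python
# Added example (not MVT code): audit one phone's DNS queries against an
# allowlist of expected domains. Log layout "epoch client qname" is constructed,
# Pi-hole-like; adapt parse_line() for NextDNS or dnsmasq output.
from collections import Counter

# Constructed allowlist: a stand-in for Apple's published service domains
# plus the endpoints of the apps you expect on the device.
ALLOWLIST = ["*.apple.com", "*.icloud.com", "*.cdn-apple.com",
             "*.mzstatic.com", "signal.org", "*.signal.org"]

# Constructed sample log: epoch seconds, client IP, queried name.
SAMPLE_LOG = """\
1700000000 10.0.0.7 gateway.icloud.com
1700000003 10.0.0.7 init.push.apple.com.
1700000010 10.0.0.7 chat.signal.org
1700000020 10.0.0.7 api.example-analytics.net
1700000021 10.0.0.7 api.example-analytics.net
1700000025 10.0.0.9 www.example.org
1700003600 10.0.0.7 a3f9c1.example-analytics.net
"""

def parse_line(line):
    """Return (epoch, client, qname) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2].lower().rstrip(".")

def domain_allowed(qname, allowlist):
    """'*.apple.com' matches names under apple.com but not apple.com itself;
    a pattern without a wildcard must match exactly."""
    for pat in allowlist:
        pat = pat.lower()
        if pat.startswith("*."):
            if qname.endswith(pat[1:]):  # pat[1:] is ".apple.com"
                return True
        elif qname == pat:
            return True
    return False

def audit(log_text, client, allowlist):
    """Count queries from `client` that match nothing in the allowlist, both by
    full name and by parent (last two labels) so random-looking subnames of one
    domain, a common beaconing pattern, still cluster together."""
    per_name, per_parent = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != client or domain_allowed(rec[2], allowlist):
            continue
        per_name[rec[2]] += 1
        per_parent[".".join(rec[2].split(".")[-2:])] += 1
    return per_name, per_parent
```

Run `audit(SAMPLE_LOG, "10.0.0.7", ALLOWLIST)` and sort the returned counters with `most_common()`; the parent-domain counter is what you'd eyeball first, since a burst of distinct hostnames under one unknown parent is the pattern the allowlist can't explain.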
> provide optional remote attestation to verify OS and baseband integrity
And lock us out of our computing freedom while they're at it.
Remote attestation enables discrimination against free computers owned by users rather than corporations. They could theoretically allow users to set their own keys but it's not like apps and services are gonna trust people's personal attestation keys, they're only gonna trust Apple's and Google's.
This is among the most dangerous developments in cryptography to date and it's gonna end free computing as we know it today. Before this, cryptography used to empower people like us. Now it's the tool that will destroy our freedom and everything the word "hacker" ever stood for. Malware is a small price to pay to avoid such a fate.
It's not going to be "optional" either. Every major service is going to use it. Guaranteed.
IIRC wasn't it Librem that wanted to have the device attest itself to the user (i.e. a second device)?
Agreed though. Any major vendor deploying this globally and making it available to developers without restriction would be an affront to our freedom.
Unless I remember incorrectly, doesn't iOS do an integrity verification at system boot?
Has anyone seen an iOS device fail to boot due to an integrity violation?
Whatever it's verifying is insufficient to stop persistent iOS malware, hence the existence of the MVT toolkit, which itself can only identify a small subset of real-world attacks. For evidence, look no further than the endless stream of zero-day CVEs in Apple Security Updates for iOS. Recovery from iOS malware often requires DFU (Device Firmware Update) mode reinstallation from a separate device running macOS.
Non-persistent iOS malware can be flushed by a device hot-key reboot which prevents malware from simulating the appearance of a reboot.
> Non-persistent iOS malware can be flushed by a device hot-key reboot which prevents malware from simulating the appearance of a reboot.
The question is how often do users usually reboot their phone these days?
Regularly, if using iOS Lockdown Mode to increase resilience to malware.
The people who need it use it.
The fact some people may need it and don't reboot isn't relevant. The option is there.
And how many users do that regularly?
Persistent iOS malware is quite rare these days.
Rare, expensive and extant.
Starting in iPadOS and iOS 15, iOS and macOS use a similar Signed System Volume concept and the System volume's integrity is verified.
Integrity verification of what? The OS definitely has its signature/hash checked.
Most modern malware is not disk resident, as it has a higher probability of persisting by re-infection with an undocumented zero-day.
For example, people that play games that bind the GPS location services will find interruptions magically stop for awhile after a cold power-off, and power-on restart. Or the battery performance suddenly stops quickly losing power in standby, as recording/image capture was burning power and data budgets.
Ultimately, a smartphone is impossible to fully secure, as the complexity has a million holes in it regardless of the brand. And Gemini is a whole can of worms I'd rather not discuss without my lawyer present. =3
> Since Apple won't allow iDevice owners to access an unredacted raw disk image for forensics, iOS malware detection tools are hamstrung.
And it's not just Apple.
Android is just as bad, and even worse for the user because while iOS backups are consistent in backing up everything sans stuff in the Secure Enclave (i.e. credit card and eSIM keys), in Android support for backup is optional for apps and there are many games who just outright don't do any kind of backup.
This is true and I resent it. However, at least you have the option of installing a ROM that supports toggling adb root out of the box. That alone solves 99% of the issues I have with Android in practice.
> However, at least you have the option of installing a ROM that supports toggling adb root out of the box.
That's not valid for all devices, all Samsungs need a cooldown of one week (Knox lock, presumably to thwart people from rooting stolen devices to bypass antitheft), all modern Androids require a full wipe of the device as part of rooting so it's useless for forensics, and a shitload of apps will flat out refuse to work on rooted devices - forget many games, forget anything with streaming, forget banking apps.
> iOS backups are consistent in backing up everything sans stuff in the Secure Enclave
Do they now back up TOTP generators? I lost access to an account I had since my teens because when restoring from backup, I had no MFAs in my Google Authenticator. Since I had imported my teenage cell # into Google Voice, when the backup codes I'd generated for the account failed to restore access, I lost access to my gmail + my phone number I'd had for decades, despite taking what seemed to be reasonable steps.
(I'd back up my iPhone to my laptop, and back up my laptop to a USB hard drive, one of which would live in my house and another in a secure offsite location.)
Google Authenticator at least does support cloud uploads.
Nope not in general, gotta use multiple second factors and/or the second factor reset key.
Well unfortunately, if the backup method is SMS MFA, and that SMS # is now behind Google's cloud, you can become locked out. Really terrible, from a UX perspective -- I managed to go decades without a data loss, and then poof -- every email, calendar, and contact from my late teens to my 30s erased.
I'd be curious if anyone has tried this for Android and what kind of stuff it's checking for. Sideloaded APKs can often contain malicious stuff, but it's nearly impossible to know if it's doing anything suspicious unless you open it up with a tool like Apktool [1] or run it on Triage [2] as it supports Android and watch what it's doing. Most antivirus for Android is pretty much a joke, as far as I'm concerned.
[1] https://github.com/iBotPeaches/Apktool?tab=readme-ov-file
[2] https://tria.ge/
I recently had the "pleasure" of reading over a criminal forensic investigation report. It was harrowing. The report was basically like "we ran virus check and it reported clean so nobody could have accessed the system remotely" and then it moved right along to the next thing. The logic felt more dubious than some of the court scenes from Idiocracy. And it had been produced for defense counsel and paid for by the defendant.
Did the defendant argue that the system was compromised and that they therefore did not commit the crime?
I have no idea what arguments were actually made. But that concern was raised somewhere along the chain asking for my (informal technical) opinion.
It's obviously quite difficult to prove a negative in general, but the complete lack of any standard of care then presented as an "expert opinion" for the defense was astounding.
(FWIW this was a MS Windows machine, and I think the AV was just Windows Defender)
The courts and police don't care about nonsensical phone forensics. The entire EncroChat thing was built on lies; the courts lapped it up.
Does the iPhone / iOS track the profiles of the machines it is physically connected with and when “Allow Access” is selected? I ask because I did not have face authentication or a password on my phone and my ex-landlords illegally obtained my exempt property and I would like to know if they plugged it in to their computer and potentially obtained personal files from it. Yes I know the lack of security was an oversight and failure on my part. I accept that. However, they also tried to steal my car and sell it and refuse to return my property they are not legally entitled to possess (“tools of trade” under Texas law). The legal process takes time so I’m just curious if such a forensics investigation is possible.
iVerify uses diagnostic logs for hunting. Give it a go