Keychain

Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.

On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.[1][2]

ID: T1579
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Credential Access
Platforms: iOS
MTC ID: AUT-11
Version: 1.0
Created: 24 June 2020
Last Modified: 24 June 2020

Procedure Examples

Name Description
INSOMNIA

INSOMNIA can extract the device’s keychain.[3]

Mitigations

Mitigation Description
Application Vetting

Application vetting services may be able to detect known privilege escalation exploits contained within applications.

Deploy Compromised Device Detection Method

Mobile security products can potentially detect jailbroken devices and take responsive action.

Security Updates

Apple regularly provides security updates for known OS vulnerabilities.

Use Recent OS Version

Newer OS releases typically patch known root exploits disclosed in previous versions.

Detection

Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.

References