Credentials from Password Store: Keychain

Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.

On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.[1][2]

ID: T1634.001
Sub-technique of:  T1634
Tactic Type: Post-Adversary Device Access
Platforms: iOS
Version: 1.0
Created: 01 April 2022
Last Modified: 05 April 2022

Procedure Examples

ID Name Description

INSOMNIA can extract the device’s keychain.[3]


ID Mitigation Description
M1002 Attestation

Device attestation can often detect jailbroken devices.

M1010 Deploy Compromised Device Detection Method

Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.

M1001 Security Updates

Apple regularly provides security updates for known OS vulnerabilities.


Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.