mattrubin / Authenticator

Two-Factor Authentication Client for iOS
https://mattrubin.me/authenticator

Extracting tokens from encrypted backup #412

Open Esgariot opened 1 year ago

Esgariot commented 1 year ago

Hi,

I'm trying to extract token secrets from an encrypted backup.

I've managed to extract authenticator.plist, which contains multiple entries that resemble base64, but do not decode into valid UTF-8.

Here are the steps that got me there:

  1. Create a local encrypted backup of your device, as specified in https://support.apple.com/en-us/HT205220
  2. Use https://github.com/jsharkey13/iphone_backup_decrypt (you will find backups in ~/Library/Application Support/MobileSync/Backup/)
  3. Specify the passphrase
  4. Extract Library/Preferences/me.mattrubin.authenticator.plist using extract_file
  5. Convert the plist from binary to XML using plutil -convert xml1 <plist file>

I've noticed that all the secret entries fit the Z2VucXXXXXXXXXXXXXXXXXXXXXX= pattern. Is it possible to decode it further? I suppose it would represent the Token object, serialized.

Esgariot commented 1 year ago

Looking at https://github.com/mattrubin/OneTimePassword/blob/66f284e22c170ffcc2c9dcf055a1efeb260c766d/Sources/PersistentToken.swift#L31-L35 maybe this is not a feasible approach.

Esgariot commented 1 year ago

https://github.com/dunhamsteve/ios is a bit more ergonomic, and allows dumping the keychain file.

Esgariot commented 1 year ago

Now I'm missing a way to import the dumped ASCII keychain into the macOS keychain store, to then query stuff as specified in https://github.com/mattrubin/Authenticator/issues/383#issuecomment-995348508

Esgariot commented 1 year ago

I've managed to decode the URL, by base64-decoding the "gena" field from irestore's dumpkeys output, into otpauth://totp/<skipped>algorithm=SHA1&digits=6&issuer=<skipped>&duration=30. There's no secret in this decoded URL :<
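
The two decoding steps described in this thread, as an added Python example that is not part of the original posts or of the Authenticator project: it decodes a plist entry shaped like the `Z2Vuc...=` values and a base64 "gena" field, then reports whether the resulting otpauth URL carries a `secret` parameter. All sample values are constructed, and the function names are hypothetical.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample data (not taken from a real backup).
# 20 bytes encode to 28 base64 characters with one "=", like the Z2Vuc...= entries.
# The fourth byte "p" is an assumption: "Z2Vuc" only fixes "gen" plus six more bits.
SAMPLE_PLIST_VALUE = base64.b64encode(b"genp" + bytes(range(0xF0, 0x100))).decode()
SAMPLE_GENA = base64.b64encode(
    b"otpauth://totp/Example:alice%40example.com"
    b"?algorithm=SHA1&digits=6&issuer=Example&duration=30"
).decode()


def describe_plist_value(b64_value):
    """Decode one plist entry and report whether it is readable text."""
    raw = base64.b64decode(b64_value, validate=True)
    try:
        raw.decode("utf-8")
        is_utf8 = True
    except UnicodeDecodeError:
        is_utf8 = False
    return {"length": len(raw), "prefix": raw[:3],
            "rest_hex": raw[3:].hex(), "is_utf8": is_utf8}


def inspect_gena(b64_value):
    """Decode a base64 "gena" field and list what the otpauth URL carries."""
    url = base64.b64decode(b64_value, validate=True).decode("utf-8")
    parts = urlsplit(url)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URL: scheme is %r" % parts.scheme)
    # Lower-case the keys so "Secret=" would not be missed.
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "params": params,
        "has_secret": "secret" in params,
    }


if __name__ == "__main__":
    print(SAMPLE_PLIST_VALUE, describe_plist_value(SAMPLE_PLIST_VALUE))
    print(inspect_gena(SAMPLE_GENA))
```
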