sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

[bug] ios keychain add sets Service instead of Account #350

Closed aph3rson closed 4 years ago

aph3rson commented 4 years ago

Describe the bug

When using ios keychain add --key foo --data bar, foo is set to the service name on the keychain, not the account. When setting items on the Keychain, the service is most often the bundle name (except in instances of cross-app keys), and the account identifies the specific purpose within the application. However, that's not in use here.

Here's an example from ios keychain dump - the top is a normal key on the keychain, the middle is the one I'm trying to overwrite, and the bottom is my added key:

com.corp.app on (iPad: 11.4) [usb] # ios keychain dump
Note: You may be asked to authenticate using the devices passcode or TouchID
Save the output by adding `--json keychain.json` to this command
Dumping the iOS keychain...
Created                    Accessible    ACL    Type      Account     Service        Data
-------------------------  ------------  -----  --------  ----------  ------------  ---------------
2020-03-30 23:36:18 +0000  WhenUnlocked  None   Password  dbPassword  com.corp.app  foo-bar-baz-bat
2020-03-30 23:36:33 +0000  WhenUnlocked  None   Password  foo         com.corp.app  bat
2020-03-31 00:02:00 +0000  WhenUnlocked  None   Password              foo           bar

ios keychain dump_raw also has similar output, showing the account as blank.

To Reproduce

Steps to reproduce the behavior:

  1. Hook an iOS app
  2. Attempt to add a new key using ios keychain add
  3. Observe that the key argument becomes the service name, not the account name.

Expected behavior

Either set the key parameter to be the account name (and the bundle name to be the service name), or split the key parameter into account and service, to match available arguments to SecItemAdd.

Environment (please complete the following information):
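
The account/service split described in this report, as an added illustration that is not objection's own code. It builds the SecItemAdd query both the way the report says it currently behaves (key lands in kSecAttrService, no account) and the way the report asks for (key in kSecAttrAccount, service defaulting to the app's bundle identifier), and includes a small collision check showing why only the second form targets the existing `foo` / `com.corp.app` entry from the dump above. The constants use the raw string values the Security framework gives them (kSecAttrAccount is "acct", kSecAttrService is "svc", and so on) so the query can be inspected outside a device; the Frida-only path in keychainAddViaFrida() and the bundle-id lookup assume a Frida session with the ObjC bridge and are the only parts that touch a real keychain.

```javascript
// Added example, not part of objection. Raw Security framework constant values
// so the query can be built and inspected without an ObjC runtime.
const kSecClass = 'class';
const kSecClassGenericPassword = 'genp';
const kSecAttrAccount = 'acct';
const kSecAttrService = 'svc';
const kSecValueData = 'v_Data';
const kSecAttrAccessible = 'pdmn';
const kSecAttrAccessibleWhenUnlocked = 'ak'; // shown as "WhenUnlocked" in the dump

// Behaviour as reported: the user-supplied key becomes the service and no
// account is set, so the new item never lines up with the app's own entries.
function buildQueryAsReported(key, data) {
  return {
    [kSecClass]: kSecClassGenericPassword,
    [kSecAttrService]: key,
    [kSecValueData]: data,
    [kSecAttrAccessible]: kSecAttrAccessibleWhenUnlocked,
  };
}

// Behaviour requested: the key is the account, the service is the bundle id
// unless the caller overrides it (cross-app / shared keychain group case).
function buildQuery(account, data, bundleId, service) {
  if (!account) throw new Error('account is required');
  return {
    [kSecClass]: kSecClassGenericPassword,
    [kSecAttrAccount]: account,
    [kSecAttrService]: service || bundleId,
    [kSecValueData]: data,
    [kSecAttrAccessible]: kSecAttrAccessibleWhenUnlocked,
  };
}

// True when both queries address the same generic-password item, i.e. when
// SecItemAdd would return errSecDuplicateItem (-25299) for the second one and
// an update/delete is needed instead of a plain add.
function collidesWith(query, existing) {
  return query[kSecAttrAccount] === existing[kSecAttrAccount] &&
         query[kSecAttrService] === existing[kSecAttrService];
}

// Frida-only helpers (assumed Frida ObjC bridge; not runnable outside a session).
function currentBundleId() {
  return ObjC.classes.NSBundle.mainBundle().bundleIdentifier().toString();
}

// Converts the plain query into an NSMutableDictionary and calls SecItemAdd.
// Returns the OSStatus: 0 is errSecSuccess, -25299 is errSecDuplicateItem.
function keychainAddViaFrida(query) {
  if (typeof ObjC === 'undefined' || !ObjC.available) {
    throw new Error('keychainAddViaFrida needs a Frida session with the ObjC bridge');
  }
  const NSString = ObjC.classes.NSString;
  const dict = ObjC.classes.NSMutableDictionary.alloc().init();
  for (const [k, v] of Object.entries(query)) {
    const key = NSString.stringWithString_(k);
    // kSecValueData must be NSData; every other attribute here is a string.
    const value = (k === kSecValueData)
      ? NSString.stringWithString_(v).dataUsingEncoding_(4) // 4 = NSUTF8StringEncoding
      : NSString.stringWithString_(v);
    dict.setObject_forKey_(value, key);
  }
  const secItemAdd = new NativeFunction(
    Process.getModuleByName('Security').getExportByName('SecItemAdd'),
    'int', ['pointer', 'pointer']);
  return secItemAdd(dict.handle, NULL);
}
```

Inside a hooked app the intended call is `keychainAddViaFrida(buildQuery('foo', 'bar', currentBundleId()))`; a non-zero status of -25299 means an item with that account/service pair already exists, which is exactly the `foo` / `com.corp.app` row the report was trying to overwrite.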

leonjza commented 4 years ago

Ah interesting. Should be a relatively easy change though. We can already determine (service) the bundle (used in the repl), and can update the attribute here to be account.

Maybe we should add some flags here? 🤔

aph3rson commented 4 years ago

@leonjza how would you feel about renaming --key to --account and adding a --service flag accordingly? That way we're at somewhat-parity with the actual iOS APIs, and using terms that are relevant to the keys we're storing.

leonjza commented 4 years ago

@aph3rson Excellent idea, I did just that. Will be available in the next release.

aph3rson commented 4 years ago

https://github.com/sensepost/objection/blob/4dadfc497864ff8d0eeff6b4d4468a1645558a95/objection/commands/ios/keychain.py#L149-L151

Minor bug, this should be --service, not --server. You'll want to change the relevant test suite line as well.