sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

Keychain dump_raw element description #491

Closed BreakfastSerial closed 2 years ago

BreakfastSerial commented 2 years ago

Is your feature request related to a problem? Please describe. I'm trying to make sense of a specific keychain entry of an app and used ios keychain dump_raw for more details, but don't know what the entries correspond to.

For example, obviously redacted:

{
    UUID = "ID";
    accc = "<SecAccessControlRef: aku;dacl(true)>";
    agrp = "APP";
    atag = {length = 62, bytes = TAG };
    bsiz = 256;
    cdat = "2021-10-05 05:08:54 +0000";
    class = keys;
    crtr = 0;
    decr = 0;
    drve = 1;
    edat = "2001-01-01 00:00:00 +0000";
    encr = 0;
    esiz = 0;
    extr = 0;
    kcls = 1;
    klbl = {length = 20, bytes = BYTE};
    mdat = "2021-10-05 05:08:54 +0000";
    modi = 0;
    musr = {length = 0, bytes = 0x};
    next = 1;
    pdmn = dk;
    perm = 1;
    persistref = {length = 0, bytes = 0x};
    priv = 1;
    sdat = "2001-01-01 00:00:00 +0000";
    sha1 = {length = 20, bytes = BYTE};
    sign = 1;
    sync = 0;
    tkid = "com.apple.setoken";
    tomb = 0;
    type = 73;
    "v_Ref" = "<SecKeyRef:('com.apple.setoken') TOKEN>";
    vrfy = 0;
    wrap = 0;
}

Describe the solution you'd like I'd love to have a source with a short description of the listed elements and what value corresponds to what configuration. Specifically the "Accessible" attribute.

Describe alternatives you've considered I've searched official Apple resources but couldn't find an elaboration on the keychain elements.

Additional context iOS 14.4

objection --gadget "com.target.app" explore
ios keychain dump
ios keychain dump_raw

objection: 1.11.0 frida-tools: 10.3.0 frida: 15.1.3

leonjza commented 2 years ago

The best I can recommend is that you open up Xcode and try and find the constants that correspond to those string key names. Historically this has been a pain for me as well. That said, this is a raw dump because it's the literal values from the keychain entry leveraging the .toString() method on it.

The ones with known kSec* constants can be seen in the list command here. Some of the kSec* constants can be found in the SecItem header.
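Worked example of the lookup leonjza describes, added here as an illustration; it is not part of the issue and not objection's own code. The script parses the NSDictionary description text that dump_raw prints and maps each four-letter key, and the values that are worth decoding (pdmn, accc, class, kcls, type, tkid and the boolean capability flags), to the kSec* constant names from Apple's SecItem.h. The tables cover only the keys that appear in the dump above; anything not in them, such as next, is reported as None rather than guessed. Note that the raw key "type" is kSecAttrType for password items and kSecAttrKeyType for class "keys", so it is only decoded when the item is a key. The sample input is constructed from the redacted dump posted in the issue.

```python
"""Decode the raw attribute keys of an `ios keychain dump_raw` entry."""
import re

# Raw attribute key -> kSec* constant, from Apple's SecItem.h / SecItemConstants.c.
# "type" is kSecAttrType for password items and kSecAttrKeyType for keys.
KSEC_ATTR = {
    "UUID": "kSecAttrUUID", "accc": "kSecAttrAccessControl",
    "agrp": "kSecAttrAccessGroup", "atag": "kSecAttrApplicationTag",
    "bsiz": "kSecAttrKeySizeInBits", "cdat": "kSecAttrCreationDate",
    "class": "kSecClass", "crtr": "kSecAttrCreator",
    "decr": "kSecAttrCanDecrypt", "drve": "kSecAttrCanDerive",
    "edat": "kSecAttrEndDate", "encr": "kSecAttrCanEncrypt",
    "esiz": "kSecAttrEffectiveKeySize", "extr": "kSecAttrIsExtractable",
    "kcls": "kSecAttrKeyClass", "klbl": "kSecAttrApplicationLabel",
    "mdat": "kSecAttrModificationDate", "modi": "kSecAttrIsModifiable",
    "musr": "kSecAttrMultiUser", "pdmn": "kSecAttrAccessible",
    "perm": "kSecAttrIsPermanent", "persistref": "kSecAttrPersistentReference",
    "priv": "kSecAttrIsPrivate", "sdat": "kSecAttrStartDate",
    "sha1": "kSecAttrSHA1", "sign": "kSecAttrCanSign",
    "sync": "kSecAttrSynchronizable", "tkid": "kSecAttrTokenID",
    "tomb": "kSecAttrTombstone", "type": "kSecAttrKeyType / kSecAttrType",
    "v_Ref": "kSecValueRef", "vrfy": "kSecAttrCanVerify", "wrap": "kSecAttrCanWrap",
}

# Values of kSecAttrAccessible (pdmn) and of the protection class printed inside a
# SecAccessControlRef. Trailing "u" means ThisDeviceOnly (never migrated to backups).
# kSecAttrAccessibleAlways ("dk") is deprecated since iOS 12.
ACCESSIBLE = {
    "ak": "kSecAttrAccessibleWhenUnlocked",
    "ck": "kSecAttrAccessibleAfterFirstUnlock",
    "dk": "kSecAttrAccessibleAlways",
    "aku": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    "cku": "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    "dku": "kSecAttrAccessibleAlwaysThisDeviceOnly",
    "akpu": "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
}
ITEM_CLASS = {"genp": "kSecClassGenericPassword", "inet": "kSecClassInternetPassword",
              "cert": "kSecClassCertificate", "keys": "kSecClassKey", "idnt": "kSecClassIdentity"}
KEY_CLASS = {"0": "kSecAttrKeyClassPublic", "1": "kSecAttrKeyClassPrivate", "2": "kSecAttrKeyClassSymmetric"}
KEY_TYPE = {"42": "kSecAttrKeyTypeRSA", "73": "kSecAttrKeyTypeECSECPrimeRandom"}
TOKEN_ID = {"com.apple.setoken": "kSecAttrTokenIDSecureEnclave"}
BOOL_ATTRS = {"decr", "drve", "encr", "extr", "modi", "perm", "priv", "sign", "sync", "tomb", "vrfy", "wrap"}

LINE_RE = re.compile(r'^\s*"?([A-Za-z_]\w*)"?\s*=\s*(.+?);\s*$')
ACCC_RE = re.compile(r'<SecAccessControlRef:\s*([a-z]+)(?:;([^>]*))?>')

# Constructed sample: the redacted dump from this issue, trimmed to a few keys.
SAMPLE = """{
    UUID = "ID";
    accc = "<SecAccessControlRef: aku;dacl(true)>";
    agrp = "APP";
    atag = {length = 62, bytes = TAG };
    bsiz = 256;
    class = keys;
    kcls = 1;
    next = 1;
    pdmn = dk;
    sign = 1;
    tkid = "com.apple.setoken";
    type = 73;
    "v_Ref" = "<SecKeyRef:('com.apple.setoken') TOKEN>";
}"""


def parse_description(text):
    """Turn the NSDictionary description printed by dump_raw into {raw key: raw value}."""
    entry = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, value = m.groups()
            entry[key] = value.strip('"')
    return entry


def decode_value(key, value, entry):
    """Best-effort meaning of one raw value; None when the tables have nothing for it."""
    if key == "pdmn":
        return ACCESSIBLE.get(value)
    if key == "class":
        return ITEM_CLASS.get(value)
    if key == "kcls":
        return KEY_CLASS.get(value)
    if key == "type" and entry.get("class") == "keys":
        return KEY_TYPE.get(value)
    if key == "tkid":
        return TOKEN_ID.get(value)
    if key == "accc":
        m = ACCC_RE.search(value)
        if m:  # protection class first, then the ACL constraints as printed
            prot, constraints = m.groups()
            return f"{ACCESSIBLE.get(prot, prot)}; constraints: {constraints or 'none'}"
    if key in BOOL_ATTRS:
        return "true" if value == "1" else "false"
    return None


def decode_entry(text):
    """Map every raw key to (kSec* constant or None, raw value, decoded meaning or None)."""
    entry = parse_description(text)
    return {k: (KSEC_ATTR.get(k), v, decode_value(k, v, entry)) for k, v in entry.items()}


def accessibility(text):
    """Both places the protection class shows up (pdmn and the SecAccessControl) and whether they agree."""
    entry = parse_description(text)
    pdmn = ACCESSIBLE.get(entry.get("pdmn", ""))
    m = ACCC_RE.search(entry.get("accc", ""))
    accc = ACCESSIBLE.get(m.group(1)) if m else None
    return {"pdmn": pdmn, "accc_protection": accc, "agree": (pdmn == accc) if accc else None}


if __name__ == "__main__":
    for key, (const, raw, meaning) in decode_entry(SAMPLE).items():
        print(f"{key:>10} = {raw:<45} {const or '?':<32} {meaning or ''}")
    print(accessibility(SAMPLE))
```

Run against the dump, the entry decodes as a private (kcls = 1) EC P-256 (type = 73, bsiz = 256) key held by the Secure Enclave token, with pdmn reporting kSecAttrAccessibleAlways while the SecAccessControl on the same item carries the aku (WhenUnlockedThisDeviceOnly) protection class; accessibility() surfaces that disagreement so you check both fields rather than only "Accessible".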