iPhone Espionage

October 31, 2011 by Keith Lee

There is a misconception that iPhones are protected by the iPhone passcode. This may be true for non-jailbroken iPhones, but not for jailbroken ones.

It is possible to have root access to the iPhone file system using tools from, even when the locked jailbroken iPhone is protected by the PIN.

This seems to be related to the way lockdownd works after an iPhone is jailbroken, an observation that has been around since the iPhone 3GS days (discussed in this article from May 2010: “iPhone’s PIN-Based Security Transparent to Ubuntu”).

All an attacker needs is 3 seconds with your phone and a USB cable to connect it to.
It could take even less time, depending on the speed of the computer as well as whether the attack is staged.

This would seem like an awesome attack vector, but it is only viable if you have physical contact with the iPhone or use some social engineering to get the victim to connect the iPhone to an embedded device (e.g. a mobile charger?).

Having root access to the iPhone file system means that the attacker is able to view and extract confidential data from your iPhone like emails, SMS, photos – basically everything on your iPhone, including cookies.

We are faced with an issue: how do we get our spy tools and binaries to run on the iPhone system during startup?

Typically, to register an executable so that it can run at startup, you will have to run the command
“launchctl load /System/Library/LaunchDaemons/”

However, since we do not have command line access to the system, we would not be able to use this method. We need to find an alternative solution to get our binaries to run at iPhone startup in the background.

Proof of Concept Spy Tools

There are a couple of proof of concept tools that I’ve made with the help of examples that I found online which could be used as a baseline to be modified for espionage use.

The source code and binaries of the tools can be found at

Tool Name and Description

  • kbhook2: Captures keystrokes from the iPhone keyboard and saves them to a text file.
  • location1: Captures GPS coordinates in the background.
  • sms1: Captures incoming SMS messages and forwards them to another mobile number.
  • takePicture: Activates the iPhone front camera in the background, takes a photo and saves it in the /tmp folder.
  • screenCapture: Takes a screenshot of the current iPhone screen so that we can monitor what the user is doing.
  • mic1: Activates the iPhone microphone and records a 30 second clip.
  • whatsapp1: Intercepts WhatsApp incoming and outgoing messages and forwards them to an email address.
  • demoScreenCapture1: Demo program which shows that the screenCapture tool can be automated to capture each and every screen of a particular iPhone application. When coupled with kbhook2, it is possible to get screenshots of the emails in an enterprise email iPhone application that provides data encryption and security, while the user is browsing through his/her emails.

Shrinking the Platform

It would attract too much attention if we were to connect the target’s iPhone to a computer and run the script. However, we could avoid suspicion by shrinking the entire attack environment to the size of your palm.

There are a couple of small hardware devices which support Linux, or in particular, Debian. Among these are the Raspberry Pi, Beagleboard, Nokia N900 and the Openmoko Freerunner. Alternatively, you can conceal it in the form of a USB charger or mobile charging stations.

Brian Markus and Joseph did a demo on this in Defcon Las Vegas 2011. A writeup can be found here

A mobile charging station found in Bangkok, Thailand

Summary of Steps

Below is a summary of what you need to do

  1. Install Debian/Ubuntu on the embedded device.
  2. Install the prerequisites using the script from
  3. Download and copy from onto /tmp1/ on your embedded device
  4. Modify
  5. Run the command “update-rc.d -f /tmp1/ start 99 2 3 4 5”
  6. Now, reboot the device and plug in your iPhone via the iPhone USB cable.
  7. Wait for the magic to happen.
  8. Look at /tmp1/DB for the data collected

Installing the Prerequisites

You will need to install the prerequisites below on a Debian/Ubuntu system. Alternatively, you can download the script from
and save yourself some trouble.

  • apt-get install libusb-dev usbmuxd libimobiledevice-dev libplist-dev libgnutls-dev build-essential libgnutls-dev libxml2-dev libreadline5-dev libgcrypt-dev libglib2.0-dev libplist-dev libusbmuxd-dev usbmuxd make automake autoconf libtool gcc python-dev git libfuse-dev libimobiledevice-utils libgtk2.0-dev libnautilus-extension-dev intltool libzip-dev -y
  • mkdir /tmp1 && cd /tmp1 && git clone
  • cd /tmp1/libiphone/ && ./configure && make && make install
  • git clone
  • cd /tmp1/ifuse/ && ./configure --prefix=/ && make && make install
  • wget
  • bunzip2 -d ideviceinstaller-1.0.0.tar.bz2 && tar xvf ideviceinstaller-1.0.0.tar && cd /tmp1/ideviceinstaller-1.0.0/ && ./configure && make && make install
  • wget
  • bunzip2 -d nautilus-ideviceinfo-0.1.0.tar.bz2 && tar xvf nautilus-ideviceinfo-0.1.0.tar && cd /tmp1/nautilus-ideviceinfo-0.1.0/ && ./configure && make && make install

Modifying the Script

The main tool working the magic is iFuse. iFuse takes care of mounting the root iPhone filesystem in Linux. The command that does the trick is “ifuse $mountPath --root”.

I have written a script which, when run, monitors USB connections looking for an Apple device. When an Apple device is connected, it will mount the root iPhone filesystem and then copy out predetermined databases like Google Maps, cached information, iPhone call history, SMS data, Cell Tower location database, and so on. The script also extracts device-related information and the list of installed applications on the iPhone in a matter of seconds.

You can also uncomment some lines in the script to copy some spy tools to the iPhone and also execute them either at startup or at specific times of the day.

The script can be found at

If you want to hook directly into the functions of iPhone applications, like what I did with WhatsApp, you are looking at something called an iPhone tweak. You would need to copy the binary to /tmp1/TransferDynLibraries so that it is copied over to /Library/MobileSubstrate/DynamicLibraries when the script detects an iPhone being connected.

If you want to run something in the background of the iPhone at all times or at specific times, you are looking at something called an iPhone tool. You will need to copy the binary to /tmp1/TransferStartup so that it is copied over to /usr/bin on the iPhone when the script is running.

iPhone Daemons

Daemons are system processes that run in the background of the system. These system processes are started when the iPhone boots up. If we want to run our spy tool at startup or at certain intervals of the day, we need to identify the plist of a redundant daemon to overwrite.

There is a list of redundant daemons, already registered on the iPhone by Apple, which seem fairly safe to delete or replace in our case in order to run our own malicious binaries.

The list of safe to delete/replicate daemons include but are not limited to 


Hiding behind the existing plist files by replacing them makes the change slightly harder to detect. Normal users do not check the contents of the LaunchDaemons.

Modifying the Launch Daemons

The plist file for a LaunchDaemon has 3 types of launch options

  1. Run at Load
  2. Run at Load and Launch Only Once
  3. Start At Certain Interval

In order to stay beneath the radar, I would choose the 3rd option as 1 and 2 would slow down the iPhone significantly during startup.

Below are the contents of an original  

Below are the contents of a modified which calls our malicious binary /usr/bin/sql2. I have configured the daemon to run daily at 4.01am.
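Seen from the forensic side, a replaced daemon plist shows up as a changed program path and a changed schedule. The following is an added example, not the author's code: it compares LaunchDaemons plists copied from a device against a known-good baseline and reports exactly those changes. The labels, file names and baseline path are hypothetical; /usr/bin/sql2 and the 4.01am schedule are the values quoted above.

```python
import plistlib

# launchd keys behind the three launch options listed above.
SCHED_KEYS = ("RunAtLoad", "LaunchOnlyOnce", "StartInterval", "StartCalendarInterval")

def summarize(raw):
    """Reduce a launchd plist (XML or binary) to what it runs and when."""
    p = plistlib.loads(raw)
    args = p.get("ProgramArguments") or []
    program = p.get("Program") or (args[0] if args else None)
    return {"program": program, "schedule": {k: p[k] for k in SCHED_KEYS if k in p}}

def audit(baseline, current):
    """Compare {filename: plist bytes} from a known-good image with the device copy."""
    findings = []
    for name in sorted(current):
        if name not in baseline:
            findings.append((name, "plist not present in baseline"))
            continue
        old, new = summarize(baseline[name]), summarize(current[name])
        for field in ("program", "schedule"):
            if old[field] != new[field]:
                findings.append((name, f"{field} changed: {old[field]} -> {new[field]}"))
    findings += [(n, "plist missing from device") for n in sorted(set(baseline) - set(current))]
    return findings

# Constructed sample data (hypothetical labels and baseline paths).
BASELINE = {
    "com.example.unused.plist": plistlib.dumps(
        {"Label": "com.example.unused", "ProgramArguments": ["/usr/libexec/exampled"],
         "RunAtLoad": True}),
    "com.example.other.plist": plistlib.dumps(
        {"Label": "com.example.other", "Program": "/usr/libexec/otherd"}),
}
DEVICE = dict(BASELINE)
DEVICE["com.example.unused.plist"] = plistlib.dumps(
    {"Label": "com.example.unused", "ProgramArguments": ["/usr/bin/sql2"],
     "StartCalendarInterval": {"Hour": 4, "Minute": 1}}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for name, what in audit(BASELINE, DEVICE):
        print(f"{name}: {what}")
```

Because the label and file name stay the same after a replacement, the comparison keys on the file name and looks only at the executable path and the scheduling keys.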

Developing an iPhone Tweak

In the below example, I’ll show how easy it is to develop an iPhone tweak which intercepts the incoming and outgoing messages in WhatsApp.

Most iPhone applications have enabled debug mode in the application so that users can report bugs to the software company.

You will need to connect your iPhone to your Mac, start Xcode and then launch Organizer. The debug messages are invaluable to us as they tell us which class and method to hook. This makes our development work even easier.

THEOS is a very useful tool made by Dustin L. Howett, and it makes jailbroken iPhone development so much easier compared to using Xcode. The installation guide for THEOS can be found here

You will need the below

  1. Mac with Snow Leopard or Lion with Xcode
  2. Jailbroken iPhone
  3. THEOS
  4. Crackulous from Cydia
  5. WhatsApp
  6. Class-Dump (

What you need to do

  1. Install THEOS
  2. Run Crackulous on the iPhone and select WhatsApp
  3. SCP the cracked version of WhatsApp from your iPhone to your Mac. It should be stored in the /private/var/root/Documents/Cracked/ folder on your iPhone
  4. Unzip the decrypted ipa file
  5. Navigate to Payload >
  6. Open Info.plist.
  7. Take note of the “Bundle Identifier”
  8. mkdir /Headers
  9. Run “Class-Dump -H WhatsApp -o Headers/”
  10. Under XMPPConnection.h you should see a method called “processIncomingMessages:(id)arg1”
  11. After installation of THEOS, navigate to /opt/theos/bin
  12. Run “sudo ./”
  13. Select Option 5 for Tweak
  14. Key in a project name
  15. cd <ProjectName>
  16. Edit Tweak.xm and fill in the below details
  17. What the code does is hook the “processIncomingMessages:(id)arg1” method in the XMPPConnection class. The %log command logs information about the call, methods, names and arguments to the system log. The %orig command makes a call to the original function with the original arguments.
  18. Edit <projectname.plist> and overwrite the data and replace it with the below information.
  19. Run “make”
  20. Go to obj folder and copy <projectname.dylib> to /Library/MobileSubstrate/DynamicLibraries on your iPhone.
  21. Alternatively you can run “export THEOS_DEVICE_IP=XX.XX.XX.XX” and run “make package && make install” to install the dylib to your iPhone via SSH.
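Every tweak installed this way, or dropped in by the transfer script described earlier, ends up as a .dylib with a companion filter .plist in /Library/MobileSubstrate/DynamicLibraries, which gives an examiner one directory to inventory. The following is an added example, not the author's code: it hashes each library in a mounted image, reads which bundle IDs its filter targets, and marks hashes that are not on a known-good list. The file names, the bundle ID com.example.chat and the sample contents are constructed.

```python
import hashlib
import plistlib
import re
from pathlib import Path

# Directory named in the article, relative to the root of the mounted image.
SUBSTRATE_DIR = "Library/MobileSubstrate/DynamicLibraries"

def filter_bundles(raw):
    """Bundle IDs a filter plist targets (XML, binary or old-style text)."""
    try:
        bundles = plistlib.loads(raw)["Filter"]["Bundles"]
    except Exception:  # not XML/binary: fall back to the old-style text syntax
        m = re.search(rb"Bundles\s*=\s*\(([^)]*)\)", raw)
        bundles = [t.strip(b' "\r\n\t').decode() for t in m.group(1).split(b",")] if m else []
    return sorted(b for b in bundles if b)

def inventory(image_root, known_good):
    """Hash every injected library and report which apps it loads into."""
    report = []
    folder = Path(image_root) / SUBSTRATE_DIR
    for dylib in sorted(folder.glob("*.dylib")):
        digest = hashlib.sha256(dylib.read_bytes()).hexdigest()
        plist = dylib.with_suffix(".plist")
        targets = filter_bundles(plist.read_bytes()) if plist.exists() else []
        report.append({"dylib": dylib.name, "targets": targets,
                       "sha256": digest, "known": digest in known_good})
    return report

def build_sample(root):
    """Constructed sample image: one expected tweak, one unexpected one."""
    folder = Path(root) / SUBSTRATE_DIR
    folder.mkdir(parents=True)
    (folder / "theme.dylib").write_bytes(b"constructed expected library")
    (folder / "theme.plist").write_bytes(
        plistlib.dumps({"Filter": {"Bundles": ["com.apple.springboard"]}}))
    (folder / "logger.dylib").write_bytes(b"constructed unexpected library")
    (folder / "logger.plist").write_bytes(b'{ Filter = { Bundles = ( "com.example.chat" ); }; }')
    return {hashlib.sha256(b"constructed expected library").hexdigest()}
```

An entry with `known` set to False whose targets include a messaging or mail application is the first thing to pull for closer analysis.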


Are you allowing jailbroken iPhone devices in your organization? How are you managing these mobile devices? Are you able to ensure the integrity of these devices and ensure that they have not been compromised?

The author of this article can be contacted at keith.lee2012[at], via twitter @keith55 or via his blog at


Keith Lee is a researcher for InfoSec Institute and an Independent Security Professional with nearly a decade of IT industry experience. He has been a speaker at HackInTheBox and was published at Hakin9. He also occasionally contributes to Metasploit. You can reach Keith on Twitter at @keith55, via email at keith.lee2012[at] He also has a blog: