Apple Service Toolkit 2 0
This week at Apple’s developer conference WWDC, Apple announced a new feature, “Sign In with Apple” enabling users to sign in to apps using their Apple ID. This new feature is positioned as a secure and privacy-friendly way for users to create an account in apps. Most iOS and Mac users already have an Apple ID, and this new feature lets them use that Apple ID to sign in to other apps and websites.
- Apple Service Toolkit 2 Download
- Apple Service Toolkit 2 0 App
- Apple Service Toolkit 1
- Apple Service Toolkit 2
- Apple Service Toolkit 2 Ast 2
Science Purchase Computer Service Toolkit, Includes 23-in-1 Screwdriver, Wire Stripper, Long Nose Pliers, IC Inserter/Extractor, PLCC IC. OWC Express USB 2.0 Enclosure, and OWC 5 Piece Toolkit DIY Drive Upgrade Kit. Sold by FastMedia. Centenex Electronics Battery & Deluxe Toolkit for Apple iPod Nano 7th Gen A1446 616-0639 616-0640 NEW. YESCOO 5PCS MacBook Repair Tool Kit P5 Pentalobe Screwdriver, T5 Torx and PH000 Phillips Screwdriver Flat Head 2.0 Screwdriver with Nylon Spudger for MacBook Pro & MacBook Air with Retina Display 4.5 out of 5 stars 125.
- 500GB New Sata 2.5' Hard Drive for Apple MacBook & MacBook pro. 4.0 out of 5 stars worth the extra 4 bucks above the cost of a mac mini logic board removal tool by itself. This toolkit had the right size screw to take the case off, the right Y shaped screw to take the battery out, and the right star shapped screw (it was one of the.
- About Apple Service Diagnostic v2.6.3 Dual Bootable CD: Apple Service Diagnostic CD is designed to run both Open Firmware and Mac OS X tests from a single CD. Apple Service Diagnostic (OF) performs low-level tests of hardware directly and does not require an operating system to run.
- DOWNLOAD: Service Toolkit - AST OS 5 10.7.2 MacOSX (Update ) 2.05 GB There is no documentation with this.
If this sounds a lot like “Sign in with Facebook” or “Sign in with Twitter”, that’s because it is! This is Apple’s way of providing a way for users to sign in to apps without having to rely on an external identity provider like Facebook or Twitter.
Apple is taking a firm stance to protect user’s privacy with this new feature. Rather than letting apps see the user’s real email address, they will provide the app with a proxy email address unique to each app. App developers will still be able to send emails to the proxy addresses, it just means developers won’t be able to use the email addresses to correlate users between apps, and it also means users can shut off email forwarding per app.
The Sign In with Apple Flow
Let’s take a look at how this new flow works using your Apple ID to sign in to a website.
It starts with a button in the app or website labeled “Sign In with Apple”.
Clicking on this button will take the user to the Apple sign-in screen.
If the user has two-factor authentication enabled then they will have to confirm this login from another device.
And enter the two-factor auth code.
Finally, the user will see a prompt confirming that they want to sign in to this application using their Apple ID.
Clicking “Continue” will take the user back to the app where they will be signed in!
How Sign In with Apple Works (Hint: it uses OAuth and OIDC)
Thankfully, Apple adopted the existing open standards OAuth 2.0 and OpenID Connect to use as the foundation for their new API. While they don’t explicitly call out OAuth or OIDC in their documentation, they use all the same terminology and API calls. This means if you’re familiar with these technologies, you should have no trouble using Sign in with Apple right away!
Let’s walk through building a short sample application that can leverage Apple’s new API to sign users in. You should be able to translate this code to your language of choice relatively easily once you see the requests being made.
The hardest part of this whole process is registering an application in the Apple Developer Portal. Typically, OAuth providers have a relatively straightforward process to register a new application which will give you a client ID and secret. But since Apple’s API is tied to their whole iOS app ecosystem, it’s a bit more complicated. They’ve also opted to use a public/private key client authentication method rather than a traditional client secret. But don’t worry, we’ll go through this step by step.
At the end of this process, you’ll end up with a registered client_id
(which they call a Service ID), a private key downloaded as a file, and you’ll verify a domain and set up a redirect URL for the app.
First, sign in to the Apple Developer Portal and click on Certificates, Identifiers and Profiles.
Create an App ID
From the sidebar, choose Identifiers then click the blue plus icon.
Choose App IDs in this first step.
In the next screen, you’ll choose a description and Bundle ID for the App ID. The description isn’t too important, but type something descriptive. The Bundle ID is best when it’s a reverse-dns style string.
In this example, I’m using lol.avocado
since the domain this app will be running on is avocado.lol
.
You’ll also want to scroll down through the list of capabilities and check the box next to Sign In with Apple.
Go ahead and confirm this step.
Create a Services ID
The App ID in the previous step is a sort of way to collect things about this app. It seems redundant when you’re only making a simple web app login experience like this example, but it makes more sense once you have a native app and web app that you want to tie together under a single login experience.
The Services ID will identify the particular instance of your app, and is used as the OAuth client_id
.
Go ahead and create a new identifier and choose Services IDs.
In the next step, you’ll define the name of the app that the user will see during the login flow, as well as define the identifier which becomes the OAuth client_id
. Make sure to also check the Sign In with Apple checkbox.
You’ll also need to click the Configure button next to Sign In with Apple in this step. This is where you’ll define the domain your app is running on, as well as define the redirect URLs used during the OAuth flow.
Make sure your associated App ID is chosen as the Primary App ID. (If this is the first App ID you’ve made that uses Sign In with Apple, then it will probably already be selected.)
Enter the domain name your app will eventually be running at, and enter the redirect URL for your app as well. If you want to follow along with this blog post, then you can use the placeholder redirect URL https://example-app.com/redirect
which will catch the redirect so you can see the authorization code returned.
It’s worth noting that Apple doesn’t allow localhost
URLs in this step, and if you enter an IP address like 127.0.0.1
it will fail later in the flow. You have to use a real domain here.
Go ahead and click Save and then Continue and Register until this step is all confirmed.
Ok! At this point, you now have an App ID container to hold everything, and you’ve created a Services ID which you’ll use as your OAuth client_id
. The Identifier you entered for your Services ID is your OAuth client_id
. In my example, that is lol.avocado.client
.
Create a Private Key for Client Authentication
Rather than using simple strings as OAuth client secrets, Apple has decided to use a public/private key pair, where the client secret is actually a signed JWT. This next step involves registering a new private key with Apple.
Back in the main Certificates, Identifiers & Profiles screen, choose Keys from the side navigation.
Click the blue plus icon to register a new key. Give your key a name, and check the Sign In with Apple checkbox.
Click the Configure button and select your primary App ID you created earlier.
Apple will generate a new private key for you and let you download it only once. Make sure you save this file, because you won’t be able to get it back again later! The file you download will end in .p8
, but it’s just text inside, so rename it to key.txt
so that it’s easier to use in the next steps.
Lastly, go back and view the key information to find your Key ID which you’ll need in the next step.
Alright, that was a lot, but we are now ready to start writing some code! If you ran into any trouble, try checking out Apple’s documentation in case anything has changed since the publication of this blog post.
Generate the Client Secret
Rather than static client secrets, Apple requires that you derive a client secret yourself from your private key. They use the JWT standard for this, using an elliptic curve algorithm with a P-256 curve and SHA256 hash. In other words, they use the ES256 JWT algorithm. Some JWT libraries don’t support elliptic curve methods, so make sure yours does before you start trying this out.
The Ruby JWT library supports this algorithm, so we’ll use that to generate the secret.
First, make sure you’ve got Ruby installed, and then install the JWT gem by running this from the command line:
Now the jwt
gem should be available for use. Fill in the missing values at the top of this file, and save it as client_secret.rb
. You should already have the client_id
value from the previous step. You’ll also need your Apple Team ID. This is displayed in a few places, but the most convenient is in the top right corner of the screen. Use the Key ID you found in the previous step.
client_secret.rb
This code generates a JWT using the ES256 algorithm which includes a handful of claims. This JWT expires in 6 months, which is the maximum lifetime Apple will allow. If you’re generating a new client secret JWT every time a user authenticates, then you should use a much shorter expiration date, but this allows us to generate the secret once and use it in our sample apps easily.
Now you can run this from the command line and it will output a JWT.
This is described in Apple’s documentation Generate and validate tokens.
Begin the OAuth 2.0 Flow
Now that we’ve got a client secret, we can actually begin the OAuth flow! For this step, we’ll create a simple PHP file that will handle both the beginning of the flow as well as the redirect step.
Go ahead and create a file called index.php
with the following contents, filling in the values for your own application.
index.php
Now you can start building the URL that the user will go visit to start the flow. First, you’ll generate a random state
value and save it in the session. Then you’ll use your app’s configured values to create a URL that the user can visit. These parameters should all look familiar to you if you’ve used OAuth or OpenID Connect before.
I couldn’t find any documentation on which URL to use as the authorization endpoint, or even whether these were the right parameters, but thankfully the rest of the API looked like OAuth so I was able to figure it out despite the missing docs.
Now you can create a link the user can click to log in.
Of course, you should probably use the recommended button provided by Apple so that it looks a bit nicer than this text link, but this is good enough for now.
You can run this app now using the built-in PHP web server!
Once that’s running, you can visit http://127.0.0.1:8080
in your browser and you should see your sign-in link!
Handle the OAuth Redirect
Before you click Sign In, you should set up the mechanism for handling the redirect back from Apple.
Add the following code to index.php
above the line $_SESSION['state'] = bin2hex(random_bytes(5));
.
This is a handful of code, so let’s walk through it.
if(isset($_POST['code']))
First, we check for the presence of the authorization code in the query string which indicates that Apple has completed the initial step and sent the user back to the app.
Next, we verify the state
parameter matches the one we set at the beginning. This is to protect your app against CSRF attacks.
Then we’re ready to exchange the authorization code for an access token. Again this will look familiar if you’ve written OAuth code before.
This request is actually documented on Apple’s website, although as of this writing, their docs have a couple of typos. The typos make it look like Apple has done something non-standard with the parameter names, but in reality, the OAuth parameters work properly.
This uses a helper function http()
that we need to define, so go ahead and add the following to the bottom of your index.php
file.
One particularly tricky thing I noticed while testing this is that Apple requires the presence of a User-Agent
header in the HTTP request, otherwise, it returns a 403
error and an HTML web page. This is not documented in their API, because I’m guessing this check happens at their API gateways before the request hits the real backend server.
At this point, assuming everything worked, you can output the response from this and see what Apple has returned!
Let’s try this out for reals now.
Try Sign In with Apple Now!
Click the “Sign In with Apple” button, and you’ll be taken to the Apple sign-in screen.
You should see the name of your app and a placeholder icon. Enter your Apple ID and password.
If your Apple ID has two-factor auth enabled, you’ll be prompted for that as well.
It does seem to prompt for two-factor auth every time you log in to an app, which is definitely secure, but can be a little frustrating especially while testing.
Once you confirm that, you’ll see a screen asking if you would like to continue signing in to the app.
Note: You will only see this permissions screen the very first time you log in with this App ID. In subsequent logins, you’ll see a confirmation prompt like the below.
If you want to reset this so that you see the permissions screen and get the name and email back from Apple, visit your Apple ID App Security page and revoke your application.
Now click Continue and you’ll be redirected to your redirect URL! If you entered the placeholder https://example-app.com/redirect
URL then you’ll see a message like this.
Since Apple sends a POST request to the redirect URL, you’ll have to actually set up a redirect handler yourself to catch the values, since the authorization code will likely expire before you can copy it out of this debug screen.
Once you’ve set up the sample code above and registered your own redirect URL, your app will exchange the authorization code for an access token and ID token, and will show the output on the screen!
The last step to getting the user’s info is to decode the ID token. Since in this example we used response_type=code
to get the ID token, the ID token was obtained via the back channel, which means we don’t need to worry about validating the JWT signature of the ID token. We can just parse out the middle claims section and read the data directly.
The sub
value in the claims is the unique identifier for the user. It’s notable that this value doesn’t mean anything in particular, which is Apple’s way of preserving user privacy. You can store this value in your own database now, and use it to determine whether the same user logged back in a second time.
You can also find the user’s email or proxy email in the claims as well.
Note: Apple will send the user’s name and email in the form post response back to your redirect URL. You should not treat these values as authoritative, because like the OAuth Implicit flow, the data cannot be safely trusted at this point. Unfortunately Apple does not return the user’s name in the ID token where it would be safe to trust. Thankfully they do return the user’s email address that way, so that’s where you should get it from.
You can find the complete code from this tutorial on GitHub!
Changelog
- August 23, 2019: Updates to the sample code and blog post to adapt to Apple’s new requirement of using the
response_mode=form_post
parameter, as well as details on getting the user’s name and email address. okta.github.io#3022. - Jun 7, 2019: Updates to the sample code based on some new implementation experience. Added screenshot of the permissions screen asking to hide the email address. You can see the changes to this article in okta.github.io#2924.
- Jun 10, 2019: Fixed typo in
client_secret.rb
Learn More about OAuth 2.0 and OpenID Connect
If you’d like to learn more about OAuth, check out the links below!
If you have any questions about this post, please add a comment below. For more awesome content, follow @oktadev or subscribe to our YouTube channel. If you’re interested in other security-focused articles like this, please check out our new security site as well.
Category: «Elcomsoft News», «Mobile», «Tips & Tricks»
1 11 2 - 14
It’s been a week since Apple has released iOS 14.2 as well as iOS 12.4.9 for older devices. Just a few days later, the developers updated the checkra1n jailbreak with support for new devices and iOS versions. What does that mean for iOS forensics? Let’s have a look; we have done some testing, and our discoveries are positively consistent with our expectations. Just one exception: to our surprise, Apple did not patch the long lasting vulnerability in iOS 12.4.9 that leaves the door open to full file system extraction and keychain acquisition without jailbreaking.
iOS 14.2
Over 100 new emoji, that’s the deal! On a serious note, iOS 14.2 brings a lot of improvements and fixes; please pay attention to the security content.
At this time, there are no known vulnerabilities or publicly available exploits in iOS 13.5.1 and newer. For devices running these versions, you only have the following options:
- Extended logical acquisition (backups, media files, shared files, diagnostics logs)
- Cloud acquisition
- checkra1n jailbreak, followed by the full file system and keychain acquisition
We have successfully tested Elcomsoft iOS Forensic Toolkit (extended logical acquisition) and Elcomsoft Phone Breaker (cloud acquisition) with the new iOS 14.2. No issues found, all the data has been extracted successfully.
As for the checkra1n, the devil is in the details, please keep reading. But a bit on yet another iOS update first.
iOS 12.4.9
As you know, iPhone 5s and iPhone 6 (there are still millions of these devices on the market) did not receive iOS 14 or even iOS 13. For these devices, Apple continues maintaining the iOS 12 branch, thus releasing iOS 12.4.9. No notable improvements were found, but have a careful look at iOS 12.4.9 security content. Our biggest surprise was that this iOS release does not patch any of the system vulnerabilities that allowed us to implement the file system extraction and keychain acquisition without jailbreaking for iPhone 5s and iPhone 6, which makes our tool covering most iOS versions these device can run (see iOS Extraction Without a Jailbreak: Finally, Zero-Gap Coverage for iOS 9 through iOS 13.5 on All Devices).
checkra1n 0.12
The biggest news last week is not iOS updates though, but the new checkra1n release.
Despite the fact that the checkm8 exploit is a hardware-based one and “cannot be patched by Apple” as many forensic vendors love to say, iOS 14 partially fixed it; more information here.
Still, checkra1n developers were able to implement full iOS 14 support for iPhone 6s and iPhone SE (first generation). And the latest version of checkra1n 0.12 beta has the following major improvements:
- Official support for iOS 14.1 and 14.2
- Official support for A10/A10X devices on iOS 14.x
- Limited support for A11 devices on iOS 14.x (Options > Skip A11 BPR check)
Confused about A10/A11 and how the SoC names are related to iPhone and iPad models? Consult to our Apple Mobile Devices Cheat Sheet.
In other words: checkra1n now also fully supports not just the iPhone 6s and iPhone SE, but also iPhone 7 and 7 Plus, as well as some iPad models (6th and 7th gen and iPad Pro 2nd gen). All of that, including iOS 14.1 and 14.2 that have been just released.
What about the iPhone 8 (8 Plus) and iPhone X? They received only partial support. More on that below.
macOS issues
Before we proceed further, please note that the checkra1n jailbreak is only available for macOS and Linux. iOS Forensic Toolkit also works more reliably and has extended functionality on macOS, although we have the Windows version too. Two major features that are not available in the Windows version:
We recommend using macOS 10.13 (High Sierra) or 10.14 (Mojave) for iOS Forensic Toolkit. The tool is compatible with macOS 10.15 (Catalina) and 11.0 (Big Sur) as well, but there is one extra step in the product installation: you have to clear the quarantine flag from the iOS Forensic Toolkit image before installation. Also, there are some nuances on using the lockdown/pairing records for extended logical acquisition of locked devices. Please read the Installing and using iOS Forensic Toolkit on macOS 10.15 Catalina before contacting our technical support saying “hey, it does not work”.
BFU acquisition (and iPhone X issues)
Noted the Limited support for A11 devices on iOS 14.x in checkra1n 0.12 release notes? It applies to iPhone 8 and iPhone X (no iPads based on that SoC, btw). That means that you can only install checkra1n on devices that do not have the passcode set, which has the following forensic consequences:
- If you know the passcode, you have to remove it first to perform the file system extraction and keychain acquisition. Note that removing the passcode has some important consequences; see The Worst Mistakes in iOS Forensics
- If the passcode is not known and you want to perform BFU acquisition, you are out of luck.
In case if you are not familiar with BFU: it means “Before First Unlock”, and this term is not official. BFU acquisition is intended for the case when the phone is locked with an unknown passcode. Thanks to checkra1n, you can still extract some data from the device, such as account information, list of installed apps, message drafts, some media files, and even parts of the keychain, see BFU Extraction: Forensic Analysis of Locked and Disabled iPhones. Moreover, some iOS apps leave their data unencrypted (and so available in BFU mode), detailed in Snapchat – A False Sense Of Security? by James Duffy.
One more thing. If you perform BFU acquisition, please do not forget to set the port number (in the iOS Forensic Toolkit script) to 44 instead of 22. Speaking technically, by the time when the checkm8 exploit completed its work and the user partition is mounted (but Cydia is not installed, so no OpenSSH), only the DropBear SSH client is active on the devices. For some reason, it opens SSH on port 44 instead of the default 22.
Testing
We have tested iOS Forensic Toolkit on the following configurations:
- iPhone 7 (A1778), iOS 14.2, BFU (passcode is not known)
- iPhone 7 (A1778), iOS 14.2, AFU (passcode entered)
- iPhone X (A1901), iOS 14.2, AFU (passcode is not set)
We spent considerable time testing the new iOS builds and the new version of checkra1n to make sure that everything works as intended on both Windows and macOS, the extracted files open successfully in Elcomsoft Phone Viewer and Forensic Forensic Detective, and there are no further surprises.
As noted above, for the iPhone 7 it is still possible to perform BFU extraction of devices locked with an unknown passcode. In this case, you do not receive the full file system (as a solid part of it is still encrypted), but something is better than nothing. On our test device, we obtained 12 GB of data (counting the system files though) in BFU mode, compared to about 40 GB of the full file system image. In case if you curious, standard (iTunes-style) backup takes about 17 GB (no system files there).
Apple Service Toolkit 2 Download
For the iPhone 8 and iPhone X, even the limited extraction is no longer possible. If the device is running 14.0 to 14.2 and the passcode is not known, there is nothing we can do. Still, checkra1n is very useful for these devices as it allows to perform the file system and keychain acquisition of unlocked devices.
To summarize, we obtained the results we were hoping for. Sometimes, checkra1n did not work from the first try (although we followed the checkra1n Installation Tips & Tricks carefully). We had to reboot MacBook and the device occasionally (otherwise iOS Forensic Toolkit failed to connect, and it is not clear it that that was a problem of macOS or our software).
Apple Service Toolkit 2 0 App
Conclusion
Apple Service Toolkit 1
If you are a forensic expert, you might be hoping for a step-by-step manual covering all possible combinations of devices and operating systems. For example, we have not covered the USB restricted mode issues; fortunately, the new checkra1n still ignores USB restrictions, allowing to perform the partial acquisition or locked and disabled devices. We are working on a guide like that. For now, we know the following:
- If the device is unlocked (passcode known or not set), use Agent acquisition if possible; this is the most safe, easy and forensically sound method available.
- if Agent acquisition is not available or the passcode is not known, use checkra1n (BFU/AFU)
- If neither Agent nor chechra1n are compatible with your device, you are limited to extended logical acquisition.
- If the passcode is not known and the device is not vulnerable to the checkm8 exploit, all you can do is cloud acquisition (or request the data from Apple). You may receive even more data than counted above.
Apple Service Toolkit 2
Apple Service Toolkit 2 Ast 2
1 11 2 - 14