Hardening modern iPhone against forensic tools

Note: This thread is constantly updated (until I die). Please scroll down to the very bottom for the latest news and tips.

This setup was tested with:

- Modern iPhone that is no more than 2 years old ✅
- iOS 18 ✅
- Windows 11 ✅
- External USB ✅
- iMazing ✅

-Utilize iCloud. You may hate the cloud for privacy, but this will come in handy later. Their cheapest plan is $2.99 for 200GB.

-Enable Advanced Data Protection. Advanced Data Protection makes subpoenas and search warrants to Apple nearly useless, unless there is something valuable in your Contacts app, Mail app, or generic account/device info. Without this enabled, forensic examiners can quickly have their hands on all of your valuable iCloud data. If you’re a US citizen, the Fourth Amendment is currently a joke and law enforcement abuses the “good faith” exception in court when they are caught doing sketchy things involving search and seizure/drafting overly broad search warrants. Read more about standard vs Advanced Data Protection here.

-(Optional) Delete the trace of your recovery key. When setting up Advanced Data Protection you should have been prompted for a recovery method. Obviously using a recovery contact is insecure, so the key would be the best option. But if there’s even a 0.01% chance of that photo/note of the recovery key getting obtained, let’s not take that risk. If we lose the data, we lose it. Oh well…

-Uncheck “Access iCloud Data on the Web”. There’s no good reason to have this enabled. You’re just exposing yourself to more extraction methods such as an iCloud extractor. To turn this off, navigate to Settings > iCloud+ then scroll down to the bottom.

-Use a third-party password manager instead of Keychain/the Passwords app. Limit the amount of data they can get their hands on from, let’s say, a “keychain extraction” by not utilizing it for every single one of your logins.

-Toggle USB accessories. This setting won’t really matter once we turn on Lockdown Mode.

-Use a long alphanumeric password. Assume a brute force is always possible and never use a short password. Forget about your “convenience”. Face ID should help with that.

-Disable Control Center access from the lock screen. Gets rid of certain attack vectors (AFU). We will later enforce this with a profile.

-Don’t display content in push notifications. Less visible data during a “take pictures of device” extraction.

-Frequently clear in-app caches if the setting is available. Clears up unwanted traces of activity.

-Follow up with an app delete after clearing the cache. Apps store data in multiple locations on iOS. This may or may not do the final cleanup. Make sure iCloud isn’t backing up the app data for that specific app as well. You may have to check that each time you reinstall it.

-Turn on Stolen Device Protection. This feature is a forensic nightmare. When enabled, you cannot do any of the following without biometric authentication:

  • Use passwords or passkeys saved in Keychain

  • Use payment methods saved in Safari (AutoFill)

  • Turn off Lost Mode

  • Erase all content and settings

  • Apply for a new Apple Card

  • View your Apple Card or Apple Cash virtual card number

  • Take certain Apple Cash and Savings actions in Wallet (for example, Apple Cash or Savings transfers)

  • Use your iPhone to set up a new device (for example, Quick Start)

  • Change your Apple Account password

  • Sign out of your Apple Account

  • Update Apple Account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact)

  • Add or remove Face ID or Touch ID

  • Change your iPhone passcode

  • Reset All Settings

  • Enroll in Mobile Device Management

  • Turn off Stolen Device Protection

-Turn off Significant Locations. Significant Locations gives forensic examiners that lovely map of all the places you’ve been with great detail. There are several other sources for location info as well. It’s best to just turn off Location Services, Bluetooth, Wi-Fi, Find My, etc. when they aren’t needed. All depends on what you’re willing to expose.

-Killswitch: a Shortcut with a cool lil button to quickly put your device in BFU.

-Lock all sensitive apps with Face ID. This will prevent snooping through your apps without biometric authentication. Do not use the hide app option. You don’t want to make certain apps stand out from others in case an extraction is successful.

-Do not allow your Apple Watch to unlock your iPhone. Opening up more attack vectors for no good reason.

-If you use SMS/iMessage, make sure they are backed up to iCloud. Set the expiry to 30 days so that only the most recent messages are stored locally and the cloud ones are protected by Advanced Data Protection. I have a theory that even when your device is seized, if this setting is on it’ll still delete the messages off your device once 30 days have passed regardless of internet connectivity/power off, but I may be wrong. May apply to Recently Deleted photos as well.

-Delete your Google account if you haven’t already. Self-explanatory…

-Supervise your iOS device(s). This will allow you to turn on important anti-forensics features that cannot be bypassed if set up correctly. You can even see Cellebrite cry about it in this PDF. I recommend using Apple Configurator on macOS or iMazing on Windows. Supervising will wipe your device, so be sure to back up to iCloud before proceeding.

-Create an MDM profile with the following payloads.

allowEnterpriseAppTrust = false
allowAppInstallation (IMPORTANT) = false
allowESIMModification = false
allowHostPairing (IMPORTANT) = false
allowiTunesFileSharing = false
allowLockScreenControlCenter = false
allowUIConfigurationProfileInstallation = false
forceAuthenticationBeforeAutoFill = true
forceEncryptedBackup (IMPORTANT) = true
forceITunesStorePasswordEntry = true
forcePreserveESIMOnErase = true
forceWiFiPowerOn = true
allowScreenShot = false
allowFilesUSBDriveAccess = false

-allowAppInstallation = false and allowHostPairing = false are the most important ones, as they block those sneaky forensic agents from being installed on the device if they somehow manage to overcome USB restrictions. You can remove the profile temporarily to install or update apps as needed. forceWiFiPowerOn will prevent the examiner from disabling Wi-Fi. I don’t think anything will be “forensically sound” with that setting on lol. Be sure to sign the profile with a certificate before installing it on your device(s).

-Since we are configuring MDM without using Apple Business Manager, the profile can be removed by simply resetting the device (wipes all data though) or with the device passcode. To prevent removal with the device passcode, make sure to configure a Profile Removal Password. I’d recommend typing some random gibberish 90-character password that you’ll forget about, since as long as you have the computer that configured the profile, you can just remove it from there via a USB connection.

-Turn on encrypted backups + Stolen Device Protection. This can be configured using iMazing/iTunes etc. Usually when forensic examiners come across an encrypted iTunes backup password, they will use “Reset All Settings” to remove it so programs like Cellebrite can set their own encryption password. But with Stolen Device Protection this action will require a security delay and Face ID. Face ID can also be used to lock apps, which combats the “taking pictures of everything that can be seen on the device” method. Stolen Device Protection should be configured with the security delay set to Always.

-Turn on Lockdown Mode. Lockdown Mode is needed to quickly lock down the USB port instead of relying on Apple’s non-configurable 1-hour time limit. If you lock your device, the USB connection will be restricted in about 10 seconds until unlocked again. No need to even use the power-button-5-times trick.

-Secure the PC where the MDM is managed. Since we are using a local MDM solution, your security relies on how safe your computer is. For Windows you should be using BitLocker with TPM + PIN + startup key protectors for max protection. Extra brownie points if you buy 10 USBs that are shaped like pens and put a fake startup key on 9 of them lol. Without the startup key, nothing can be brute-forced because there is no input for the PIN without the key being inserted first. You should also delete and disable the BitLocker recovery key for extra lulz. For MacBooks use FileVault and avoid using the same iCloud account as your phone.

This tutorial will be updated as new things are discovered. Please let me know if you have any suggestions or if I am wrong about a feature. Enjoy!

10 Likes
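The restrictions profile the post describes, as an added example that is not part of the original post and not Apple's or iMazing's own tooling. It builds the unsigned .mobileconfig with Python's plistlib from the post's key/value pairs (Apple's documented Restrictions payload keys, PayloadType com.apple.applicationaccess), adds a Profile Removal Password payload (com.apple.profileRemovalPassword) so the device passcode alone cannot remove it, and includes a check that refuses a profile missing the settings the post marks IMPORTANT. The identifier strings (local.example.*), display names and sample password are made up for illustration; UUIDs are regenerated on every run.

```python
#!/usr/bin/env python3
"""Build and sanity-check the restrictions .mobileconfig from the post.

Added example; not code from the original post or from Apple. Restriction
keys are Apple's documented Restrictions payload keys; the profile skeleton
and the removal-password payload follow the layout Apple Configurator emits.
Identifiers, display names and the sample password are made up.
"""
import plistlib
import uuid

# Values recommended in the post. Most of these are honoured only on a
# supervised device; an unsupervised iPhone ignores them.
RESTRICTIONS = {
    "allowEnterpriseAppTrust": False,
    "allowAppInstallation": False,        # no new apps, so no sideloaded agent
    "allowESIMModification": False,
    "allowHostPairing": False,            # no new USB pairings with a computer
    "allowiTunesFileSharing": False,
    "allowLockScreenControlCenter": False,
    "allowUIConfigurationProfileInstallation": False,
    "forceAuthenticationBeforeAutoFill": True,
    "forceEncryptedBackup": True,         # backups must carry a password
    "forceITunesStorePasswordEntry": True,
    "forcePreserveESIMOnErase": True,
    "forceWiFiPowerOn": True,
    "allowScreenShot": False,
    "allowFilesUSBDriveAccess": False,
}

# The settings the post marks IMPORTANT; check_profile() rejects a profile
# that lacks any of them.
CRITICAL = {
    "allowAppInstallation": False,
    "allowHostPairing": False,
    "forceEncryptedBackup": True,
}


def _payload(ptype, ident, name, **keys):
    """One payload dict with the common keys every payload needs."""
    return {
        "PayloadType": ptype,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        **keys,
    }


def build_profile(removal_password, overrides=None, org="local.example"):
    """Return the unsigned profile as XML plist bytes.

    overrides weakens individual restrictions (used only to show what
    check_profile() catches); removal_password=None omits the removal
    password payload.
    """
    settings = {**RESTRICTIONS, **(overrides or {})}
    content = [_payload("com.apple.applicationaccess",
                        f"{org}.restrictions", "Restrictions", **settings)]
    if removal_password is not None:
        content.append(_payload("com.apple.profileRemovalPassword",
                                f"{org}.removalpassword", "Removal Password",
                                RemovalPassword=removal_password))
    profile = {
        "PayloadContent": content,
        "PayloadDisplayName": "Anti-forensics restrictions",
        "PayloadIdentifier": f"{org}.antiforensics",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        # False plus a removal-password payload is Apple Configurator's
        # "With Authorization": the device passcode alone cannot remove it.
        "PayloadRemovalDisallowed": False,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data):
    """Return a list of problems; an empty list means the profile passes."""
    profile = plistlib.loads(data)
    content = profile.get("PayloadContent", [])
    merged = {}
    for p in content:
        if p.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(p)
    if not merged:
        return ["no com.apple.applicationaccess payload in profile"]
    problems = []
    for key, want in CRITICAL.items():
        if merged.get(key) is not want:
            problems.append(f"{key} must be {want}, found {merged.get(key)!r}")
    has_password = any(p.get("PayloadType") == "com.apple.profileRemovalPassword"
                       and p.get("RemovalPassword") for p in content)
    if not has_password and not profile.get("PayloadRemovalDisallowed"):
        problems.append("removable with the device passcode: add a removal password")
    return problems


if __name__ == "__main__":
    # Constructed sample password; use a long random one on a real device.
    blob = build_profile("replace-me-with-90-random-characters")
    assert check_profile(blob) == []
    with open("antiforensics.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("wrote antiforensics.mobileconfig; sign it before installing")
```

Running it writes antiforensics.mobileconfig. Sign that file before installing it (for example with `openssl smime -sign -in antiforensics.mobileconfig -out signed.mobileconfig -signer cert.pem -inkey key.pem -certfile chain.pem -outform der -nodetach`, assuming you hold a signing certificate and key in PEM form), then push the signed profile to the already supervised device with Apple Configurator or iMazing. Keep the computer that generated it safe: with the removal password gone from your memory, a USB connection from that machine is the only convenient way to lift the profile again for app updates.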

Just use GrapheneOS. It’s open and tested by even Cellebrite to break in, but so far no luck.

Apple is good in terms of UI/UX, I will not deny that. But they might push an update to a specific region like, for example, they did in Hong Kong to limit AirDrop to be used only after every 2 hrs and with only 5 persons. Not sure about the time. Because the government requested it.

If they are willing to keep their market there and comply with the government, then how would you trust them?

5 Likes

I use both and I split my threat model across the two. But a few major apps I use don’t work and the backup solution is not so straightforward. Sometimes “just use GrapheneOS” is not an option for people, so it’s good to share methods for other phones such as the modern iPhone + MDM combo.

7 Likes

Maybe I am in the wrong here, but why does HK legislation affect you if you do not live in HK?
Sure, Apple complies with these bad regimes, but if the same legislation is not applied in the EU for example, why does it, other than morally, affect the choice of phone there?

If you live in a country where privacy is not a right= Always GrapheneOS

If you live in a country in the EU, where legislation is somewhat privacy oriented in comparison=
GrapheneOS or if you want the UI/UX= iPhone

And if an EU-country changes the legislation for the worse= GrapheneOS

Thank you for the post. I’ve heard for a long time that Cellebrite is easily stopped by those who know what they are doing, but the details can be hard to find.

Forensic examiners currently acquire Google account data via Takeout requests (lol). If you want to see what potential data would be turned over, do a takeout request.

Do you have any details on how to prevent forensic acquisition of a Fedora laptop with LUKS2? If the laptop is turned on, but the decryption keys have been entered, how could the decryption keys be acquired? I guess you could do a RAM dump via a DMA port, but you can turn that off in settings.

On Windows, you can set it up to require TPM + PIN on hibernation, meaning you can’t sniff the TPM or anything.

How can I harden a linux computer in a similar way (require LUKS keys on screen unlock)?

Just don’t use phones at all and entirely avoid the risk /s

Different people consider different trade-offs, are in different situations, and have different threat models. While I think it makes sense to recommend using the best options, I don’t think that detracts from gaining more security in less than optimal systems. For those unable or unwilling to switch from iOS, such hardening guides are very useful.

4 Likes

I agree the more options the better. Plus checking around, iPhone SE 3rd edition refurbished is cheaper than any currently supported refurbished Pixels.

1 Like

Hi, thanks for the post! Is there a way to confirm that this is actually effective against Cellebrite?

I’m in the “reduce ewaste” camp, so I’m riding my old iOS phone until it kicks over dead or stops receiving updates.

3 Likes

AFAIK, the TPM bus is now encrypted in new Linux kernels above 6.9, not sure about the version number.

Maybe use Buskill ?

1 Like

Your best bet is to keep it completely off when not in use. Use a password with high entropy as well since Linux is more prone to the “high powered” brute force attacks.

Do note that certain US courts don’t keep biometrics on the same level as passwords and pins, and you can (and almost always will) be compelled to give your biometrics.

Is vulnerable during Windows updates. Here’s a nice exploration of this: How to access data secured with BitLocker? Do a system update

Be careful to choose laptops that are not vulnerable to TPM-sniffing attacks.

Some additional considerations for ADP:

  1. According to Apple, even when ADP is turned on, there are still some features that can be stored encrypted, but with Apple still holding the decryption keys. Specifically, these are iCloud Mail, Contacts, and Calendars.
  2. Also, metadata for photos, files, etc remains encrypted using Apple keys.

Thanks for the writeup, this will be helpful for my iOS friends!

Nope, they can’t prove it works unless it actually gets tested against forensic tools.

This EU, is this the same place that’s pushing for breaking encryption? Which has member states that force companies to log user activity because they were “climate activists”?

It’s naive to think EU is some paradise where birds walk around dropping encrypted pendrives all over the place. Use the best tools available if you can. If that’s iOS, use it. If it’s Graphene, use it. Don’t give too much weight to UI/UX and frills.

Apple can deny you service by removing applications from App stores, bricking your device, revoking access to their services, etc. Thinking it’s a HK problem and not an Apple ecosystem lock-in problem is not healthy.

3 Likes

TPM sniffing attacks on Windows only apply to the TPM-only setting for BitLocker. Using TPM + PIN or TPM + PIN + smart key stops these attacks. Why? The PIN is entered BEFORE releasing anything from the TPM.

Meaning there is nothing to sniff until the correct pin is entered.

2 Likes

From a US citizen perspective,

That is a very small and unlikely attack window for BitLocker. Your PC should be fully off when you are not in front of it and never used in a public area like Mr Silk Road did. TPM sniffing will be useless since we are using TPM + PIN + startup key. Touch ID is probably more enforceable than Face ID. Depends on your judge. Idk about you but no one is forcing me to open my eyes lol.

And if you follow each of the steps I listed, Face ID won’t even matter because nothing will be able to interact with your device. The only extraction available would be to take a picture/video from a second phone, which I’m not sure is forensically sound evidence. With this setup an AFU, BFU, logical, advanced logical, and full file system extraction are defeated, which are the only methods for modern iPhone until a new bootrom exploit is discovered.

1 Like

Yes. The Elcomsoft blog details a lot about how these extractions work. Although Cellebrite and GrayKey don’t often talk about their weaknesses publicly, Elcomsoft does, and there’s no reason to believe the methods between these companies are much different on iOS. You could easily browse through the jailbreak Reddit/Discord or the digital forensics Discord to see their capabilities. The most talked-about defeat was MDM on a device with no bootrom exploit (A12+) from my observation. Cellebrite and GrayKey have talked about every new iOS feature except Stolen Device Protection or Lockdown Mode. Maybe because they can’t make an article without explaining how much of a pain it is to them. When they announce “full support” for a new iOS, that doesn’t mean they can just break into it. It means they were successful on a device with none of the roadblocks I posted in place. They’re profiting off the jailbreak community, turning their work into some service that they get paid millions for. I hate to see them praised as some skilled company.

3 Likes

EU is not a country, but a group of countries. With that said, just because a few apples in a basket are bad, does not mean effectively that all of them are bad.
Pushing does not equal in effect. The EU pushes for a lot of stupid stuff, but not all of them get passed.
If you have a moral stand on iOS, be my guest, but please do not mistake your moral standpoint for general advice. As already stated, having no phone is better than using a phone with GrapheneOS, so why use GrapheneOS?

I am really not sure, but I reckon I would have heard from my iPhone friends, or read somewhere if Apple in recent years has blocked a commonly used app for the whole EU as per your suggestion. But as already stated, I could be wrong.
If that has been made for one of the bad apples, does not make it a general rule for all countries.
If I would live in such a country or move to HK even. My privacy measures would change accordingly.

I was using an iPhone 7 until last year. Worked just fine and I wanted to actually use it till it stopped working. Was planning to remove secure apps like password manager and use it just for calls, texts and quick browsing. Never had banking apps in it. Still using it as a secondary device for Signal calls. Would have still kept using if I wasn’t gifted a 6A.

iPhone 7 doesn’t support the latest iOS; if you want the most secure possible iPhone you need one that’s supported by the latest version, because Apple doesn’t backport all fixes.

Agree. I should have been more clear and quoted before I posted. I was simply supporting the above post on how I agree with the reducing waste part. I use an Android with a custom ROM that still receives updates and I’m aware that an iPhone 7 isn’t secure anymore. I was referring to the possibility that if I were to keep using an ip7 I would have done that, as I would have only used it for calls, texts and the odd browsing and forum logins. It’s still a perfectly working phone and I’d hate to see it go to waste. Based on what I generally do with a phone and how rarely I use it, I feel it would have been just fine.

1 Like