iOS 13

It is difficult to say when it actually happened, but iOS stopped syncing call logs and doesn’t sync them for the time being. But there is more. Apple Maps data has been moved to an encrypted container, similar to other protected data such as the iCloud keychain, iCloud Messages, Health and Screen Time data. It’s a strange move, as Maps data is not all that sensitive compared to other bits stored in secured containers. While we can still obtain it from the cloud, the procedure now relies on the process for extracting other end-to-end encrypted data, which means you have to use the password/passcode of one of the user’s devices.

Just in case: if you are curious about Screen Time, we are currently able to extract only part of the data from iCloud. This includes the passcode, family information, restrictions, etc. The most interesting data, such as app usage statistics, seems to sync directly across devices, but it’s not stored in the way that would allow us to extract it from the cloud. If you have more than one device and use the Share across devices option, just compare the statistics you see on the device it’s been collected from and how it appears on other devices on the account. The results are different. Moreover, some stats are not available at all, while there is some mysterious data from devices that have been disconnected from the account a long time ago. A lot of iPhone users reported similar problems:

Screen Time not ready for Prime Time
Phantom Screen Time Devices
Parent/Child Screen Time Bug – Incorrect Device Name

This can mean that such ‘direct’ syncing simply doesn’t work correctly. It is difficult to say whether it is an iOS 12/13 or iCloud bug, but we decided not to waste our time trying to obtain this data from iCloud. And btw, in iOS 13 the data related to Screen Time is also protected better than most of other data – it’s not enough just to have root privileges to access it.

macOS

Lockdown (pairing) records had always allowed to access passcode-protected devices. However, with the latest update, lockdown records are no longer accessible. Starting with maCOS 10.12, you had to to run the following command: sudo chmod 755 /private/var/db/lockdown .

With macOS 10.15.4, it doesn’t work anymore. Is there a workaround? Yes. Just disable System Integrity Protection by booting into Recovery mode, then start Terminal and run the following command: csrutil disable . Then reboot and access lockdown folder as you did before, e.g. to perform advanced logical acquisition of a locked iPhone using iOS Forensic Toolkit.

iCloud

iCloud authentication has changed again. However, this doesn’t really improve the security and privacy. I’ll give you some tips on how this affects the usage of authentication tokens in Elcomsoft Phone Breaker (https://www.elcomsoft.com/eppb.html).

Tokens extracted from iCloud for Windows 7 and later work only for accounts without two-factor authentication. With these tokens, you won’t be able to access the entire set of iCloud data. iCloud Photos are still accessible as well as certain synced categories, including contacts, calendars, notes, Safari browsing history, etc. (except end-to-end encrypted data, such as the Keychain, iCloud Messages or Health data). As for iCloud backups, you can only retrieve ones created by iOS versions older than iOS 11.2.

On macOS, the situation is slightly better. On macOS from 10.13 to 10.15, we can get the token for non-2FA accounts only; and for ones that have 2FA enabled, the token is, well, ‘tethered’ to the device it is obtained from, so you can authenticate with this token in Elcomsoft Phone Breaker only on the same Mac. The scope of the data that can be downloaded from the iCloud (regardless the account and token type) is the same as above: limited number of categories of synced data (without end-to-end encryption) and iCloud backups of devices with iOS up to 11.2. Fully ‘untethered’ tokens for 2FA accounts are only available in macOS 10.12 and older. In fact, we recently used a kind of vulnerability in iCloud protocol that allowed us to get such tokens even for 2FA accounts, but not anymore, sorry.

One more thing: some changes have been made even for accounts without 2FA. Due to these changes, Apple can now lock accounts after a single incorrect password attempt.

Conclusion

To obtain all the data from the user’s iCloud account, you’ll need the Apple ID, the password, the second authentication factor and the device passcode. If you have all of those, you can obtain virtually everything, including some of the data that is not available on the device itself. Do not underestimate this method, and remember that Elcomsoft Phone Breaker is the only product on the market that extracts all the data from iCloud including end-to-end encrypted categories.