28 May, 2015

Exploration of the Apple Watch Backup Files

by Seth Law & Jerrick Davis

The release of the Apple Watch has opened many lines of research for the wider security community. While a jailbreak of Apple’s newest device is not yet available, there are hints of privacy issues and possible security flaws. Areas that merit scrutiny include the way the watch communicates with an iPhone (using both Bluetooth and WiFi) and how a synced iPhone delivers an updated image to the watch. This post reviews one reliable method of determining how the watch operates and communicates with various applications and devices.

One of the first available insights into Apple’s new piece of wearable technology is through the backups of that device. This gives us an understanding of what unique items are stored on the device. This is especially useful with an Apple Watch since there are no direct communications between the device and the system backing it up. All data transmitted to and from your wrist runs through the synced iPhone.

Given that Apple Watch backups are stored on the iPhone, an attacker with access to the local iPhone backup or the offline iTunes backup may be able to cause havoc. Important information such as Passbook, email, voicemail, contact and device identifier data is all stored unencrypted in the watch backup, which is then rolled into the iPhone backup.

Since we are focusing on the Apple Watch backup files, this post does not review the location or deciphering of iOS device backup files. Others have covered this in great detail and any search engine can show the work that has already been done in this area.

Assuming you have a backup of an iPhone synced with an Apple Watch, opening it in one of the available iOS backup analyzers will show the following structure. We will be using iExplorer (http://www.macroplant.com/iexplorer/) as the analyzer during this post.

The first step to exploring the relevant backup files is to build a list of associated devices. This is done by decoding the property list in the /HomeDomain/Library/DevicesRequest.state/properties.bin file. This file details the metadata about paired watches, including the date the device was first paired with the iPhone and the GUID needed to find other stored information.

In addition, there are further details about the watch including device name, model number, and the system build version, all of which may be useful when identifying physical devices.

Further exploration shows that the secureProperties.bin property list, also found in the DeviceRegistry.state directory, contains additional sensitive data, including the watch’s serial number, UDID, SEID, and wireless MAC address.


Meanwhile, within the associated HomeDomain/Library/DeviceRegistry/ directory there is more information that needs to be explored. At first glance, there are more than a few points of interest.

Today we will explore the two highlighted folders. First, the NanoAppRegistry folder contains a full listing of the apps installed on the watch. The plist files (don’t be fooled by the .dat extension) reveal the specific versions of the different applications, but don’t contain much other useful information. This will most likely be the spot for application data storage once native Apple Watch applications are released.
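As an added example (not code from the original post), the following Python script walks an extracted backup tree, loads every .bin, .dat and .plist file as a property list whatever its extension (covering properties.bin, secureProperties.bin and the NanoAppRegistry .dat files discussed above), and reports which files carry identifier-like keys such as serial number, UDID, SEID and MAC address. The key names and values in demo() are constructed assumptions, not real watch data.

```python
import plistlib
import re
import tempfile
from pathlib import Path

SENSITIVE_KEY_RE = re.compile(r"serial|udid|seid|mac", re.IGNORECASE)  # serial, UDID, SEID, MAC

def walk(obj, prefix=""):
    """Yield (dotted.key, value) for every leaf of nested dicts and lists."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk(val, f"{prefix}{idx}.")
    else:
        yield prefix.rstrip("."), obj

def find_sensitive(plist_obj):
    """Sorted dotted keys whose last component looks like a device identifier."""
    return sorted(k for k, _ in walk(plist_obj) if SENSITIVE_KEY_RE.search(k.split(".")[-1]))

def scan_backup(root):
    """Map each plist under root (relative POSIX path) to the sensitive keys it holds."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in (".bin", ".dat", ".plist"):
            continue
        try:
            with open(path, "rb") as fh:
                obj = plistlib.load(fh)  # .bin/.dat here are plists; XML or binary auto-detected
        except (plistlib.InvalidFileException, ValueError):
            continue  # extension matched but the file is not a parseable plist
        keys = find_sensitive(obj)
        if keys:
            report[path.relative_to(root).as_posix()] = keys
    return report

def demo():
    """Scan a constructed secureProperties.bin; key names are assumed, values are fake."""
    sample = {"name": "Example Watch", "serialNumber": "SAMPLE-SERIAL-0000",
              "UDID": "00000000-0000-0000-0000-000000000000", "SEID": "SAMPLE-SEID",
              "wirelessMACAddress": "00:11:22:33:44:55"}
    with tempfile.TemporaryDirectory() as tmp:
        reg = Path(tmp, "HomeDomain", "Library", "DeviceRegistry.state")
        reg.mkdir(parents=True)
        with open(reg / "secureProperties.bin", "wb") as fh:
            plistlib.dump(sample, fh, fmt=plistlib.FMT_BINARY)
        (reg / "junk.dat").write_bytes(b"not a plist")  # exercises the skip path
        return scan_backup(tmp)
```

Point scan_backup() at the root of a decrypted, extracted backup to get an inventory of which files would leak identifiers if the backup itself were left unencrypted.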

Next up, the NanoPasses directory stores relevant details about all stored information in the Passbook application on the watch.

We start exploration with the nanopasses.sqlite3 database, which contains a list of all Passbook passes included on the device and can be helpful in identifying Apple Pay credit cards.

Further digging into the pkpass files shows the nitty-gritty details of Passbook cards, including cardholder name, the last 4-5 digits of the credit card number, expiration date, and Apple’s primary account identifier for Apple Pay cards. Exposure of these files reveals some credit card details, but that alone is not enough information to initiate credit card fraud.

There is obviously more information within each directory associated with the Apple Watch, but most seem fairly innocuous at this point. Once Apple releases the SDK for custom applications on the watch, developers will begin storing increasing amounts of data on the watch, which will result in an increase of mobile device data storage issues as seen with other versions of iOS.

The overall takeaway from this analysis is the importance of encrypting those pesky iPhone backups, if you weren’t already doing so. Remember, security is all about vigilance and if Apple does not encrypt by default, at least it provides the option to do so.