The first step in exploring the relevant backup files is to build a list of associated devices. This is done by decoding the property list in the /HomeDomain/Library/DevicesRequest.state/properties.bin file. This file details the metadata about paired watches, including the date the device was first paired with the iPhone and the GUID needed to find other stored information.
In addition, there are further details about the watch, including device name, model number, and the system build version, all of which may be useful when identifying physical devices.
Further exploration shows that the secureProperties.bin property list, also included in the DeviceRegistry.state directory, holds additional sensitive data, including a watch’s serial number, UDID, SEID, and Wireless MAC Address.
Meanwhile, within the associated HomeDomain/Library/DeviceRegistry/ directory there is more information that needs to be explored. At first glance, there are more than a few points of interest.
Today we will explore the two highlighted folders. First, the NanoAppRegistry folder contains a full listing of the apps installed on the watch. The plist files (don’t be fooled by the .dat extension) reveal the specific versions of the different applications, but don’t contain much other useful information. This will most likely be the spot for application data storage once native Apple Watch applications are released.
Next up, the NanoPasses directory stores relevant details about all stored information in the Passbook application on the watch.
We start exploration with the nanopasses.sqlite3 database, which contains a list of all Passbook passes included on the device, which can be helpful in identifying Apple Pay credit cards.
Further digging into the pkpass files shows the nitty-gritty details of Passbook cards, including cardholder name, the last 4-5 digits of the credit card number, expiration date, and Apple’s primary account identifier for Apple Pay cards. Exposure of these files can reveal some credit card details, but those details alone are not enough information to initiate credit card fraud.
There is obviously more information within each directory associated with the Apple Watch, but most seem fairly innocuous at this point. Once Apple releases the SDK for custom applications on the watch, developers will begin storing increasing amounts of data on the watch, which will result in an increase of mobile device data storage issues as seen with other versions of iOS.
The overall takeaway from this analysis is the importance of encrypting those pesky iPhone backups, if you weren’t already doing so. Remember, security is all about vigilance and if Apple does not encrypt by default, at least it provides the option to do so.
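The check below is an added example, not code from the original post: it reads a backup's Manifest.plist to see whether the backup is encrypted, then looks up the two property lists named above by their hashed file names and lists any top-level keys that are readable. It assumes backup files are named by the SHA-1 of "Domain-relative/path" (stored flat or under a two-character subfolder); build_sample_backup and the keys and values it writes are constructed for the demonstration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Paths inside HomeDomain, as written in the article above.
WATCH_PLISTS = (
    "Library/DevicesRequest.state/properties.bin",
    "Library/DeviceRegistry.state/secureProperties.bin",
)

def file_id(domain, rel_path):
    """Backup file name: SHA-1 of 'Domain-relative/path'."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode()).hexdigest()

def locate(backup, rel_path, domain="HomeDomain"):
    """Find a file in a flat or two-character-sharded backup layout."""
    fid = file_id(domain, rel_path)
    for candidate in (backup / fid, backup / fid[:2] / fid):
        if candidate.is_file():
            return candidate
    return None

def audit_backup(backup, rel_paths=WATCH_PLISTS):
    """Report encryption status and which watch plists are readable."""
    backup = Path(backup)
    with open(backup / "Manifest.plist", "rb") as fh:
        encrypted = bool(plistlib.load(fh).get("IsEncrypted", False))
    exposed = {}
    for rel in rel_paths:
        path = locate(backup, rel)
        if path is None:
            continue
        try:
            with open(path, "rb") as fh:
                exposed[rel] = sorted(plistlib.load(fh))  # key names only
        except Exception:
            pass  # ciphertext or not a plist: nothing readable
    return {"encrypted": encrypted, "exposed": exposed}

def build_sample_backup(encrypted=False):
    """Constructed sample backup (made-up key and value) for offline runs."""
    root = Path(tempfile.mkdtemp())
    (root / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": encrypted}))
    body = plistlib.dumps({"sampleKey": "sample-value"}, fmt=plistlib.FMT_BINARY)
    if encrypted:
        body = bytes(b ^ 0x5A for b in body)  # stand-in for ciphertext
    (root / file_id("HomeDomain", WATCH_PLISTS[1])).write_bytes(body)
    return root
```

Point audit_backup at a real backup folder to confirm that an encrypted backup reports no readable watch property lists.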