This is for all those who are just kick-starting in the dazzling world of iOS penetration testing and hacking into iOS devices.
iOS Security Model
The Security Model consists of:
Secure Boot Chain
Generic native-language exploit mitigations:
1. Address Space Layout Randomization
2. Non-executable Memory
3. Stack-smashing Protection
Today we are only going to discuss the secure boot chain.
Secure Boot Chain
“Secure Boot Chain” is the term used to describe the process by which firmware is initialized and loaded on iOS devices at boot time. We can consider it the first layer of security of the platform.
It is considered the most sophisticated and important step for checking whether any file or component has been modified.
The secure boot chain goes like this:
When an iOS device is turned on, the processor executes the Boot ROM, which is read-only code built into the processor at the time of manufacturing.
The Boot ROM contains the public key of Apple’s Root CA, which is used to verify the integrity of the next step in the boot chain, the Low-Level Bootloader (LLB).
The LLB performs many setup tasks, including locating the iBoot image in flash memory.
The LLB maintains the secure boot chain by verifying the signature of the iBoot image; if the signature does not match, the device boots into recovery mode.
If the signature matches, iBoot, the second-stage bootloader, is responsible for verifying and loading the kernel, which in turn loads the UI for the user.
BOOT ROM → LLB → iBOOT → iOS KERNEL
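As an added example (not code from the original post), the chain above modelled in Go: a root public key stands in for the Apple Root CA key in the Boot ROM, each stage's signature is verified before control is handed to it, and a patched iBoot image trips the check in LLB. Ed25519 keys and the image contents are constructed stand-ins, not Apple's actual signing scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage is one firmware image in the chain plus the signature shipped with it.
type Stage struct {
	Name       string
	Image, Sig []byte
}

// SignStage is the vendor's build step: sign the image with the root private key.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, image)}
}

// BootChain walks BOOT ROM -> LLB -> iBOOT -> KERNEL, verifying each stage against
// rootPub (the Root CA key in Boot ROM); a bad signature stops the chain there.
func BootChain(rootPub ed25519.PublicKey, stages ...Stage) string {
	for _, s := range stages {
		if !ed25519.Verify(rootPub, s.Image, s.Sig) {
			return "recovery mode: bad signature on " + s.Name
		}
	}
	return "booted"
}

// Demo signs three constructed images, boots once untouched, once with patched iBoot.
func Demo() (clean, tampered string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	llb := SignStage(priv, "LLB", []byte("LLB image v1"))
	iboot := SignStage(priv, "iBoot", []byte("iBoot image v1"))
	kernel := SignStage(priv, "kernel", []byte("kernel image v1"))
	clean = BootChain(pub, llb, iboot, kernel)
	// Old signature over a modified image: the check in LLB must reject it.
	patched := Stage{Name: "iBoot", Image: []byte("iBoot image v1 (patched)"), Sig: iboot.Sig}
	tampered = BootChain(pub, llb, patched, kernel)
	return clean, tampered
}

func main() {
	clean, tampered := Demo()
	fmt.Println("clean:", clean, "| tampered iBoot:", tampered)
}
```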
No More Technical Explanation
Yes, I know the secure boot process is a bit hard to get your head around; please don’t worry, it is the same for all beginners.
Now let me make it easy for you to understand with a basic example.
Say, for instance, you booked a hotel table last night to have lunch today with your friend. You booked it and got a ticket for it (the ticket is the LLB). You reach the hotel and the manager asks for your ticket to verify the booking, and he verifies it (the manager is the Root CA). Your ticket has a number on it, which is your table number (the table number on the ticket is the signature, and the table is iBoot). You search for and find the table whose number matches the one on your ticket, sit down and order your tasty food, in the same way that iBoot verifies the kernel and loads the iOS UI.
It was just an example to make it clear!
When you lock and unlock your iPhone, it encrypts and decrypts your data on the go!