T1634.001 Keychain

Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users’ passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.

On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications to access only their own keychain items within that database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.[1][2]
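As an added illustration of the per-app keychain API described above (example code written for this page, not taken from ATT&CK or Apple), this Swift snippet stores a credential under the most restrictive keychain protection class, so the item remains bound to the user passcode and this device even if the encrypted database is copied off the device; the service and account names are hypothetical.

```swift
import Foundation
import Security

// Defensive use of the standard keychain API: the protection class chosen at
// write time decides what an extracted database yields. Items stored with
// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly are wrapped with a key that
// depends on the user passcode and the device hardware key, so a raw copy of
// the keychain database is not enough to decrypt them, and they are never
// migrated to another device or into backups.
enum KeychainStore {
    // Hypothetical identifiers used only for this example.
    static let service = "com.example.vpn"

    // Returns errSecSuccess on success, otherwise the Security framework status.
    static func save(account: String, secret: Data) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            nil,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            [.userPresence],        // user must authenticate before each read
            &error) else {
            return errSecParam
        }
        // Delete any older copy so the stricter protection class takes effect.
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(lookup as CFDictionary)

        var item = lookup
        item[kSecAttrAccessControl as String] = access
        item[kSecValueData as String] = secret
        return SecItemAdd(item as CFDictionary, nil)
    }

    // Reads the item back; iOS prompts for passcode/biometrics because of .userPresence.
    static func load(account: String) -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        return status == errSecSuccess ? result as? Data : nil
    }
}
```

On a device with no passcode set, `save` fails rather than silently falling back to a weaker class, which is the intended behaviour for a credential that should not survive database extraction.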

ID:             T1634.001
Sub-techniques: T1634.001
Tactics:        TA0031
Platforms:      iOS
Version:        1.1
Created:        01 April 2022
Last Modified:  20 March 2023

Procedure Examples

ID      Name       Description
S0463   INSOMNIA   INSOMNIA can extract the device’s keychain.[3]

Mitigations

ID      Mitigation
        Description

M1002   Attestation
        Device attestation can often detect jailbroken devices.

M1010   Deploy Compromised Device Detection Method
        Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.

M1001   Security Updates
        Apple regularly provides security updates for known OS vulnerabilities.

Detection

ID       Data Source           Data Component
DS0041   Application Vetting   API Calls
DS0013   Sensor Health         Host Status

References