This is part two of my post on ProtonMail. The first section involved artifacts on Android. This post will deal with artifacts (lack thereof) on iOS v. 13.3.1.
So, after I finished having my temper tantrum about not finding any artifacts on device, I picked myself up and I got to business. Yes, ProtonMail on iOS 13.3.1 was disappointing after what was located in Android. However, for security purposes I suppose it is good news.
First, when I set up the ProtonMail account, I selected the 4096-bit encryption for the account. I used this account on my iPhone 7 device, running iOS 13.3.1. This device has been checkra1ned, and I utilized Magnet Acquire to obtain a FFS dump. I also utilized Elcomsoft's iOS Forensic Toolkit to obtain a FFS dump.
I placed the image files on my MacBook Pro, running macOS 10.15.6, to analyze the images. I navigated to private/var/mobile/Data/Application/5F9545AD-59AF-4E93-8593-965D11DC40C2. There are several folders here.
Under the folder Saved Application State/KnownSceneSessions there is a plist file, restorationInfo, that contains the following:
I admit that I do not know what these recovery keys are, but I thought someone may find this information useful. I dug deep into the ch.protonmail.protonmail without much luck.
I made a backup of the iPhone 7 device shortly after creating the ProtonMail and Threema Secure Messaging applications. I used iBackup Viewer, version 4.1600, to view the backup file. I selected the image view of the file tree. Within the backup folder is group.ch.protonmail.protonmail, which contains three files (see image below); however, these files cannot be exported. Therefore, I do not know what data they may contain.
After I had published the first blog post on ProtonMail, a good friend of mine suggested that I secure the ProtonMail addresses. I attempted to secure email@example.com via the app on the iPhone 7. I was directed to sign into the ProtonMail website. I signed into the ProtonMail website and went to my Account, Settings, to set up two-factor authentication. Interestingly enough, once I set this, I was presented with a Keys folder showing the 4096-bit RSA encryption key fingerprint (see image below).
I do not know enough about cryptography to know if this is of any benefit or not. I did find it interesting that this key appeared from the ProtonMail website.
Well, that is it for ProtonMail. I hope you will return to read my blog post on Threema Secure Messaging application. Till then….
Okay, well I got excited about this. I am still going to have to do some work. Anyway, while working on manually examining another application on Android, I discovered that a database is created if the user creates a backup within the application.
So I decided to apply this to ProtonMail. I archived three emails. Then I dumped the iPhone 7 running iOS 13.3.1 using Magnet Acquire to obtain a FFS dump. This device is checkra1ned.
Well, well, I am surprised. A protonmail.sqlite database was indeed created. The path is private/var/mobile/containers/shared/AppGroup/14DC-B381-D852-498F-9798-E8519EB6476B.
When I opened the database using DB Browser for SQLite, I was greeted with a familiar database, similar to what was seen on Android.
However, here is where I stopped with my excitement. When I copied what I thought was a Base64-encoded ZMESSAGEID, to my surprise, it does not appear to be Base64 encoding according to CyberChef.
If anyone recognizes this encoding please leave a comment. I checked the entropy and it does not appear to be encrypted. There appears to only be one timestamp.
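To make the three checks above repeatable (is the ZMESSAGEID value actually Base64, how much entropy does it carry, and what does the single timestamp decode to), here is an added Python example; it is not the author's code and it does not use the real protonmail.sqlite. It builds a constructed in-memory SQLite table whose Z-prefixed column names (ZMESSAGE, ZMESSAGEID, ZTIME) are assumed in the Core Data style, since the real schema is not reproduced on the page. The one fact it relies on is that Core Data stores dates as seconds since the Cocoa epoch (2001-01-01 UTC), which is how a lone REAL timestamp in such a table is usually decoded. The Base64 check is strict (alphabet, length and padding), and it separately tries the URL-safe alphabet, because a value with '-' or '_' fails a standard Base64 check in CyberChef while still being Base64.

```python
import base64
import binascii
import math
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores dates as seconds since the Cocoa epoch, 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Standard Base64 alphabet; '=' padding is only allowed at the end.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def is_base64(text: str) -> bool:
    """True only for well-formed standard Base64 (correct alphabet, length and padding)."""
    if not text or len(text) % 4 != 0 or not _B64_RE.fullmatch(text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify_encoding(text: str) -> str:
    """Distinguish standard Base64, URL-safe Base64 ('-' and '_' alphabet) and neither."""
    if is_base64(text):
        return "standard Base64"
    if is_base64(text.replace("-", "+").replace("_", "/")):
        return "URL-safe Base64"
    return "not Base64"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def cocoa_to_utc(seconds: float) -> datetime:
    """Convert a Core Data (Cocoa epoch) timestamp to a timezone-aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for protonmail.sqlite; schema and values are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZMESSAGEID TEXT, ZTIME REAL)"
    )
    conn.executemany(
        "INSERT INTO ZMESSAGE VALUES (?, ?, ?)",
        [
            (1, "aGVsbG8gd29ybGQ=", 600000000.0),                  # standard Base64 (constructed)
            (2, "2VWQLkRa8bnGtK_pQcZcG8n3UU9Q3A==", 600003600.0),  # URL-safe alphabet (constructed)
            (3, "3f9c2b7d-1a4e-4c6f-9b2d", 600007200.0),           # neither (constructed)
        ],
    )
    conn.commit()
    return conn


def analyze_messages(conn: sqlite3.Connection) -> list:
    """Return one dict per row: encoding verdict, entropy of the id, decoded timestamp."""
    results = []
    query = "SELECT Z_PK, ZMESSAGEID, ZTIME FROM ZMESSAGE ORDER BY Z_PK"
    for pk, msg_id, ztime in conn.execute(query):
        results.append({
            "pk": pk,
            "id": msg_id,
            "encoding": classify_encoding(msg_id),
            "entropy_bits_per_byte": round(shannon_entropy(msg_id.encode()), 3),
            "time_utc": cocoa_to_utc(ztime).isoformat(),
        })
    return results


if __name__ == "__main__":
    for row in analyze_messages(build_sample_db()):
        print(row)
```

To run it against a real extraction, replace build_sample_db() with sqlite3.connect() on a copy of the database and adjust the table and column names to whatever DB Browser for SQLite shows; entropy of a short printable identifier will sit well below 8 bits per byte whether or not it is encrypted, so treat that number as a hint, not a verdict, and compare it against a known-plaintext column of similar length.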
If anyone would like a copy of the database please email me. Thank you everyone for reading this research!! I promise a blog post is coming on Threema.