ProtonMail on iOS

This is part two of my post on ProtonMail. The first part covered artifacts on Android. This post deals with the artifacts (or lack thereof) on iOS 13.3.1.

So, after I finished having my temper tantrum about not finding any artifacts on the device, I picked myself up and got to business. Yes, ProtonMail on iOS 13.3.1 was disappointing after what was found on Android. However, from a security standpoint I suppose that is good news.

First, when I set up the ProtonMail account, I selected 4096-bit encryption for the account. I used this account on an iPhone 7 running iOS 13.3.1. The device has been checkra1ned, and I used Magnet Acquire to obtain a full file system (FFS) dump. I also used Elcomsoft's iOS Forensic Toolkit to obtain an FFS dump.

I placed the image files on my MacBook Pro, running macOS 10.15.6, to analyze them. I navigated to private/var/mobile/Data/Application/5F9545AD-59AF-4E93-8593-965D11DC40C2. There are several folders here.

Under the folder Saved Application State/KnownSceneSessions there is a plist file, restorationInfo, that contains the following:

I admit that I do not know what these recovery keys are, but I thought someone might find this information useful. I dug deep into ch.protonmail.protonmail without much luck.

I made a backup of the iPhone 7 shortly after setting up the ProtonMail and Threema Secure Messaging applications. I used iBackup Viewer, version 4.1600, to view the backup file, selecting the image view of the file tree. Within the backup folder is group.ch.protonmail.protonmail, which contains three files (see image below); however, these files cannot be exported. Therefore, I do not know what data they may contain.

After I had published the first blog post on ProtonMail, a good friend of mine suggested that I secure the ProtonMail addresses. I attempted to secure l.hermesdorf4n6@protonmail.com via the app on the iPhone 7 and was directed to sign in to the ProtonMail website. I signed in to the website and went to Account, Settings, to set up two-factor authentication. Interestingly enough, once I set this up I was presented with a folder named keys, which showed me the 4096-bit RSA encryption key fingerprint (see image below).

I do not know enough about cryptography to know whether this is of any benefit or not. I did find it interesting that this key appeared on the ProtonMail website.

Well, that is it for ProtonMail. I hope you will return to read my blog post on the Threema Secure Messaging application. Till then….

UPDATE

Okay, well, I got excited about this. I am still going to have to do some work. Anyway, while manually examining another application on Android, I discovered that a database is created if the user creates a backup within the application.

So I decided to apply this to ProtonMail. I archived three emails. Then I dumped the iPhone 7 running iOS 13.3.1 using Magnet Acquire to obtain an FFS dump. This device is checkra1ned.

Well, well, I am surprised. A protonmail.sqlite database was indeed created. The path is private/var/mobile/containers/shared/AppGroup/14DC-B381-D852-498F-9798-E8519EB6476B.

When I opened the database using DB Browser for SQLite, I was greeted with a familiar database, similar to what was seen on Android.

However, here is where my excitement stopped. When I copied what I thought was a Base64-encoded ZMESSAGEID into CyberChef, surprise: according to CyberChef it does not appear to be Base64 encoded.

If anyone recognizes this encoding, please leave a comment. I checked the entropy, and the value does not appear to be encrypted. There appears to be only one timestamp.
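The Base64 and entropy checks above can be scripted rather than pasted into CyberChef one value at a time. This is an added example, not the author's tooling, and the sample values are constructed rather than taken from the protonmail.sqlite database. It tests the standard and URL-safe Base64 alphabets separately, because a value that uses "-" and "_" fails a standard-alphabet decode even though it is perfectly good Base64, and it shows that passing a decoder is not proof of Base64 (a hex string passes too).

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample values for illustration only; none is a real ProtonMail message ID.
SAMPLES = {
    "base64_std": "SGVsbG8sIFByb3Rvbk1haWwh",  # "Hello, ProtonMail!" in standard Base64
    "base64_url": "SGVsbG8_IFdvcmxkLQ",        # URL-safe alphabet, padding stripped
    "hex": "48656c6c6f",                        # "Hello" as hex; also a valid Base64 string
    "unknown": "abc-DEF_123=xyz",               # '=' mid-string: well-formed under nothing here
}


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty or one-symbol string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_base64(value: str, urlsafe: bool = False) -> bool:
    """Strict well-formedness check for one Base64 alphabet; trailing padding is optional."""
    alphabet = r"[A-Za-z0-9_-]" if urlsafe else r"[A-Za-z0-9+/]"
    if not re.fullmatch(rf"{alphabet}+={{0,2}}", value):
        return False
    body = value.rstrip("=")
    if len(body) % 4 == 1:  # no byte string encodes to a group remainder of 1 char
        return False
    padded = body + "=" * (-len(body) % 4)
    if urlsafe:  # normalize to the standard alphabet so b64decode can validate it
        padded = padded.translate(str.maketrans("-_", "+/"))
    try:
        base64.b64decode(padded, validate=True)
    except binascii.Error:
        return False
    return True


def classify_encoding(value: str) -> dict:
    """Report which encodings `value` is well-formed under, plus its entropy."""
    return {
        "base64": is_base64(value),
        "base64url": is_base64(value, urlsafe=True),
        "hex": bool(re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value)),
        "entropy_bits_per_char": round(shannon_entropy(value), 3),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:11} {sample!r:30} {classify_encoding(sample)}")
```

A value that is well-formed under both alphabets (purely alphanumeric) or under both hex and Base64 is ambiguous by construction, so the report should be read as "consistent with", not as a definitive identification.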

If anyone would like a copy of the database, please email me. Thank you, everyone, for reading this research!! I promise a blog post is coming on Threema.

2 thoughts on “ProtonMail on iOS”

  1. Very good work. You have more patience than I. Have you considered running the phone dumps through other tools for comparison? That would be the ultimate thing to be able to do. A side by side of all of the tools. But $$$$

