iOS Forensic Toolkit 6.50: jailbreak-free extraction without an Apple Developer Account

The macOS edition of Elcomsoft iOS Forensic Toolkit 6.50 drops the requirement for using a paid Apple Developer account when extracting the file system and decrypting the keychain from a compatible iPhone or iPad device. The new release also adds jailbreak-free agent-based extraction for iOS versions up to and including iOS 13.5.

Elcomsoft iOS Forensic Toolkit 6.50 for Mac adds the ability to perform jailbreak-free extraction from a wide range of compatible iPhone and iPad devices while dropping the requirement for registering as an Apple Developer. The new feature requires a Mac. In addition, the new release adds jailbreak-free extraction for iOS versions up to and including iOS 13.5.

Historically, iOS users and forensic experts had been able to install (“sideload”) third-party apps by using an ordinary, often throwaway Apple ID for signing the binary. Cydia Impactor was frequently mentioned in this context, but alternatives also existed. In November, 2019, Apple made a server-side change to their provisioning service, effectively blocking the sideloading mechanism for all but the users of a paid Apple Developer account. Since then, nothing but a paid Apple Developer or an even costlier Enterprise account could be used to sign sideloaded binaries.

Jailbreak-free extraction utilizes an Elcomsoft-developed extraction agent. Agent-based extraction provides numerous benefits compared to the traditional extraction method based on jailbreaking the device, being a safer, faster, and more robust alternative.

Agent-based extraction had one major drawback, requiring an Apple account registered in the Apple Developer program. We even created a blog article explaining why a Developer Account is needed. Utilizing an Apple account registered in the Developer program allows both signing sideloaded apps and skipping the on-device signature verification which would otherwise require connecting the device to the Internet.

iOS Forensic Toolkit 6.50 running on a macOS computer removes this limitation completely, once again allowing experts to use throwaway Apple IDs for extracting the file system and decrypting the keychain from compatible iPhone and iPad devices. However, if one already has an Apple Developer account, we recommend continuing using that account to sideload the extraction binary due to the tangible benefits of this approach.

Release notes:

  • Added jailbreak-free extraction without an Apple Developer account (Mac version only)
  • Agent-based extraction (file system and keychain) for iOS 13.3.1, 13.4, 13.4.1 and 13.5
  • Minor improvements and bug fixes

其他