Add SecAttrAccessControl printing functionality #72
Conversation
|
I've had a number of folks open various issues having issues with Keychain-Dumper on newer iOS releases and such. Given the PR, I'd assume you aren't able to use it successfully? I can take a look at the change proposed here, but would also appreciate any feedback around any hurdles you've experience and what you have had to do to workaround them. Thanks! |
|
@ptoomey3 It works fine on both 14.5 and 15.1, people just don't know how to use it. I remember that I've encountered similar problem to #71 on my second pc and simple switch to Theos SDK resolved the problem. Today I compiled it both with iOS 16.1 SDK and iOS 14.5 Theos SDK without any issue, both Macs are Apple Silicon. Application works without any issue on iOS 15.1 (palera1n) and iOS 14.5 (checkra1n). Don't have any higher devices to check. Many people are reporting to have problem with compilation and the fact that if you add asterisk or too many keychain-access-groups keychain_dumper does not work - which is true and the solution is simply add less groups to entitlement and not use asterisk. I will try to add another PR with updated compilation and usage instructions soon. Below screenshot from tool working on iOS 15.1 on iPad: |
| }else if ([accessControlString rangeOfString:@"cpo(DeviceOwnerAuthentication)"].location != NSNotFound) { | ||
| printToStdOut(@"%sSecAccessControl flag: .userPresence%s\n", KRED, KWHT); | ||
| }else if ([accessControlString rangeOfString:@"cup(true));odel(true)"].location != NSNotFound) { | ||
| printToStdOut(@"%sSecAccessControl flag: .devicePasscode%s\n", KRED, KWHT); |
There was a problem hiding this comment.
I'm not super familiar with the values of this access control string. Googling, I notice that all of these are listed here. These line up one to one, except for the "watch" type. Is it worth adding or maybe you don't have access to a watch to figure out what the magic string is to match on for that one?
There was a problem hiding this comment.
Oh yeah, I must've omitted that as I didn't need that personally. Hopefully I will have more time this week, so I try to commit this and compilation instruction.
|
Hello @ptoomey3, |
|
Nice! I'll take a look at this sometime this week and hopefully get it merged. |
Hi,
Adding functionality to quickly check SecAccessControl flags. This allows checking whether key requires password, biometry to be set or whether it should only respect current biometry settings and remove key when biometry settings were changed.