iTunes retains a surprising amount of sensitive information on a computer after syncing with an iPhone. By default, it’s not encrypted and that could be a problem.
It started out with a friend’s request for help. His iPhone is at the bottom of one of Minnesota’s 10,000 lakes. He doesn’t have MobileMe or his contacts backed up to any type of address book. To make matters worse, he does not want another iPhone.
That’s why he called me, asking if I could retrieve his list of contacts. I know iTunes saves it, I just didn’t know where. After some searching, I found what I was looking for:
C:\Documents and Settings\”username”\Application Data\Apple Computer\MobileSync\Backup
I looked in that folder. Wow, that’s a lot of files. Next step is to figure out how to open them, at least the ones with contact information. The following slide is small portion of what I found:
Side note: Mac users please forgive me. My friend is an adamant PC user, hence the focus of this article. This link describes where the databases can be found on Mac computers.
Since there were only three .plist files, I thought I would look at them first. I remember reading that .plist files are written using XML and can be opened with a web browser or text editor. I opened the .plist files with Notepad to see what I could find. Info.plist was the only one of interest because it contained the following information:
- ICC-ID: Integrated Circuit Card ID or serial number of installed SIM card
- IMEI: International Mobile Equipment Identity or the serial number of the baseband processor
- Phone number
- Serial number of the iPhone
- Product version and product type
That’s valuable information, but not what my friend wanted, so on to the other files.
That meant trying to figure out what the files were with the same name, but different extensions. After a bit of searching, I came across an Apple Examiner article that explained everything. Evidently, the file name is a SHA1 hash of the file’s full path on the iPhone. The article also mentions that the files are SQLite databases. The .mdinfo file contains metadata information about what is contained in the .mddata file.
The next step was to see if I could find a way to read the .mddata files. Fortunately, I found SQLite Database Browser. Now I’m all set, except where to start. There are over 1000 files, so back to the Internet. I found an article by the Hampton Roads Geek community that listed exactly what I wanted.
What I found
The blog saved me a lot of guess work as it pointed out the following pertinent .mddata files:
Contact List: 31bb7ba8914766d4ba40d6dfb6113c8b614be442.mddata
- This was the file that saved my friend. It has an abundance of information. Contact names, email addresses, and phone numbers are the most important ones.
I decided to see what else I could find on the .mddata files mentioned in the Hampton Roads Geek Community article. To be honest, there is more information available than I had thought:
SMS Log: 3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata
- As you can see below, the SMS log records every text message and the phone number. The date may seem a bit odd. It’s in Unix time or the number of seconds since January 1, 1970. The flag field allows you to determine if the message was sent or received. The number two indicates a received message and the number three a sent message.
Call Log: ff1324e6b949111b2fb449ecddb50c89c3699a78.mddata
- The call log lists the phone number, date, duration, and whether the call was incoming or outgoing.
Notes database: 740b7eaf93d6ea5d305e88bb349c8e9643f48c3b.mddata
- I really did not expect much from the Notes database. I changed my mind when I opened the file. My friend had several entries including passwords and personal information. As you can see, he even referenced his next oil change.
Thinking about my iPhone security
I personally do not keep any data on my computers. It’s all stored on encrypted flash drives. I now realize that’s not the case. Due to my iPhone, I have sensitive information stored in Documents and Settings. My initial solution was to move the backup folder to my encrypted flash drive. But it’s not a good solution, as I have to remember to move the folder after every sync.
Before I moved the folder, I decided to sync my iPhone. Talk about being embarrassed. There it was, right in the options on the Summary tab. A checkbox titled “Encrypt iPhone backup” with an option to change the password.
The Apple iPhone OS Enterprise Deployment Guide states:
“Device backups can be stored in encrypted format by selecting the Encrypt iPhone Backup option in the device summary pane of iTunes. Files are encrypted using AES128 with a 256-bit key. The key is stored securely in the iPhone keychain.”
Sounds good to me, I checked the box and initiated a backup. After the sync was completed, I decided to see what the encrypted files looked like. The first example below is of a .mdinfo file before being encrypted:
The next example was the same file after being encrypted:
Out of curiosity, I checked to see if info.plist was encrypted as well. It wasn’t. I wanted to make sure I mentioned this as you will have to decide how much of a risk that is.
I mentioned what I learned to an IT colleague. She said it wasn’t that big of a deal. Someone would need physical and security access to the computer in question. That’s true, but entirely possible. Also, there could be malware specifically developed to steal the critical .mddata files.
Either way, my friend is now happy and I am encrypting my backups. I also wanted to share my new-found knowledge with you, just in case you want to do the same.