Accessing keychain items with "ThisDevice" protection class #46

Closed
ptoomey3 opened this issue Sep 17, 2019 · 6 comments

@ptoomey3
Owner

I received an email from someone asking if I knew how to dump credentials from Google Authenticator, as the user was trying to move to a new phone and had a ton of TOTP codes stored. They noticed that the elements in Google Authenticator weren't accessible. They also mentioned that it appeared these elements had the "ThisDevice" protection class. The full list can be found on https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values. It wasn't clear to me, but I'm guessing Google is using either kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly or kSecAttrAccessibleWhenUnlockedThisDeviceOnly. I don't see why this would prevent access on the current device, but I'm also not at all familiar with the "ThisDevice" option. It has been a number of years, but I don't recall that being available however many years back when this tool was first written (it very well could have been and I've forgotten though).

I no longer have a jailbroken phone to test/debug this with. So, I was hoping some recent contributors might have more up-to-date info about this protection class and whether it is something that we can support or not. /cc @mechanico @0xln @vocaeq

@0xln

0xln commented Sep 28, 2019

So my understanding is that "ThisDeviceOnly" prevents the values from being backed up or synced to another device. You should still be able to read the values as long as the device is unlocked. I'll take a look into this once I get a chance.

@mechanico

I tested several protection classes, with a simple custom app. The result can be seen below.

[ACTION] Select Entitlement Group by Number: 11
[INFO] 94FBXXZG2J.de.mezdanak.AutoFillTest selected.
Generic Password
----------------
Accessible Attribute: <SecAccessControlRef: 0x102375e30>
Service: AutoFillTest
Account: dump-me
Entitlement Group: 94FBXXZG2J.de.mezdanak.AutoFillTest
Label: (null)
Accessible Attribute: kSecAttrAccessibleWhenUnlockedThisDeviceOnly, protection level 5
Description: (null)
Comment: (null)
Synchronizable: 0
Generic Field: (null)
Keychain Data: password_thisdeve_only

As can be seen, the password is shown without any issues (as @0xln assumed). Therefore, I assume that the Google app might use Secure Enclave (SE) to further protect the keychain items. This would totally make sense if the app is bound to the device itself.

@TellowKrinkle
Contributor

TellowKrinkle commented Nov 11, 2019

Tested on my phone, iPhone 7 iOS 13.2.2 checkra1n.
When run, the device pops up a TouchID authentication and once authorized, all Google Authenticator codes including ThisDeviceOnly ones are printed.
Edit: They have data in the Generic Field field; however, the Keychain Data is null because it isn't valid UTF-8. #48 fixes this.
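
The null Keychain Data reported in the comment above is what a strict UTF-8 string conversion yields for a binary item value. The following Objective-C code is an added example, not code from this project or from #48 (whose contents are not shown on this page); `RenderKeychainData` and the sample bytes are hypothetical and constructed for illustration.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical helper (not from the project): render a keychain item's raw
// value for display without dropping values that are not text.
static NSString *RenderKeychainData(NSData *data) {
    if (data == nil) {
        return @"(null)";
    }
    // initWithData:encoding: returns nil when the bytes are not valid UTF-8.
    // Printing that nil with %@ is how a binary value shows up as "(null)".
    NSString *text = [[NSString alloc] initWithData:data
                                           encoding:NSUTF8StringEncoding];
    if (text != nil) {
        return text;
    }
    // Fallback: hex-encode so the value stays visible and lossless.
    const unsigned char *bytes = data.bytes;
    NSMutableString *hex = [NSMutableString stringWithCapacity:data.length * 2];
    for (NSUInteger i = 0; i < data.length; i++) {
        [hex appendFormat:@"%02x", bytes[i]];
    }
    return [NSString stringWithFormat:@"<hex> %@", hex];
}

int main(void) {
    @autoreleasepool {
        // Constructed sample values, not real keychain contents.
        NSData *textItem =
            [@"password_thisdevice_only" dataUsingEncoding:NSUTF8StringEncoding];
        const unsigned char raw[] = {0xde, 0xad, 0xbe, 0xef, 0xff, 0x00, 0x80};
        NSData *binaryItem = [NSData dataWithBytes:raw length:sizeof(raw)];

        // The text item decodes as UTF-8; the binary item takes the hex path.
        NSLog(@"Keychain Data: %@", RenderKeychainData(textItem));
        NSLog(@"Keychain Data: %@", RenderKeychainData(binaryItem));
    }
    return 0;
}
```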

@ptoomey3
Owner Author

Nice debugging! I’ll take a look at that PR in a bit more detail later this week. Thanks!

@CapCap

CapCap commented Nov 29, 2019

Can confirm having the same problem with authenticator data field being null, and #48 indeed does fix it. Thank you guys!

@ptoomey3
Owner Author

ptoomey3 commented Sep 8, 2020

Looks like #48 fixed this. Closing.

@ptoomey3 ptoomey3 closed this as completed Sep 8, 2020