After a student of mine recently "gently" reminded me that I hadn't updated my blog in over a year, I decided that it was time to get back into it! Whoops! So I figured I would ease myself back in with something that I've been thinking about for a while and needed to update on. In this post, I'm going to detail how to pick a couple of iOS and Android devices to build yourself a good testing lab.
Disclaimer: I'm not building exploits, and I'm not testing them. What I mean by that is that when I build out devices, I take the steps ahead of time to build out devices that I know I can easily gain root/full access to. Why? Because I'm interested in artifacts! The bottom line is that getting the data is always going to be the hardest. I leave that to people a lot smarter than myself to figure out. What I care about is WHEN I can get the data, what can I do with it?
It's also important to realize that whether you're testing system-level artifacts or third-party applications, you want to grab data in a number of different ways. Sometimes data will be available in a "Quick" image type; sometimes it's restricted to a full filesystem pull only. Sometimes the data may be available from a cloud source, while other times it's restricted to on-device only. Heck, sometimes the data is ONLY in the cloud! Because of these factors, you want to choose a set of devices that are going to offer you the most flexibility across the board.
For my testing lab, I usually like to have a bank of four devices. I know that sounds like a lot if your budget is small, but hopefully this post will illustrate the importance of having them and how you can stretch your budget to go farther. I'm going to break it down into two sections, iOS and Android.
Let's start with everyone's favorite (or least favorite) fruit-named company, Apple. iOS is a huge leader in popularity, at least here in North America. Over the last year, there has been some AMAZING research done around iOS that has extended our capabilities in the research aspect. That being said, the checkm8 research isn't available for all iOS devices out there. If you're going to rely on checkm8 to get full filesystem images, you want to pick a set of iOS devices that's going to allow you to maximize the amount of time you can use it.
Exploitable iOS Device:
Option 1: iPhone 8/iPhone X
Running the A11 chipset, these are the latest iPhone devices that are going to be exploitable by the checkm8 exploit. The iPhone 8 and iPhone X came out in 2017, meaning that they're already showing age in Apple years.
If you choose to buy one of these straight from Apple's refurb website, you can get them for 339 USD or 599 USD for the 8 or X respectively. A little pricey for a test device that's already 3 years old. While I believe these will get support for a while, I'm all about longevity with my test devices because my budget only opens up every so often. Purchasing Apple devices secondhand is often safer than some other devices because these devices can be securely factory reset. With that in mind, make sure the device is not activation locked or that the IMEI is not blacklisted before purchasing.
Option 2: iPad 7th Generation (2019) Model
For my money, I think if I wanted an iOS device that was vulnerable to the checkm8 exploit for full filesystem testing, I'm going to go with an iPad from 2019. Not the mini, not the Air, and not the Pro. Just the plain old iPad (7th Generation).
Brand new from Apple today, you can score one of these for 329 USD for Wi-Fi only or 459 USD for Wi-Fi + Cellular. Do you really need Cellular? It depends on what you want to test! One reason to get a cellular device is to test specific cell-tower-based location data or to track application data usage over cellular (not just Wi-Fi).
But why an iPad? Don't you need a phone? Well... again, it goes back to our two favorite (least favorite) words in mobile forensics: IT DEPENDS. Are you just testing app data and how the system generates artifacts? Then an iPad is going to be great. Are you testing specific location data generation? This will do it. Do you need call and SMS data? Well, you can get FaceTime and iMessage data, which live right alongside standard telephony calls and SMS/MMS messages. And if you have a SECOND iOS device, like one I'll mention soon, it allows you to forward that information to this device, so problem solved!
Another reason to have an iPad in your testing arsenal is that iPadOS does have some slight differences between it and iOS for iPhones. While they're mostly cosmetic and involve how the user interacts with apps, there could be some artifacts that differ (I'm looking at you, Safari Downloads :shakes fist:)
Maybe checkm8 isn't required in your testing. Maybe you're operating in an environment where it wouldn't be approved to use, or you are only operating with quick, iTunes-style backups anyway. In this case, I'm going to recommend another device. When building out my most recent test environment, I went with Option 2 above and the next mentioned device. Skip the XS and 11 Pro Max. Go for the SE!
This device isn't the sexiest on the market, let's be honest. But that's not what I need it for. I don't need the fidget-spinner style camera strapped to the back. Just one that can take pictures and keep running iOS for the next several years to come. This device packs an A13 chipset just like the iPhone 11 series.
This budget-minded iPhone came out in 2020 and can be picked up brand new for 399 USD. That's two hundred dollars cheaper than the iPhone X refurbished on Apple's website! That means for the price of said iPhone X, I could instead pick up the iPhone SE (2nd Gen) and a 7th-Gen iPad for only about 120 USD more. That's not even including sales where I could possibly pick up the iPad cheaper (I bought my last one for even less than the going rate). This leaves you with one checkm8 exploitable device and one that runs the latest available processor. What are you missing in the SE? Well, no FaceID. It's still TouchID because it's the budget iPhone.
Why Two iOS Devices?
This is a simple one. Apple loves to sync! It's incredibly common for a user, once in the Apple ecosystem, to drink deep of the Apple-flavored Kool-Aid and have both an iPhone and an iPad. There are also a lot of artifacts (looking at you again, Safari) that are generated when a user has more than one iOS device and that can be crucial in investigations! Also, if you have both, you can have one device running cellular service and generating call/SMS data, use a hotspot feature for the iPad, and constantly have it syncing the data across! It's a win-win system!
Another reason for a second device? Testing the transmission of data from one to another! Think about Wi-Fi password sharing, AirDrop transmissions, and PIN sharing!
Okay, I'm done waxing poetic on Apple for a while (if you know me, you know that's a lie). It's time to talk about the popular green guy in the room, Andy the Android. The Android operating system is one of the most widely distributed OS platforms worldwide and backed by several giants in their own right. For me personally, I'm going to skip a tablet this time around and go with not one, but two different budget-minded Android devices.
The Venerated Veteran
The only Android devices I've ever "liked" (read: tolerated) are the ones that come straight from Google. I'm talking about the Nexus and Pixel lines of devices. The reasons why could fill a blog post in its own right, but I'll be brief.
- STOCK Android (No bloatware)
- Runs on just about any carrier
- Longer update life than most Androids
- Easily fixable
- iTunes: A must-have as Apple really doesn't like to share the iOS driver outside of this.
- Create a minor account and tie it to your own AppleID via family sharing.
- Make this "minor" 17 years old and about a week away from their birthday.
- Once the account owner "turns" 18, you can remove them from your family share plan. Now you have a fully functional plan without 2FA; just don't enable it.
- Make sure phone is above 80% power. I could NOT get this to work until it was on at least 80% power.
- Power Off phone
- Hold Volume Up + Volume Down + Power while plugging in the USB-C cable (use the one that came with the phone, not all USB-C cables are created equal)
- Hold the Volume Up button and allow it to reset/wipe the device.