The Last Line of Defense: Understanding and Attacking Apple File System on iOS

Presented at Black Hat Europe 2018, Dec. 6, 2018, 9 a.m. (30 minutes)

With the rapid evolution of iOS, Apple has deployed many mechanisms to defend against potential threats and risks. Among system components, the filesystem is considered the last line of defense against attackers' attempts to steal and tamper with users' private data, and against permanent damage such as the installation of backdoors or malicious applications.

In consideration of both security and performance, Apple recently proposed and deployed a new filesystem, called Apple File System (APFS), on iOS and macOS. On iOS in particular, as required by the system's rigorous security policies, APFS has adopted several protection mechanisms to prevent critical files and directories from being tampered with, even in the face of attackers with kernel privileges. In our study, however, we found that these mechanisms are not as secure as they are supposed to be, and we successfully discovered ways to exploit or bypass them.

In this talk, we will first introduce the architecture of the filesystem on Apple systems as well as the basic structure of APFS. Then we will explain previous attacks on APFS and elaborate on APFS's new mitigation through several experiments. Most importantly, our talk will propose a new attack to bypass APFS's mitigation, which allows an attacker to tamper with any file or directory on the system.

The knowledge of APFS architecture, its weak points, and our new attack elaborated in this talk is indispensable to iOS hackers and jailbreakers, and has not been thoroughly presented in any previous talk. We believe that our talk will inspire the design of a more secure filesystem on Apple systems.


  • Min Zheng / Spark - Security Expert, Alibaba Inc. as Min (Spark) Zheng
    Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert in Alibaba Orion Security Lab. He received his Ph.D. in the CSE department of the CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, system design, and implementation. Before receiving the Alibaba A-Star offer award in 2015, he worked at FireEye, Baidu, and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the "best security researcher" award in FIT 2016 for detecting the iOS/macOS vulnerabilities, XcodeGhost virus, and WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreaking development. He has presented his research at DEF CON, HITB, BlackHat, ISC, XCon, etc.
  • Xiaolong Bai - Security Engineer, Alibaba Inc.
    Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer in Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. at Tsinghua University. He has published several research papers at top conferences including IEEE S&P, Usenix Security, CCS, NDSS, and presented his research at Black Hat USA and Hack In The Box. He has been acknowledged by famous vendors including Apple, Google, Facebook, Evernote, and Tencent for his contribution in discovering the vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreaking development.


