Locked Apple Notes Aren’t as Secure as You Think

By Andrew Orr

Forensic company BlackBag, a Cellebrite company, recently found that locked Apple Notes are temporarily stored in an insecure state.

“Secure”

Senior researcher Sarah Edwards found that Apple Notes locked with a password are “partially and temporarily unsecure.” She used macOS 10.15.3 and iOS 13.3, the latest software versions. The database for Apple Notes is stored in ~/Library/Group Containers/group.com.apple.notes/ on macOS 10.15 and /private/var/mobile/Containers/Shared/AppGroup/<GUID>/ on iOS 13.

Insecure apple notes BlackLight

In one example, Ms. Edwards created a test locked note. Using the company’s forensic tool called BlackLight, she was able to see a partial note title and first line of a password-protected note.

In this case, the contents have been cleared of anything sensitive and moved to the ZDATA contents of the secured note which is encrypted…However, the ZSNIPPET column show the partial unencrypted content of this note. This is where potentially sensitive information from the note could be extracted. While I cannot see the full contents of the secure note, I can see the snippet or the first line of the note!

In another test, she attached a photo and location from Apple Maps. She was able to see the embedded location data, a suggestion of the photo’s contents thanks to Apple’s machine learning, and other metadata.

It appears that data is cleared under certain circumstances: Exiting the Notes app on macOS, closing the Notes window on macOS, and navigating to the home screen on iOS (switching to a different app doesn’t necessarily delete the entries). However, in spite of those data entries “clearing” some information was still left to be displayed in BlackLight.

Digital Forensic Community