
The Last Line of Defense: Understanding and Attacking Apple File System on iOS

Conference:  BlackHat EU 2018

2018-12-06

Summary

The talk examines the security of Apple File System (APFS) on iOS and presents a new attack that bypasses its tamper-protection mechanisms.
  • APFS is the file system Apple introduced on macOS and iOS, designed for both high performance and strong security.
  • The root partition is the main target for attackers who want to modify system settings or install malicious apps persistently.
  • Previous attacks on APFS have been mitigated by several protection mechanisms.
  • The talk presents a new attack that bypasses these mitigations and allows an attacker to tamper with any file or directory on the system.
The speaker argues that APFS's protection mechanisms are not as secure as they are supposed to be and describes ways to exploit or bypass them. This material is aimed at iOS security researchers and jailbreakers, and the talk also aims to inspire the design of a more secure file system on Apple platforms.

Abstract

With the rapid evolution of iOS, Apple has deployed many mechanisms to defend against potential threats and risks. Among system components, the filesystem is considered the last line of defense against attackers' attempts to steal or tamper with users' private data, and against permanent damage such as the installation of backdoors or malicious applications. Balancing security and performance, Apple recently introduced and deployed a new filesystem, Apple File System (APFS), on iOS and macOS. On iOS in particular, as required by the system's rigorous security policies, APFS has adopted several protection mechanisms to prevent critical files and directories from being tampered with, even by attackers who hold kernel privileges. In our study, however, we found that these mechanisms are not as secure as they are supposed to be, and we discovered ways to exploit or bypass them. In this talk, we will first introduce the architecture of the filesystem on Apple systems and the basic structure of APFS. We will then explain previous attacks on APFS and illustrate APFS's new mitigations through several experiments. Most importantly, we will present a new attack that bypasses APFS's mitigations and allows an attacker to tamper with any file or directory on the system. The knowledge of the APFS architecture, its weak points, and our new attack presented in this talk is indispensable to iOS hackers and jailbreakers, and has not been thoroughly covered in any previous talk. We believe that our talk will inspire the design of a more secure filesystem on Apple systems.
