tcc

APOLLO and tvOS – It Just Works! (...and judges me for binging TV)

It’s been a while since I last jailbroke an Apple TV and had a forensic look at it. Using the checkra1n jailbreak, I decided to give it a try. The jailbreak itself was easy and went very smooth. This was using an 4th Gen Apple TV running tvOS 13.4

I wanted to run it through some of my APOLLO modules to see if any needed to be updated. Fortunately, none do as it acts just like iOS! (whew!) There is a noticeable lack of some files and databases compared to iOS proper, but some good ones are still accessible! 

KnowledgeC.db

Starting with my favorite database, knowledgeC.db you will notice there are many less “streams” for tvOS. Even so, there are a few that are still of investigative use!

KnowledgeC.db – App InFocus 

This screenshot below shows me going back and forth between different apps and the usage time for them. I watch both recent NASA launches on NASA TV (gov.nasa.NASA) while also watching some TV on Amazon Prime (com.amazon.aiv.AIVApp). The com.apple.HeadBoard app is the main app selection screen.

KnowledgeC.db – Now Playing

 (Note this module is getting an update hopefully later this week, what you see below has some of those updates.🤞)

This screenshot shows what binge-watching Alias on Amazon Prime looks like. After the NASA launch, back into Alias I went! episode after episode until the “Are you still watching?” message pops up. 😆

It’s not just TV and movies for me, sometimes I’m rocking out to music! This screenshot shows me streaming Apple Music. In the middle of this I watched some cat videos in the Photos app. Unfortunately, those do have any metadata associated.

TCC.db

Next up are app permissions with TCC.db. This one is sparse compared with those of iOS and macOS but could show some useful information. kTCCServiceLiverpool is generally assumed to be part of location services and kTCCServiceUbiquity is associated with iCloud. kTCCServiceMSO is a new one to me but apparently HBO needs it. 🤷🏻‍♀️

Locationd (cache_encryptedB.db)

You may think that Apple TVs probably do not capture much locational activity, however they are keeping track of WiFi locations in locationd’s cache_encryptedB.db. This particular Apple TV doesn’t leave my living room, but I do have others that I could travel with…if and when I travel again!

Networkd (netusage.sqlite)

Finally, all this streaming adds up on the network usage which can be seen in the netusage.sqlite database. I’ve sorted this output by Wi-Fi in. Not surprising on top are processes for Netflix, HBO, and Amazon. The NASA app even made it close to the top too! 🚀

Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module

TCC Modifications in the Unified Logs

TCC or Transparency, Consent, and Control keeps track of various application permissions. A user can make changes to an application’s permissions in the respective Privacy settings on macOS and iOS. 

When changing these permissions on macOS entries do get written into the unified logs. While there are many related TCC entries, I want to focus on just permission changes. These can be extracted using a query where I’m looking for the text ‘Update Access Record:’ in the log message.

log show --info --predicate 'eventMessage contains[c] "Update Access Record:"'

To create these entries, I went into my own settings and toggled some on (Allowed) and some off (Denied). 

  • Camera access was denied to QuickTime Player (com.apple.QuicktimePlayerX)

  • Camera access was allowed for Zoom (us.zoom.xos)

  • Microphone access was denied to PowerPoint (com.microsoft.Powerpoint)

  • Microphone access was denied for SnagIt (com.TechSmith.Snagit2020)

  • Accessibility access was denied for SnagIt (com.TechSmith.Snagit2020)

  • Accessibility access was allowed for iStat Menus (com.bjango.istatmenus)

  • Accessibility access was allowed for SnagIt (com.TechSmith.Snagit2020)

Unfortunately, these entries are removed from the logs after in a short time period. I’ve seen mine being removed anywhere from about 1 hour to 1h40m. 😧

iOS TCC Entries

On iOS many of the same privacy settings apply as well. In this example I toggled the WhatsApp permission for microphone access to on.

I’ve connected to my phone using the Console.app application on macOS. This particular phone is named miPhoneX (iPhone X running iOS 13.1). This is the easiest way to test certain scenarios on iOS devices, sadly there doesn’t appear to be a ‘log’ executable for jailbroken devices. Unified logs can also be extracted using sysdiagnose or copying them off a jailbroken device and manually creating a logarchive.

Toggling permissions back and forth I can see the same entries I might see on macOS, however notice the ‘Volatile’ column for these entries are set to a ‘1’ – meaning they are not being written to disk. These entries are removed after only a few minutes (less than 5 minutes in my experience). What you see in Console may not necessarily get written to disk. Some entries (like those for macOS) are written to disk but not necessarily kept for the entirety of unified logs themselves. Nothing lives forever!

macOS & iOS TCC APOLLO Module 

There may be a time when the macOS logs rollover or you are looking at an iOS device where these entries are volatile. Fortunately, the TCC.db database keeps track of the last modified time for these entries. I’ve created an APOLLO module for macOS and iOS to extract this information. The example below is from my macOS user TCC.db database using the SQLite query from the APOLLO module.

This database can be found on macOS and iOS devices in the following paths:

macOS:

  • User: ~/Library/Application Support/com.apple.TCC/TCC.db

  • System: /Library/Application Support/com.apple.TCC/TCC.db

iOS (Backup acquisitions may differ slightly): 

  • /private/var/mobile/Library/TCC.db