Elcomsoft has announced that its Phone Breaker 9.0 forensic extraction tool now has the ability to remotely access Apple Health data stored in iCloud, making it the first forensic tool to gain access to this information, and adding it to the list of other data such as call logs, photo libraries, passwords, messages, and more that can already be extracted by Elcomsoft’s forensic tools. However, although Phone Breaker 9.0 can now access Apple Health data, this shouldn’t be considered an iOS security issue as the tool still requires the user’s Apple ID and password to access even basic Health data, while access to more detailed health information will also require an investigator to supply the user’s lock screen password. Apple Health data is end-to-end encrypted within iCloud, preventing Apple itself from releasing most of this data when serving law enforcement or GDPR requests, however the user’s Apple ID and password along with the device passcode provides the keys necessary to decrypt the data that is stored in iCloud, in much the same way that the user’s own iPhone accesses this data.
For forensic investigators, access to Health data can provide additional useful evidence, including records of heart rate, sleeping habits, location points, workouts, steps, and walking routines. As Elcomsoft notes, the Apple HealthKit framework makes use of low-energy sensors that constantly collect information about the user’s physical activities, and can collect even more information if users have an Apple Watch or Bluetooth fitness tracker connected to Apple Health, and the user may also use the Health app to manually add information such as water, caffeine, and food intake, either directly or via other third-party apps which integrate with the HealthKit framework.
