Plugging the iPhone Screenshot Leak

I recently did a forensics webinar about cracking the iPhone’s passcode, in which I demonstrated some of the techniques from my latest book. I cited the fact that the iPhone takes screen grabs every time you push the home button, so that the 3D “zoom” effect can be processed as the application zooms in and out when it is suspended and resumed. Many people asked me if there was a way to disable this writing to disk, so that screenshots couldn’t be recovered forensically.

I did some further digging and found that the screenshots themselves actually get written to /var/mobile/Library/Caches/Snapshots. If you delete this folder and symlink it to /dev/null, the screenshots don’t get written to disk. The side effect of this is that when resuming an application, you’ll get the default screen in the zoom-in effect. Once the application resumes, however, you’ll have your application screen back. For example, your mail application will always zoom to the front as if you had an empty inbox, but will quickly correct itself once the application resumes.

On a jailbroken iPhone, you can disable these screenshots with the following commands:

# rm -rf /var/mobile/Library/Caches/Snapshots
# ln -s /dev/null /var/mobile/Library/Caches/Snapshots

To return to the default behavior, just delete the symlink and the directory will get recreated. Mind you, this has no effect on the many other pieces of data stored on the iPhone, and therefore your iPhone will always be at risk for leaking private data, especially to seasoned forensic examiners. To find out what else your iPhone leaks, you’ll have to buy the book :)
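To confirm which state the device is in after either change, the following added example (not part of the original post) reports whether the Snapshots path is a symlink to /dev/null or a real directory that is caching files. The function name snapshot_state and its output labels are assumptions made for illustration, and it assumes readlink and find are available in the shell on the device.

```shell
#!/bin/sh
# Added example: report the state of the snapshot cache path from the post.
# snapshot_state is a hypothetical helper name, not an Apple or iOS tool.

SNAP_DEFAULT=/var/mobile/Library/Caches/Snapshots   # path given in the post

snapshot_state() {
    p=${1:-$SNAP_DEFAULT}
    if [ -L "$p" ]; then
        # A symlink: only /dev/null as the target discards the writes.
        target=$(readlink "$p")
        if [ "$target" = "/dev/null" ]; then
            echo "plugged"
        else
            echo "symlink-other:$target"
        fi
    elif [ -d "$p" ]; then
        # A real directory (the default behavior): count files stored under it.
        n=$(find "$p" -type f | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "caching:$n"
        else
            echo "directory-empty"
        fi
    elif [ -e "$p" ]; then
        # Something else sits at the path (regular file, device node, ...).
        echo "unexpected-file"
    else
        echo "missing"
    fi
}

# Print the state of the path given as the first argument, or of the default.
snapshot_state "$@"
```

A result of "plugged" means the symlink is in place; "caching:N" means the directory exists and currently holds N files.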

About Jonathan Zdziarski

Respected in his community as an iOS forensics expert, Jonathan is a noted security researcher, penetration tester, and scientist. Author of many books ranging from machine learning to iPhone hacking and software development, Jonathan frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high profile cases. Jonathan is also inventor on several US patent applications, father of DSPAM and other language classification technology, and an App Store developer. All opinions expressed on this website are the author's own. Follow Jonathan on Twitter: @JZdziarski