Safari/iOS – Cookies.binarycookies reader

Safari browser and iOS applications store the persistent cookies in Cookies.binarycookies file. This is different from other desktop browsers. For example Internet Explorer stores the persistent cookies in text files under Temporary internet files folder. Similarly Firefox and Chrome browsers store the cookies in Sqlite database files. It is very easy to read the cookies stored in the text files and Sqlite database files. But there is no tool available to read the cookies from Cookies.binarycookies binary file. So I wrote a python script (BinaryCookieReader.py), when executed takes a Cookies.binarycookies file as input and dumps all the cookies in that file.

Usage of BinaryCookieReader

1. Download and install Python.

2. Add python installation folder to system PATH.

3. Download BinaryCookieReader.py

4. Open command prompt and run the below command. It dumps all the cookies from Cookies.binarycookies file.

Python BinaryCookieReader.py [Cookie.binarycookies-file-path]

On the iPhone, Safari browser and third party iOS applications store the cookies in Cookies.binarycookies files located at the path shown below. Cookies created only with the future expiration date (persistent cookies) are stored in the binary Cookies.binarycookies file.

Most of the iOS applications create session cookies with future expiration dates as they don’t want to prompt the user for login every time. Usually those cookies will never get expire unless the user logout from the application. Also, during the iTunes backup, the Cookies.binarycookies file is copied to the backup folder. So if some one gain access to your iPhone backup folder (Metasploit: Apple iOS backup extraction module), they can also get access to your email accounts and social network websites by reading the cookies from Cookies.binarycookies file.

Cookies.binarycookies Format:

Cookies.binarycookies file is composed of several pages and each page can have one or more cookies. The complete file format is explained below:

File Format:

1. The file starts with a 4 byte magic string: cook. It is used to identify the file type.

2. Next four bytes is an integer specifying the number of pages in the file.

3. Following that, a 4 byte integer for each page, represents the page size.

4. Next to that, the file contains the actual page content. Each page is of length corresponding to the page size. Page format is explained below.

5. The file ends with an 8 byte value and it might be file checksum.

Page Format:

1. Every page starts with a 4 byte page header: 0x00000100.

2. Next four bytes is an integer specifying the number of cookies in the page.

3. Following that, a 4 byte integer for each cookie, represents the cookie offset. Offset specifies the start of the cookie in bytes from the start of the page.

4. Next to that, the page contains the actual cookie contents. Each cookie is of variable length. Cookie format is explained below.

5. Page ends with a 4 byte value and it is always 0x00000000.

Cookie Format:

1. First 4 bytes in the cookie is the size of the cookie.

2. The next 4 bytes are unknown (may be related to cookies flags).

3. The next four bytes are the cookie flags. This is an integer value (1=Secure, 4=HttpOnly, 5= Secure+HttpOnly).

4. The next 4 bytes are unknown.

5. The next 4 bytes is an integer specifying the start of the url field in bytes from the start of the cookie record.

6. The next 4 bytes is an integer specifying the start of the name field in bytes from the start of the cookie record.

7. The next 4 bytes is an integer specifying the start of the path field in bytes from the start of the cookie record.

8. The next 4 bytes is an integer specifying the start of the value field in bytes from the start of the cookie record.

9. The next 8 bytes represents the end of the cookie and it is always 0x0000000000000000.

10. The next 8 bytes are the cookie expiration date. Date is in Mac epoch format (Mac absolute time). Mac epoch format starts from Jan 2001.

11. The next 8 bytes are the cookie creation date.

12. Next to that, the cookie contains the actual cookie domain, name, path & value. The order is not specific and they can appear in any order.

*LE – Little Endian

*BE – Big Endian

References:

Tengu-Labs: Miyake%20-%20Safari%20Cookie.binarycookie%20Format%200_2[Draft].pdf

StackOverflow: safari-5-1-cookie-format-specs

Toolbox: understanding-the-safari-cookiesbinarycookies-file-format-49980