Privacy Permissions Database (TCC.db)

Location

Description

SQLite database implementing the Transparency, Consent, and Control framework that records privacy permission grants for each application. Tracks which apps have been authorized to access sensitive resources including Contacts, Photos, Camera, Microphone, Location Services, Calendars, Reminders, Bluetooth, Health data, and Motion & Fitness. Each record contains the app bundle ID, the service type, the authorization status, and a modification timestamp.

Forensic Value

TCC.db reveals which applications were granted access to sensitive device capabilities, directly identifying potential stalkerware or surveillance applications that obtained camera, microphone, or location permissions. Comparing granted permissions against expected application functionality identifies over-privileged apps that may be operating maliciously. The modification timestamp on permission records establishes when access was granted, which can correlate with social engineering or physical access events. Applications granted accessibility or full device access permissions warrant particular scrutiny as these enable extensive device monitoring capabilities.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

idevicebackup2 extract --domain HomeDomain /forensics/tcc_extract/

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References