Apple’s placing a lot of emphasis on iOS security (especially when compared with that “toxic hellstew” Android) and on privacy (again, compared to its rival) but it turns out that iOS might not be as secure or private as Apple has led customers to believe. Security researcher Jonathan Zdziarski has a new paper out called “Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices,” in which he reveals Apple’s complex tools inside iOS that would allow Apple to share certain user data at the request of law enforcement without the user knowledge.
More importantly, with or without Apple’s help, spying agencies such as NSA and other third parties that are very familiar with how iOS operates can apparently use these vulnerabilities to grab plenty of data from an iPhone, or to install applications for spying and other malicious purposes without the user’s knowledge.
Zdziarski shared his findings with “a room full of hackers,” explaining how Apple’s iOS has evolved over the years and describing some tools inside iOS that Apple is yet to acknowledge or account for. What Zdziarski did not do, is to reveal some sort of zero-days attack method that how they could have had “a little temporary fun with them for a few days.”
The researcher explains what kind of data Apple is able to pull from an iPhone, when law enforcement requires it, revealing that the company can easily access information stored in default iOS applications, but not in encrypted apps or apps from third parties. Following the receipt of a valid search warrant, Apple can give law enforcement SMS messages, photos, videos, contacts, audio recordings and call history data from the handset.
However, while that’s all that Apple can provide, advanced techniques exist – and Zdziarski says they’re facilitated by Apple’s code in iOS 7 for example – to allow certain third-party entities to take matters into their own hands when it comes to data access, and collect a lot more data than Apple can serve, including deleted items that can be recovered.
These iOS tools that facilitate spying are not for iTunes or Xcode, the Genius Bar/Apple Support, developers or engineers, and the code discovered in iOS versions isn’t something Apple forgot about as years passed. “Apple has been maintaining and enhancing this code, even with iOS 7; they know it’s there,” the researcher wrote.
“Installing invisible software that backgrounds is still easy to do in iOS 7,” Zdziarski writes, revealing that Apple did make a “crucial” security improvement in iOS 7, which is preventing “socket connections to localhost / local IP.” “Prior to this, I had spyware running invisibly that could dump a phone and send its contents remotely anywhere. (never released for obvious reasons),” he says.
In addition to revealing that invisible malware installation is possible in iOS 7, Zdziarski revealed a way of at least trying to make sure spy agencies aren’t able to control an iOS device, and that’s using an Apple Configurator app that’s available as a free OS X app.
Zdziarski has contacted Apple numerous times asking Steve Jobs and Tim Cook about his findings, but he was never offered answers. The researcher has several questions for Apple that are left unanswered, as seen in the following slide from the presentation.
The researcher concludes his presentation by saying Apple is “dishing out a lot of data behind our backs,” and that these uncovered tools in iOS are “conveniences” for enterprises “that make tasty attack points” for governments and criminals.
“It’s a violation of the customer’s trust and privacy to bypass backup encryption, he says. “There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission. Much of this data simply should never come off the phone, even during a backup.”
“Overall, the otherwise great security of iOS has been compromised… by Apple… by design” he concludes his presentation.
The full presentation and papers are available at the source links below.