Faced with a growing backlash, Apple has added a page to its support website explaining iOS's previously unexplained data-slurping tools – which were recently highlighted by security researcher Jonathan Zdziarski.
The utilities – which includes a silent packet sniffer, a file relay system that bypasses Apple's Backup Encryption, and other information-shifting systems – sparked alarm this week: Cupertino hadn't officially warned millions of its iThing users about the built-in mechanisms nor the potential for attackers to harvest personal data from iOS devices using said entry points.
In the support document, Apple says the mysterious subsystems can only work when used between a desktop and iOS device that trust each other. Unfortunately, that doesn't completely stop miscreants and the feds from abusing that trust – thanks to the pairing system detailed by Zdziarski in an academic paper in March and presentation [PDF] at the Hackers On Planet Earth (HOPE X) conference.
Apple's side of the story
Apple says iOS's undocumented packet sniffer,
com.apple.mobile.pcapd, is used for setting up enterprise VPN tunnels, and for troubleshooting problems on iPhones, iPads and iPods. The file relay,
com.apple.mobile.file_relay, is designed to be used by its engineers and AppleCare staff, and the company insists that it "does not have access to all data on the device."
The third component under the microscope,
com.apple.mobile.house_arrest, is used by Xcode to transfer test data to a device and to shift documents around in iTunes, Apple claims.
Cupertino's explanations haven't impressed Zdziarski. In a detailed blog post, he has taken apart Apple's documentation, and highlights some fairly worrying aspects of the code as it stands.
He points out that in all cases, the under-fire software in iOS is activated and run without the owner's consent or knowledge. Some of the tools may be just for developers and enterprise IT managers, but that it is built into every iOS device as standard is just plain weird or lazy.
The network packet sniffer in particular can be activated silently in the background and used to send a whole host of personal data from the gadget wirelessly, provided the correct pairing data is available. There's no way for normal folk to know if their iPhone, iPad or iPod is leaking data.
As for the file relay system, Zdziarski scoffed at Apple's insistence that it is only needed for diagnostic data. The software can download text messages, notes, a device's address book, personal photos, location data, and screenshots – something a diagnostics engineer would never need, he argued.
In addition, the file relay bypasses the inbuilt data encryption to gather all this information – and this can be done wirelessly and without the user's knowledge or consent. "File relay is far too sloppy with personal data, and serves up a lot more than 'diagnostics' data," he concludes.
As for the House Arrest function, Zdziarski agrees that iTunes and Xcode use the software, but points out that it also accesses a wealth of personal data, including the OAuth tokens that can be used to access personal accounts and private conversations, which isn’t strictly speaking needed for the functions Apple states.
"I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there – prior to this, there was no documentation about file relay whatsoever, or its 44 data services to copy off personal data," he wrote. (Bear in mind Zdziarski's website has been buckling under the weight of visitors hitting it.)
"They appear to be misleading about its capabilities, however, in downplaying them, and this concerns me. I wonder if the higher ups at Apple really are aware of how much non-diagnostic personal information it copies out, wirelessly, bypassing backup encryption."
In response to some of the more excitable media reports of NSA backdoors being built in by Apple, Zdziarski tells users not to panic. Many of the problems with the software are down to their overly broad reach and have flaws that could be used by an outside attacker, but there's no evidence that they were put there for any reason other than poor engineering. ®