Jonathan Zdziarski, an iOS forensic examiner, gave a presentation at the HOPE X hacker conference last Friday detailing hidden data-collection processes that run on iOS devices. This data can then be seen by a 'trusted' computer that has been 'paired' with the iOS device via USB. How would someone connect to these mechanisms on an iPhone? Zdziarski explained that the trick has to do with iOS "pairing." Once the pairing has been done, the keys and certificates that identify this element of 'trust' are stored on both the iOS device and the desktop.
Anyone with access to this pairing data, the researcher claims, can then locate the specific iOS device on a Wi-Fi network. However, perhaps the most interesting bit is what happens once the pairing relationship has been established. Tools like com.apple.mobile.file_relay - which Zdziarski describes as an "undocumented file-relay service that really only has relevance to purposes of spying and/or law enforcement" - are allegedly given automatic access to data, allowing copying and relay of all data stored on the iOS device.
Another tool, according to the researcher, is a packet sniffer that views all network traffic and HTTP header data going to and from the iOS device.
"Why do we need a packet sniffer running on 600 million personal iOS devices?" Zdziarski asked during his presentation.
While his presentation, expectedly, sent everyone into a tizzy, Zdziarski himself tried to downplay it, though he urged Apple to come clean.
"I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets," he said in a blog post. "I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer."
Apple issued a statement on Monday terming the features 'diagnostic' in nature. Here is Apple's statement in full:
"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provide needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues," Apple told iMore. "A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent. As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."
Zdziarski dismissed Apple's explanation, saying any diagnostic feature must have a way it can be disabled.
"The problem with this is that these services dish out data (and bypass backup encryption) regardless of whether or not 'Send Diagnostic Data to Apple' is turned on or off, and whether or not the device is managed by an enterprise policy of any kind," Zdziarski said in another blog post. "So if these services were intended for such purposes, you'd think they'd only work if the device was managed/supervised or if the user had enabled diagnostic mode. Unfortunately this isn't the case and there is no way to disable these mechanisms."
Clearly, we haven't heard the last on this subject.