iOS slurpware brouhaha: It's for diagnostics, honest, says Apple

Hidden packet sniffer claims hit Cupertino

Faced with a growing backlash, Apple has added a page to its support website explaining iOS's previously unexplained data-slurping tools – which were recently highlighted by security researcher Jonathan Zdziarski.

The utilities – which include a silent packet sniffer, a file relay system that bypasses Apple's Backup Encryption, and other information-shifting systems – sparked alarm this week: Cupertino hadn't officially warned millions of its iThing users about the built-in mechanisms, nor about the potential for attackers to harvest personal data from iOS devices using said entry points.

In the support document, Apple says the mysterious subsystems can only work when used between a desktop and iOS device that trust each other. Unfortunately, that doesn't completely stop miscreants and the feds from abusing that trust – thanks to the pairing system detailed by Zdziarski in an academic paper in March and presentation [PDF] at the Hackers On Planet Earth (HOPE X) conference.

Apple's side of the story

Apple says iOS's undocumented packet sniffer, com.apple.mobile.pcapd, is used for setting up enterprise VPN tunnels, and for troubleshooting problems on iPhones, iPads and iPods. The file relay, com.apple.mobile.file_relay, is designed to be used by its engineers and AppleCare staff, and the company insists that it "does not have access to all data on the device."

The third component under the microscope, com.apple.mobile.house_arrest, is used by Xcode to transfer test data to a device and to shift documents around in iTunes, Apple claims.

Cupertino's explanations haven't impressed Zdziarski. In a detailed blog post, he has taken apart Apple's documentation, and highlights some fairly worrying aspects of the code as it stands.

Researcher's rebuttal

He points out that in all cases, the under-fire software in iOS is activated and run without the owner's consent or knowledge. Some of the tools may be just for developers and enterprise IT managers, but the fact that they are built into every iOS device as standard is just plain weird or lazy.

The network packet sniffer in particular can be activated silently in the background and used to send a whole host of personal data from the gadget wirelessly, provided the correct pairing data is available. There's no way for normal folk to know if their iPhone, iPad or iPod is leaking data.
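Both the pairing-trust point in Apple's support document and the "provided the correct pairing data is available" caveat above come down to the same thing: these services answer any computer that holds a valid pairing record for the device. A practical defensive check is therefore to know which pairing records exist on the computers you own and to clear out stale ones. The script below is an added example and is not code from the article, from Apple, or from Zdziarski. It assumes the lockdown daemon stores one `<UDID>.plist` per paired device under `/var/db/lockdown` (macOS), `C:\ProgramData\Apple\Lockdown` (Windows) or `/var/lib/lockdown` (Linux), and that each record carries a `HostID` key and, for hosts allowed to unlock protected data, an `EscrowBag` key; those paths and key names are assumptions based on general knowledge of the pairing format, not facts stated on this page. The sample records it writes for the demo are constructed with placeholder UDIDs.

```python
"""Audit the iOS pairing records held on a host computer.

Added example, not from the article. Paths and plist keys are assumptions
about how lockdownd stores pairing records; sample data is constructed.
"""
import os
import plistlib
import sys
import tempfile
import time
from dataclasses import dataclass

# Assumed locations of pairing records (one "<UDID>.plist" per paired device).
LOCKDOWN_DIRS = {
    "darwin": "/var/db/lockdown",
    "win32": r"C:\ProgramData\Apple\Lockdown",
    "linux": "/var/lib/lockdown",
}


@dataclass
class PairingRecord:
    udid: str            # device identifier, taken from the file name
    host_id: str         # assumed "HostID" key: identity the device trusts
    age_days: float      # time since the record file was last written
    has_escrow_bag: bool  # assumed "EscrowBag" key: lets this host unlock protected data


def list_pairing_records(lockdown_dir, now=None):
    """Parse every pairing plist in lockdown_dir and describe the trust it grants."""
    now = time.time() if now is None else now
    records = []
    for name in sorted(os.listdir(lockdown_dir)):
        # SystemConfiguration.plist holds host-wide settings, not a device pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        path = os.path.join(lockdown_dir, name)
        with open(path, "rb") as fh:
            try:
                data = plistlib.load(fh)
            except plistlib.InvalidFileException:
                continue  # not a plist we can read; skip rather than guess
        records.append(PairingRecord(
            udid=name[:-len(".plist")],
            host_id=str(data.get("HostID", "<unknown>")),
            age_days=(now - os.path.getmtime(path)) / 86400.0,
            has_escrow_bag="EscrowBag" in data,
        ))
    return records


def stale_records(records, max_age_days=90):
    """Pairings older than max_age_days are candidates for deletion."""
    return [r for r in records if r.age_days > max_age_days]


def audit(lockdown_dir=None, now=None, max_age_days=90):
    """Summarise the pairings on this host: how many, and which look stale."""
    lockdown_dir = lockdown_dir or LOCKDOWN_DIRS.get(sys.platform, LOCKDOWN_DIRS["linux"])
    records = list_pairing_records(lockdown_dir, now)
    return {
        "total": len(records),
        "with_escrow_bag": sum(1 for r in records if r.has_escrow_bag),
        "stale": [r.udid for r in stale_records(records, max_age_days)],
    }


def write_sample_records(lockdown_dir, now):
    """Write two constructed pairing records (placeholder UDIDs, fake cert bytes)."""
    samples = [
        # (UDID placeholder, HostID placeholder, age in days, include escrow bag)
        ("00000000-000000000000001A", "11111111-2222-3333-4444-555555555555", 2, True),
        ("00000000-000000000000002B", "66666666-7777-8888-9999-000000000000", 400, True),
    ]
    for udid, host_id, age, escrow in samples:
        record = {
            "HostID": host_id,
            "SystemBUID": "constructed-buid",
            "HostCertificate": b"<constructed cert bytes>",
            "DeviceCertificate": b"<constructed cert bytes>",
        }
        if escrow:
            record["EscrowBag"] = b"<constructed opaque blob>"
        path = os.path.join(lockdown_dir, udid + ".plist")
        with open(path, "wb") as fh:
            plistlib.dump(record, fh)
        ts = now - age * 86400
        os.utime(path, (ts, ts))  # backdate the file so the age check is deterministic


def demo():
    """Run the audit against a temporary directory of constructed records."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_records(tmp, now)
        return audit(tmp, now)


if __name__ == "__main__":
    # With no argument, audit constructed sample data; with a path, audit that directory.
    print(demo() if len(sys.argv) < 2 else audit(sys.argv[1]))
```

Deleting a record from the host only closes one side of the trust: the device keeps its own list of trusted computers, which on iOS is cleared with Settings > General > Reset > Reset Location & Privacy. Run the audit on every machine the device has ever been plugged into, not just the one you use day to day, since any of them holds enough to talk to these services.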

As for the file relay system, Zdziarski scoffed at Apple's insistence that it is only needed for diagnostic data. The software can download text messages, notes, a device's address book, personal photos, location data, and screenshots – something a diagnostics engineer would never need, he argued.

In addition, the file relay bypasses the inbuilt data encryption to gather all this information – and this can be done wirelessly and without the user's knowledge or consent. "File relay is far too sloppy with personal data, and serves up a lot more than 'diagnostics' data," he concludes.

As for the House Arrest function, Zdziarski agrees that iTunes and Xcode use the software, but points out that it also accesses a wealth of personal data, including the OAuth tokens that can be used to access personal accounts and private conversations, which isn't, strictly speaking, needed for the functions Apple states.

"I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there – prior to this, there was no documentation about file relay whatsoever, or its 44 data services to copy off personal data," he wrote. (Bear in mind Zdziarski's website has been buckling under the weight of visitors hitting it.)

"They appear to be misleading about its capabilities, however, in downplaying them, and this concerns me. I wonder if the higher ups at Apple really are aware of how much non-diagnostic personal information it copies out, wirelessly, bypassing backup encryption."

In response to some of the more excitable media reports of NSA backdoors being built in by Apple, Zdziarski tells users not to panic. Many of the problems with the software are down to its overly broad reach, and it has flaws that could be used by an outside attacker, but there's no evidence that the services were put there for any reason other than poor engineering. ®
