iOS slurpware brouhaha: It's for diagnostics, honest, says Apple

Hidden packet sniffer claims hit Cupertino

Faced with a growing backlash, Apple has added a page to its support website explaining iOS's previously unexplained data-slurping tools – which were recently highlighted by security researcher Jonathan Zdziarski.

The utilities – which include a silent packet sniffer, a file relay system that bypasses Apple's Backup Encryption, and other information-shifting systems – sparked alarm this week: Cupertino hadn't officially warned millions of its iThing users about the built-in mechanisms, or about the potential for attackers to harvest personal data from iOS devices using said entry points.

In the support document, Apple says the mysterious subsystems can only work when used between a desktop and iOS device that trust each other. Unfortunately, that doesn't completely stop miscreants and the feds from abusing that trust – thanks to the pairing system detailed by Zdziarski in an academic paper in March and presentation [PDF] at the Hackers On Planet Earth (HOPE X) conference.
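One practical check that follows from Apple's trust argument, added here as an example and not part of the article or of Apple's documentation: list the lockdown pairing records held on a desktop to see which iOS devices currently trust that machine, since those records are what the services above rely on. The plist key names (HostID, HostCertificate, DeviceCertificate, WiFiMACAddress, EscrowBag) and the skipped SystemConfiguration.plist are assumptions based on the common pairing-record layout, not values taken from the article.

```python
import os
import plistlib
from typing import Dict, List

# Keys assumed to mark a usable pairing record.
REQUIRED_KEYS = ("HostID", "HostCertificate", "DeviceCertificate")

# Constructed sample record for offline testing; not from any real device or host.
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "00000000-AAAA-BBBB-CCCC-DDDDDDDDDDDD",
    "HostCertificate": b"placeholder-host-cert",
    "DeviceCertificate": b"placeholder-device-cert",
    "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",
    "EscrowBag": b"placeholder-escrow-bag",
})


def parse_pairing_record(data: bytes) -> Dict[str, object]:
    """Summarise one pairing-record plist; return {} if data is not one."""
    try:
        record = plistlib.loads(data)
    except Exception:
        return {}
    if not isinstance(record, dict) or not all(k in record for k in REQUIRED_KEYS):
        return {}
    return {
        "host_id": record["HostID"],
        # A stored Wi-Fi MAC means the paired host can reach the device over the network.
        "wifi_mac": record.get("WiFiMACAddress", ""),
        # Escrow bag: lets the paired host reach protected data without the passcode.
        "has_escrow_bag": "EscrowBag" in record,
    }


def audit_lockdown_dir(path: str) -> List[Dict[str, object]]:
    """Return one summary per device UDID with a valid pairing record in path."""
    findings: List[Dict[str, object]] = []
    if not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        # SystemConfiguration.plist holds the host's own identity, not a device.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        with open(os.path.join(path, name), "rb") as fh:
            summary = parse_pairing_record(fh.read())
        if summary:
            summary["udid"] = name[: -len(".plist")]
            findings.append(summary)
    return findings
```

Run audit_lockdown_dir against the host's lockdown directory (assumed defaults: /var/db/lockdown on macOS, C:\ProgramData\Apple\Lockdown on Windows, /var/lib/lockdown for libimobiledevice on Linux), usually as root; any device listed can be reached by this host through the services Apple describes.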

Apple's side of the story

Apple says iOS's undocumented packet sniffer, com.apple.mobile.pcapd, is used for setting up enterprise VPN tunnels, and for troubleshooting problems on iPhones, iPads and iPods. The file relay, com.apple.mobile.file_relay, is designed to be used by its engineers and AppleCare staff, and the company insists that it "does not have access to all data on the device."

The third component under the microscope, com.apple.mobile.house_arrest, is used by Xcode to transfer test data to a device and to shift documents around in iTunes, Apple claims.

Cupertino's explanations haven't impressed Zdziarski. In a detailed blog post, he has taken apart Apple's documentation, and highlights some fairly worrying aspects of the code as it stands.

Researcher's rebuttal

He points out that in all cases, the under-fire software in iOS is activated and run without the owner's consent or knowledge. Some of the tools may be intended only for developers and enterprise IT managers, but shipping them on every iOS device as standard is, he argues, just plain weird or lazy.

The network packet sniffer in particular can be activated silently in the background and used to send a whole host of personal data from the gadget wirelessly, provided the correct pairing data is available. There's no way for normal folk to know if their iPhone, iPad or iPod is leaking data.

As for the file relay system, Zdziarski scoffed at Apple's insistence that it is only needed for diagnostic data. The software can download text messages, notes, a device's address book, personal photos, location data, and screenshots – something a diagnostics engineer would never need, he argued.

In addition, the file relay bypasses the inbuilt data encryption to gather all this information – and this can be done wirelessly and without the user's knowledge or consent. "File relay is far too sloppy with personal data, and serves up a lot more than 'diagnostics' data," he concludes.

As for the House Arrest function, Zdziarski agrees that iTunes and Xcode use the software, but points out that it also accesses a wealth of personal data, including the OAuth tokens that can be used to access personal accounts and private conversations, which isn’t strictly speaking needed for the functions Apple states.

"I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there – prior to this, there was no documentation about file relay whatsoever, or its 44 data services to copy off personal data," he wrote. (Bear in mind Zdziarski's website has been buckling under the weight of visitors hitting it.)

"They appear to be misleading about its capabilities, however, in downplaying them, and this concerns me. I wonder if the higher ups at Apple really are aware of how much non-diagnostic personal information it copies out, wirelessly, bypassing backup encryption."

In response to some of the more excitable media reports of NSA backdoors being built in by Apple, Zdziarski tells users not to panic. Many of the problems stem from the services' overly broad reach, and they have flaws an outside attacker could abuse, but there's no evidence that they were put there for any reason other than poor engineering. ®
