Apple May Be Spying On You

While Apple is placing a lot of emphasis on iOS security and on privacy, it turns out that iOS might not be as secure or private as Apple has led customers to believe.

Cover image via

This is Jonathan Zdziarski, an iOS forensic examiner. He probably knows more about iPhones than any other non-Apple employee.

Researcher Jonathan Zdziarski

Image via

Yet even he can't find a reason for some of the mystery features buried within the iOS operating system, which look an awful lot like security backdoors that bypass user-designated data protections. The features could be there to let Apple — or even the National Security Agency or the FBI — get access to most of your iOS device's data without you knowing it.

On 18 July 2014, in a presentation at the HOPE X hacker conference, Jonathan detailed his discoveries about the data-collection tools hidden on iOS devices

Some tools are listed by name, yet not explained, in the Apple developer manual and do far more than advertised. Others are undocumented and buried deep within the iOS code.

The hidden features may partly explain allegations, based on documents leaked in the Snowden archive, in the German newsmagazine Der Spiegel that the NSA has had the ability to access data on BlackBerrys and Android and iOS devices. Der Spiegel did not detail how the NSA would do so.

Jonathan says the undocumented features can be accessed by any PC or Mac to which a targeted iOS device has been connected via USB. Some hidden features can also be accessed via Wi-Fi while the phone is at rest, or even while the owner is using it.

A backdoor is a hidden remote access from an outside source to the device (stock image pictured) that enables the hacker to have almost full access with little detection

Image via

Zdziarksi is certain that these mechanisms, whatever their purpose, are no accident. He has seen them become more complex, and they seem to get as much maintenance and attention as iOS' advertised features. Even as Apple adds new security features, the company may be adding ways to circumvent them.

"I am not suggesting some grand conspiracy," Zdziarski clarified in a blog post after his HOPE X talk. "There are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.

"My hope is that Apple will correct the problem," he added in the blog posting. "Nothing less, nothing more. I want these services off my phone. They don't belong there."

In case you're wondering how exactly would someone connect to these mechanisms on an iPhone? Well, Jonathan explains that the trick has to do with iOS "pairing."

When an iOS device connects to a PC or a Mac via USB, the mobile device and the computer exchange security certificates that establish a trusted relationship between the two, and exchange encryption keys for setting up an encrypted SSL channel.

The keys and certificates are stored on the iOS device and on the desktop, and never deleted unless the iOS device is wiped (via the "Erase all contents and settings" feature) or the desktop is restored to factory settings. In most cases, this pairing relationship is established automatically as soon as the devices are connected.

The first step in spying on an iOS device is to get that pairing data. A targeted iPhone could be covertly connected to a computer without the owner's knowledge (sort of the James Bond approach). Or spyware could be installed on the targeted person's desktop, and the pairing data copied. With the pairing data, attackers can locate the targeted iOS device on a Wi-Fi network. Because iPhones are set up to automatically join networks whose names they recognize (like "linksys" or "attwifi"), attackers can also force an iPhone to connect to an attacker-controlled network.

Back in March 2014, in a research paper published in the journal Digital Investigation, Jonathan had written:

"It may even be possible for a government agency with privileged access to a cellular carrier's network to connect to the device over cellular (although I cannot verify this, due to the carrier's firewalls)."

This is all a lot of ifs, of course, writes Jill Scharr, of Tom', in his detailed report about Jonathan's findings

The attacker has to have the pairing keys; the attacker must know where the targeted iOS device is; the attacker has to get on the same Wi-Fi network as the device, and the iPhone needs to have its Wi-Fi switched on. This may be more than the average criminal could pull off, but it wouldn't be difficult for the NSA, an agency with an approximately $52 billion budget, or the FBI.

"Something in the mechanism"

Image via

Once the paired connection is established, access is granted to the mystery tools. Perhaps the most serious is one that Zdziarski described as an "undocumented file-relay service that really only has relevance to purposes of spying and/or law enforcement." The feature ( copies and relays nearly all the data stored on an iOS device, even when Backup Encryption is enabled. It is separate from iOS' documented backup and sync features.

Since around 2009, iOS devices have had an optional feature called Backup Encryption. The feature encrypts all data backed up from an iOS device to a PC or Mac running iTunes, complete with a separate password. File_relay bypasses the password.

Other tools are are only partly documented in official Apple publications. One is a packet sniffer, or network traffic analyzer, called that views all network traffic and HTTP header data going to and from the iOS device. (Some packet sniffers can also analyze traffic to and from other devices on the same Wi-Fi network.) Packet sniffers can be useful for iOS developers testing their apps, but Zdziarksi said the feature is enabled on all iOS devices, even those not in developer mode.

"Why do we need a packet sniffer running on 600 million personal iOS devices?" Zdziarski asked during his presentation. No visual indication is given when is running; it could be triggered and run without the user's knowledge. "It remains a mystery why Apple decided that every single recent device needed to come with a packet sniffer," Zdziarksi wrote in his research paper.

So why do these features exist? While Jonathan can't prove that they were created as Backdoors for law enforcement, in his talk, he did eliminate some of the other possibilities.

Image via

Could the features be there for developers? No, said Zdziarski: Most of the mechanisms he identified are not in the official Apple developer manual. Are they there for Apple's engineers? No: Engineering tools don't need to be installed on every single iPhone.

Is it simply forgotten code? No: Zdziarksi has seen these tools grow more capable with each iteration of iOS. When Apple added the Backup Encryption feature, he said, it also added the means to circumvent it. Clearly, Zdziarski feels, Apple is keeping these secret abilities alive. "They're maintaining this code," Zdziarski said at the HOPE X talk. "Over the years, year after year, there are new data sources in file_relay ... nobody has forgotten about [these mechanisms]."

"I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices," Zdziarksi wrote on his blog. "At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy."

On 22 July 2014, following Jonathan's report, Apple responded back to address 'Backdoor' concerns on top of stating that it's not working with anyone to include Backdoors in any of its products

“We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple wrote in an email statement that was published on Twitter by Financial Times journalist Tim Bradshaw.

“A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.”

“As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products of services,” the company concluded.

Jonathan responded to Apple's response saying that the mechanisms he documented can send information to Apple regardless of whether the user has authorized it

"Every single [iOS] device has these features enabled, and there's no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device," he wrote. "This makes it much harder to believe that Apple is actually telling the truth here."

The apparent Apple statement that stated that Apple has never worked with any government agency from any country to create a backdoor in any of their products or services. Zdziarski countered that the undocumented mechanisms he described in his presentation create security and privacy vulnerabilities that surveillance and law-enforcement agencies could exploit with relative ease.

"I understand that every OS has diagnostic functions," he wrote. "However, these services break the promise that Apple makes with the consumer when they enter a backup password: that the data on their device will only come off the phone encrypted."

On 23 July 2014, Apple then posted a support document on its website providing explanations for three of the undocumented features Jonathan had showcased

Image via

"Pcapd supports diagnostic packet capture from an iOS device to a trusted computer," the posting said in part. "This is useful for troubleshooting and diagnosing issues with apps on the device as well as enterprise VPN connections."

As for file_relay, it "is separate from user-generated backups, does not have access to all data on the device, and respects iOS Data Protection," the document stated. "Apple engineering uses file_relay on internal devices to qualify customer configurations. AppleCare, with user consent, can also use this tool to gather relevant diagnostic data from users' devices."

A third feature,, "is used by iTunes to transfer documents to and from an iOS device for apps that support this functionality."

Apple affirmed that using these functions requires a Mac or PC to first establish pairing with an iOS device, as Jonathan had noted, and that the functions may be accessed wirelessly

"Each of these diagnostic capabilities requires the user to have unlocked their device and agreed to trust another computer," the document said. "Any data transmitted between the iOS device and trusted computer is encrypted with keys not shared with Apple. For users who have enabled iTunes Wi-Fi Sync on a trusted computer, these services may also be accessed wirelessly by that computer."

Jonathan then responded on his blog: "I give Apple credit for acknowledging these services, and at least trying to give an answer to people who want to know why these services are there." But added that the company was being "misleading" and evasive.

Image via

"The problem I have with [pcadpd is with] its implementation," he wrote. "Pcapd is available on every iOS device out there, and can be activated on any device without the user's knowledge. ... it can be employed for snooping by third parties in a privileged position."

"Apple is being completely misleading by claiming that file_relay is only for copying diagnostic data," Zdziarski added. "If, by diagnostic data, you mean the user's complete photo album, their SMS, Notes, Address Book, GeoLocation data, screenshots of the last thing they were looking at, and a ton of other personal data, then sure — but this data is far too personal in nature to ever be needed for diagnostics."

"I suspect [Apple will] also quietly fix many of the issues I've raised," he wrote. "It would be wildly irresponsible for Apple not to address these issues, especially now that the public knows about them."

Meanwhile, read why China has labeled the iPhone a "national security threat"

You may be interested in: