A number of undocumented features in iOS have been found to essentially create backdoors for siphoning large amounts of users’ personal data from Apple devices.
Jonathan Zdziarski, a researcher who often trains federal and state law enforcement agencies in forensic techniques, revealed the existence of the mostly hidden features.
Zdziarski said a lot of the data that can be pulled off iOS devices should never even leave them, even when they are being backed up. For example, he said one HTTP data “packet sniffer” service that runs on every single iOS device could potentially be accessed over Wi-Fi without the user ever knowing.
The one service he seems to have the biggest problem with is one that first showed up in iOS 2 but has since been developed with each successive release of the operating system. He said the service bypasses the encryption and then exposes “a forensic trove of intelligence.” Hackers could potentially access the user’s contacts, clipboard, notes, voicemails, calendars and CoreLocation logs.
Zdziarski alleges that a number of forensic software makers like Elcomsoft, AccessData and Cellebrite turn a profit by using the backdoor iOS security services to collect user data and then sell it to law enforcement.
In response, Apple has released a statement to Tim Bradshaw, a tech reporter at the Financial Times. Unsurprisingly, Apple’s statement denies Zdziarski’s allegations:
“We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.”
Apple also says in its statement that it “has never worked with any government agency from any country to create a backdoor in any of our products or services.” This is a reiteration of an assertion it made in its response to a report publicized earlier this month by a state-run broadcaster in China, declaring Apple’s location-tracking function in iOS a “national security concern.”