Apple has "inadvertently admitted" to creating a "backdoor" in iOS, according to a new post by a forensics scientist, iOS author and former hacker, who this week created a stir when he posted a presentation laying out his case.
Apple has created "several services and mechanisms" that let Apple -- and, potentially, government agencies or malicious third parties -- extract large amounts of personal data from iOS devices, says Jonathan Zdziarski. There is, he says, no way for a user to shut off this data leakage, and no explicit consent is granted by end users.
He made his case in a talk, "Identifying back doors, attack points, and surveillance mechanisms in iOS devices," [available in PDF] at the annual HOPE X hackers conference last week in New York City. The talk was based on a paper published in the March issue of "Digital Investigation," which can be ordered online.
Essentially, Zdziarski says that Apple over time has deliberately added several "undocumented high-value forensic services" to iOS, along with "suspicious design omissions...that make collection easier." The result, he argues, is that these services can copy a wide range of a user's personal data and bypass Apple's backup encryption. That gives Apple, and potentially government agencies such as the National Security Agency, or simply attackers intent on exploiting these services, the ability to extract personal data without the user knowing it is happening.
In the past two years, Apple has become much more open about the iOS security architecture, and how and why it's making changes to it, according to security professionals and IT consultants who are praising both the company's transparency and its approach to protecting iOS devices, Internet security and users' data. [see "Apple reveals unprecedented details in iOS security"] The latest Apple-authored iOS Security whitepaper is available as a PDF.
The Zdziarski presentation slides were the basis of a round of summarizing news and blog postings about his claims, such as this one at ZDNet by Jason O'Grady. But Apple responded officially to a query by Rene Ritchie, editor of the Apple-focused iMore website, saying it had never worked with "any government agency...to create a backdoor in any of our products." Here's the text of the Apple response, as posted by Ritchie:
"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent. As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."