There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and extract large amounts of users’ personal data. Several of these features began as benign services but have evolved in recent years into powerful tools for acquiring user data.
Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition. He found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection and can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or by law enforcement, Zdziarski said.
“Between this tool and other services, you can get almost the same information you could get from a complete backup,” Zdziarski said in an interview. “What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted.”
Using the hidden services that bypass the encrypted backup protection doesn’t require developer mode, and many of them have been present in iOS for five years. Zdziarski, who designed many of the initial methods for acquiring forensic data from iOS devices, said there is also a packet capture tool present on every iOS device that can dump all of the inbound and outbound HTTP data and runs in the background without any notification to the user.
“It’s installed by default and they don’t prompt the user. If you’re going to start packet sniffing every device that’s out there, you really should be prompting the user,” Zdziarski said.
Zdziarski discussed his findings in a talk at the HOPE X conference recently and published the slides and paper, as well. The file_relay service has been in iOS for some time and originally was benign, but Zdziarski said that in recent versions it has turned into a tool that can dump loads of user data on command. The file_relay tool can dump a list of the email and social media accounts, the address book, the user cache folder, which contains screenshots, offline content, copy/paste data, keyboard typing cache and other personal data. The tool can also provide a log of periodic location snapshots from the device.
There’s also a component of the file_relay service called HFSMeta that appeared in iOS 7 and can create a complete metadata image of the device’s file system. The data it provides includes metadata on all files, such as timestamps, sizes and dates of creation, all of the apps installed on the device, filenames of all of the email attachments on the device and all of the email accounts configured on the device. It also can provide a copy of the keyboard’s autocorrect cache, all of the photos in the user’s album and the user’s voicemail database.
“Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski said. “There’s not even an engineering use for that.”
Some of the undocumented services and features in iOS map pretty closely to capabilities attributed to some of the NSA’s tools, specifically DROPOUTJEEP, which was revealed by documents leaked by Edward Snowden. Zdziarski said that he is not pointing to these services as intentional backdoors for the intelligence community, but he believes there is evidence that the agency may be using them, nonetheless.
“I’m not saying at all that Apple is working with the NSA,” he said. “But at the very least, there’s a very strong case to say that the NSA knows about and exploits these capabilities.”