Researcher Identifies Hidden Data-Acquisition Services in iOS

There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users’ personal data.

There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users’ personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.

“Between this tool and other services, you can get almost the same information you could get from a complete backup.”

“Between this tool and other services, you can get almost the same information you could get from a complete backup,” Zdziarski said in an interview. “What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted.”

Using the hidden services that bypass the encrypted backup protection don’t require the use of developer mode and many of them have been present in iOS for five years. Zdziarski, who designed many of the initial methods for acquiring forensic data from iOS devices, said there also is a packet capture tool present on every iOS device that has the ability to dump all of the inbound and outbound HTTP data and runs in the background without and notification to the user.

“It’s installed by default and they don’t prompt the user. If you’re going to start packet sniffing every device that’s out there, you really should be prompting the user,” Zdziarski said.

Zdziarski discussed his findings in a talk at the HOPE X conference recently and published the slides and paper, as well. The file_relay service has been in iOS for some time and originally was benign, but Zdziarski said that in recent versions it has turned into a tool that can dump loads of user data on command. The file_relay tool can dump a list of the email and social media accounts, the address book, the user cache folder, which contains screenshots, offline content, copy/paste data, keyboard typing cache and other personal data. The tool can also provide a log of periodic location snapshots from the device.

There’s also a component of the file_relay service called HFSMeta that appeared in iOS 7 and can create a complete metadata image of the device’s file system. The data it provides includes metadata on all files, such as timestamps, sizes and dates of creation, all of the apps installed on the device, filenames of all of the email attachments on the device and all of the email accounts configured on the device. It also can provide a copy of the keyboard’s autocorrect cache, all of the photos in the user’s album and the user’s voicemail database.

“Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski said. “There’s not even an engineering use for that.”

Some of the undocumented services and features in iOS map pretty closely to capabilities attributed to some of the NSA’s tools, specifically DROPOUTJEEP, which was revealed by documents leaked by Edward Snowden. Zdziarski said that he is not pointing to these services as intentional backdoors for the intelligence community, but he believes there is evidence that the agency may be using them, nonetheless.

“I’m not saying at all that Apple is working with the NSA,” he said. “But at the very least, there’s a very strong case to say that the NSA knows about and exploits these capabilities.”

Suggested articles


  • W. Anderson on

    The results of these findings should call into question IBM partnering with Apple to offer Apple iOS devices to enterprise customers. Unless of course, IBM has been appraised or already knew of these iOS vulnerabilities from Apple, and intent to secure devices before providing them to clients.
  • Tjp on

    The quickest way for Apple to fix these, Just have a tool that exploits these holes. So writing such would be a great service to the community. If it's at large in the wild Apple wouldn't have any choice but to resolve these issues in favor of more privacy for the user. Likely they violate EU privacy concerns as well, but I'm not a lawyer.
  • Brian m on

    If even a fraction of this is true, it means Apple devices need to be kicked out of corporate pronto - perfect timing for the announcement with the Apple/IBM hookup! So much for apple platforms being secure (not that any really are!).
  • Rick Chase on

    Wow. Who would quess. Not another way for Big Brother to keep tabs on all of us bad little children. Get use to it. No one can do anything to stop it, and we all know it.
  • David LaVeque on

    Go to and read the whole story and what is not fixed in ios 8. Apple refuses to give any credit to him,however,consumers owe him big time! And so the story continues,with Apple hidding things,and others exposing them. Look under subjects: Apple ,on johnathans blog.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.