Jonathan Zdziarski, who flared up the initial round of iOS surveillance claims a couple of months ago, is now reporting that some of these flaws have been rectified with iOS 8. Apple said that these services were used for debugging purposes, and had no connection to government agencies. It then proceeded to detail these processes in a support note.

Zdziarski’s post explains that many issues have been addressed, particularly with File Relay. Before, this service blindly sent data from the device to an external source, without authentication. In iOS 8, he says that the service has been disabled. It seems that data is no longer available either through physical connection or wirelessly. Zdziarski notes law enforcement will not be able to use current tools to access any of this previously-exposed information.

Try Amazon Prime 30-Day Free Trial

He also details some other areas where improvements have been made. Wireless access to app containers, user media and other data has been removed completely. This means potential exploits will require a wired link, removing a big potential attack vector.

However, he notes that USB access to data is still possible (using the same gateway that iTunes uses for device communication) as is wireless backup. He recommends enabling backup encryption (and strong passwords) for maximum security. Concerned individuals should also be vigilant about turning off their phone when going through detainment, as protected data is not re-encrypted until the phone is rebooted.

While closing off the file_relay service greatly improves the data security of the device, one mechanism that hasn’t been addressed adequately is the ability to obtain a handle to application sandboxes across a USB connection, even while the device is locked. This capability is used by iTunes to access application data, but also presents a vulnerability: commercial forensics tools can (and presently do) take advantage of this mechanism to dump the third party application data from a seized device, if they have access to (or can generate) a valid pairing record with the device. For example, if you are detained at an airport or arrested and both your laptop and your phone is seized, or if your phone is seized unlocked (without a laptop present), a number of forensics tools including those from Oxygen, Cellebrite, AccessData, Elcomsoft and others are capable of dumping third party application data across USB.

Full details about Zdziarski’s findings can be found on his blog.


About the Author