Security researcher suggests 600M iOS devices have Apple-created backdoors for data

How secure is the data your iPhone(s aapl) or iPad? A little less than perhaps you thought, according to Jonathan Zdziarski, who has a slideshow of findings that may surprise you. A security researcher with several books to his credit, Zdziarski suggests that 600 million iOS devices have built-in backdoors and undocumented services put in place by Apple.

Zdziarski’s slides came to light on Monday through ZDNet and were used in a recent conference talk he gave called “Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices.”
The full set of slides are available in a PDF download here, but some of the highlights include:

  • Library and cache files are not encrypted although since iOS 7, third-party documents are.
  • Some of the undocumented services in iOS — “lockdownd,” “pcapd” and “mobile.file_relay” — can get at encrypted data for access over USB and perhaps thorough a cellular connection.
  • Third-party forensic software companies that know how to access data through these backdoors are selling their services to law enforcement agencies.

Zdziarski suggests these services are part of iOS by design, perhaps so that Apple can comply with legal requests for data from the government. It’s difficult to say, of course, and Apple hasn’t commented on the original story.
I can understand why Apple might want such software loopholes; it makes it easier to provide such data if ever it needs to. And generally, Apple has put security issues at the forefront of iOS: Sure, there have been occasional security holes found, but the company is quick to deal with them. It also offers a number of security features for personal and enterprise use: Full device encryption, sandboxed applications, app code signing, and a secure boot chain.
Zdziarski thinks this situation is still a breach of customers’ trust, however, mainly because these services are undocumented and not mentioned to consumers. I can see his point: People don’t like to be surprised by learning that services have long been running on their personal devices without their knowledge.