Is Apple’s iOS Backdoor Not a Backdoor?

Man uses an Apple iPhone in Tokyo, Japan on July 16, 2014

Atsushi Tomura/ Getty Images

Last week, in a widely publicized presentation made by iOS forensic expert Jonathan Zdziarski at the recent Hackers On Planet Earth (HOPE/X) conference, the security researcher identified a number of backdoor services in Apple’s (NASDAQ:AAPL) iOS that could be used by law enforcement agencies, commercial forensic software operators, or Apple to covertly collect a user’s personal data from iOS-based devices. As noted in presentation slides provided by Zdziarski, besides “a number of undocumented high-value forensic services running on every iOS device,” Apple’s iOS also included “surveillance mechanisms to bypass personal security,” and “suspicious design omissions in iOS that make collection easier.”

Although Zdziarski made it clear that he was not suggesting a “grand conspiracy” or accusing Apple of collaborating with the NSA, he wanted the company to explain why services “that bypass backup encryption while copying more of your personal data than ever” have been added to mobile devices’ firmware. On Monday, Apple gave an initial response to Zdziarski’s research in a statement provided to Financial Times reporter Tim Bradshaw, who posted it on his Twitter account.

“We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” stated Apple. “A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent. As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products of services.”

Apple later provided a more detailed explanation of some of the specific services identified by Zdziarski in a document posted to the company’s support website. Apple’s support document referred to the “mobile.pcapd,” “mobile.file_relay,” and “mobile.house_arrest” services as “diagnostic capabilities to help enterprise IT departments, developers, and AppleCare troubleshoot issues.”

However, Zdziarski appeared to anticipate Apple’s explanations in his original presentation and he dismissed the idea that the services would be used for Genius Bar or Apple support by noting that the “data is in too raw a format to be used for tech support” and that the “data is far too personal in nature for mere tech support.” He also disputed the contention that the services could be intended for “Engineering / Debugging” by pointing out that “not all 600 million devices need debugging always on” and that “engineering wouldn’t need access to such personal data.”

In his response to Apple’s explanations for three of the services, Zdziarski claimed that the company essentially “admitted to having backdoors on the device,” while noting that the strict definition of a backdoor is “an undisclosed mechanism that bypasses some of the front end security to make access easier for whoever it was designed for.” While Zdziarski credited Apple for acknowledging the services, he also claimed that Apple was misleading about “how much non-diagnostic personal information it [the backdoor services] copies out, wirelessly, bypassing backup encryption.”

It should also be noted that Apple’s support document does not address other iOS security vulnerabilities identified by Zdziarski, including “more benign services” that are intended for enterprise use, but due to their design, make “good attack targets.” On Friday, Zdziarski provided further evidence for his claims with a “quick proof-of-concept” video (see above) to demonstrate how the “unnecessary, undisclosed services” found in iOS can be used by attackers to “bypass user encryption to acquire personal data” from an iPhone.

So who is right, Apple or Zdziarski? Besides the larger disagreement between Apple and Zdziarski over the purpose of some of these services and the type of information that these services copy, there appears to be a smaller quibble over semantics. Based on a definition of backdoors provided by the Open Web Application Security Project (OWASP) organization, Zdziarski calls the services he identified in iOS “backdoors,” while Apple prefers to label them “diagnostic capabilities.” However, to paraphrase Shakespeare, a backdoor service by any other name would still appear to be a security vulnerability.

More from Tech Cheat Sheet:

Follow Nathanael on Twitter (@ArnoldEtan_WSCS)