Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researcher Finds Hidden Data-Dumping Services In iOS

samzenpus posted about 3 months ago | from the don't-take-my-data-bro dept.

Privacy 98

Trailrunner7 writes There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.
Update: 07/21 22:15 GMT by U L : Slides.

cancel ×

98 comments

Sorry! There are no comments related to the filter you selected.

Pedos, drug lords, and terrorists take notice!! (5, Funny)

rodrigoandrade (713371) | about 3 months ago | (#47502513)

Everyone else, every law-abiding citizen, may move on, nothing to see here...

Re:Pedos, drug lords, and terrorists take notice!! (2)

i kan reed (749298) | about 3 months ago | (#47502543)

It is not a positive reflection on your post that I can't even tell what kind of paranoid delusion you're trying to espouse.

Re:Pedos, drug lords, and terrorists take notice!! (4, Insightful)

gstoddart (321705) | about 3 months ago | (#47502849)

I'm going with "if you have nothing to hide, you have nothing to fear".

Which isn't so much a paranoid delusion, as it is a prevalent sentiment.

Re:Pedos, drug lords, and terrorists take notice!! (1)

cayenne8 (626475) | about 3 months ago | (#47503315)

So, are there *that* many people out there, that actually trust their phones enough to keep really private stuff on them?

Sheesh.

Re:Pedos, drug lords, and terrorists take notice!! (0)

Anonymous Coward | about 2 months ago | (#47506523)

If I have nothing to hide, then what reason do you have to spy on me as if I do? With altruism off the table (I am innocent, remember), the only explanation left is malice.

Re:Pedos, drug lords, and terrorists take notice!! (2)

gstoddart (321705) | about 2 months ago | (#47507089)

If I have nothing to hide, then what reason do you have to spy on me as if I do? With altruism off the table (I am innocent, remember), the only explanation left is malice.

The corollary to "if you have nothing to hide you have nothing to fear" is that everybody has something to hide.

And the people who spy on you are certainly not willing to give you the benefit of the doubt, and they care not a whit about your presumed innocence.

Re:Pedos, drug lords, and terrorists take notice!! (1)

KibibyteBrain (1455987) | about 3 months ago | (#47502565)

Yup, because the law-abiding can't know about these features so members of the former group use this to fund their illicit activities.

Re:Pedos, drug lords, and terrorists take notice!! (0)

Anonymous Coward | about 3 months ago | (#47502645)

you forgot to include mormons

Re:Pedos, drug lords, and terrorists take notice!! (1)

Anonymous Coward | about 3 months ago | (#47503317)

They're just a subset of pedos

? Well it's also kind of problematic (4, Insightful)

Crashmarik (635988) | about 3 months ago | (#47502655)

For people who lose/have their device stolen.

Re:Pedos, drug lords, and terrorists take notice!! (1)

CaptnZilog (33073) | about 3 months ago | (#47502971)

Everyone else, every law-abiding citizen, may move on, nothing to see here...

So you're a law-abiding citizen?
I'll correct you on that the next time I see you on the roads doing even 1mph over the speed limit - you'll be 'breaking the law' y'know?

Studies show normal ordinary people 'break the law' at least 3x/day on average.
Heck, getting a BJ from your wife is illegal in some states (as far as 'a law on the books') still.
So, they may not be 'strictly enforced' laws, but I'm willing to bet every 'law abiding citizen' (so they think) has broken the law, and does so quite often really.

Re: Pedos, drug lords, and terrorists take notice! (1)

Anonymous Coward | about 3 months ago | (#47503111)

Go whoosh yourself.

Re: Pedos, drug lords, and terrorists take notice (1)

Anonymous Coward | about 3 months ago | (#47503615)

That too is against the law in some states.

Re:Pedos, drug lords, and terrorists take notice!! (1)

FictionPimp (712802) | about 2 months ago | (#47506703)

Recently, in a nearby city an office was injured arresting a criminal. The police response was that the people in that bad area didn't help the officer as he was being beaten, so they started patrolling that area more. The result was jaywalking tickets to people crossing the street from their house to their mailbox, and kids getting tickets for riding their bikes without a headlamp (in the daytime). Basically any tiny infraction to punish the populace.

Re:Pedos, drug lords, and terrorists take notice!! (0)

Anonymous Coward | about 2 months ago | (#47507381)

every law-abiding citizen, may move on, nothing to see here...

If the country is a democracy, and the govt is *by* the people, it means the govt is an employee of the people. What gives an employee (govt) the right to spy on the boss (people) whether it's warranted or not?

2 Questions (3, Interesting)

CanHasDIY (1672858) | about 3 months ago | (#47502521)

1) Can this method be used to bypass iCloud?

2) Does anyone have a write-up of how it works? I've got a lost-to-pawn iPad that need wiped, and will likely have more come into the shop in the future.

Re:2 Questions (0)

Anonymous Coward | about 3 months ago | (#47504883)

why not just jailbeak and flash again with stock?

Huge Caveat! (5, Informative)

rabtech (223758) | about 3 months ago | (#47502555)

There is a huge caveat here:

You can only do this if you have the keys from a computer you have sync'd with previously. That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

Some of the stuff he complains about is only enabled for devices used for development or if the device is enrolled in enterprise provisioning. As far as I'm aware, Apple requires that the company purchase the device on the company account to support over the air enrollment in this system so it wouldn't affect personal devices. Even for USB connected devices, you must enter the password/passcode to allow the device to be visible to MDM tools in the first place. Even enabling development mode requires entering the password/passcode.

The one main point he brings up (which I agree with) is Apple needs to provide a way to see the list of computers on your device and remove them.

There are some other more theoretical issues here that Apple should address, but no your iPhone is not running a packet sniffer and will not hand over files to anyone who connects. If your device isn't provisioned for enterprise and has never connected to a PC to sync (the vast majority of iOS devices these days) then as far as I can tell, none of the issues he found are of any use whatsoever.

Re:Huge Caveat! (-1)

Anonymous Coward | about 3 months ago | (#47502571)

"and will not hand over files to anyone who connects"

except if it's law enforcement using that tool that pulls all of your data, apparently breaking encryption in the process.

Re:Huge Caveat! (-1)

Anonymous Coward | about 3 months ago | (#47502663)

Master keys anyone? Oh no Apple would NEVER do that right?

The reality of the situation is this has been around for a very long time. When the forensics people do data collection on devices it's a plug and dump situation with very little hassle involved. Most of the phone vendors have a way of doing this. Moral of the story is if you don't want people to have access to your data don't store it in digital format. Encryption is only a minor inconvenience and most of the time's it's easily bypassed.

Re:Huge Caveat! (1)

gerardrj (207690) | about 3 months ago | (#47502839)

If there were master keys the Apple process to retrieve court ordered data would not take 4 months and $1,000.

Re:Huge Caveat! (0)

Anonymous Coward | about 3 months ago | (#47504075)

Tell that to your local forensics investigator with his special USB cable and software. Physical access to the device trumps going through Apple every time.

Re:Huge Caveat! (0)

Anonymous Coward | about 3 months ago | (#47504973)

Most departments that do have the software and the motivation don't have the time or the resources to keep up with the massive supply of tinfoil hats required to actually make it work.

Re:Huge Caveat! (1)

tehlinux (896034) | about 3 months ago | (#47504635)

"Most of the phone vendors have a way of doing this."

[Citation needed]

Re:Huge Caveat! (0)

Anonymous Coward | about 2 months ago | (#47505263)

"Master keys anyone? Oh no Apple would NEVER do that right?"

Not if they wanted to continue making a living out of selling their wares. Seriously, if there products were backdoored and the world finds out that is the end of the company. Nobody will pay over the odds for the latest shiny that just sits there stealing their data (iCloud sync would take care of this with a master key arrangement).

Too many words (5, Insightful)

joh (27088) | about 3 months ago | (#47502669)

People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

Re:Too many words (3, Informative)

Charliemopps (1157495) | about 3 months ago | (#47502817)

People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
http://cdn.bgr.com/2013/11/app... [bgr.com]

But at least Apple held off for longer than some of the others:
http://static.guim.co.uk/sys-i... [guim.co.uk]

Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go strait to apple.

Re:Too many words (4, Insightful)

joh (27088) | about 3 months ago | (#47503323)

People want to read something like "The iPhone has a secret backdoor for the NSA!!!". Anything much longer than that will never be read or understood by most people.

It's hopeless. Ask 100 people who have heard of this and 95 of them will tell you that it is proven now that the iPhone has a secret backdoor for the NSA over which all data can just be read by them.

(And I'm not even saying that it has NO such backdoor. Maybe it has. But this isn't it. This just isn't designed for mass surveillance, it needs a cooperating user and individual access to a device the user has connected his iPhone to. Maybe it's a side door for law enforcement and/or forensics additionally to a debugging tool.)

Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government.
http://cdn.bgr.com/2013/11/app... [bgr.com]

According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?

Re:Too many words (3)

hsthompson69 (1674722) | about 3 months ago | (#47504399)

We're missing a number here - how many requests were *made*?

http://cdn.bgr.com/2013/11/app... [bgr.com]

The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.

100% success rate in complying with requests sounds pretty cozy to me...

Re:Too many words (1)

Smurf (7981) | about 3 months ago | (#47504979)

The data for the US is almost laughably vague. It could very well be that 1000 requests were made, and 1000 requests were granted.

100% success rate in complying with requests sounds pretty cozy to me...

Following that exact same logic we could argue that 2000 requests were made (involving 3000 accounts) and 0 were granted.

A 0% success rate in complying with requests sounds pretty un-cozy to me...

I agree that the data is worthless, though.

Re:Too many words (1)

AmiMoJo (196126) | about 2 months ago | (#47506633)

What's "cozy" about that?

Did a judge authorize every release of data? I don't know, I'm asking. If they just handed it over when asked then that is a cozy relationship, if they demanded a warrant and gave the target notice and an opportunity to contest it then that's fair enough.

Re:Too many words (2)

Plumpaquatsch (2701653) | about 2 months ago | (#47507701)

Except for the fact that Apples handing all of your data over to the NSA anyway. Apple has a very cozy relationship with the US federal government. http://cdn.bgr.com/2013/11/app... [bgr.com]

According to that table there were 0 - 1000 cases in which "some" content data was disclosed to law enforcement in the US (and 1 in the UK and 0 in about 30 other countries). You call this "a very cozy relationship"? With 313 million citizens in the US there were less than 1000 requests granted. What's "cozy" about that?

Not to mention that this number includes all requests for tracking down stolen phones and those from missing persons.

Re:Too many words (1)

drinkypoo (153816) | about 2 months ago | (#47506649)

Long story short? The NSA doesn't need this backdoor, it's a lot easier to just go strait to apple.

This isn't about the NSA in particular, this is about all law enforcement. It's ordinary for law enforcement to confiscate your phone and drop it into a cradle for analysis when you're arrested.

Re:Too many words (0)

Anonymous Coward | about 3 months ago | (#47505121)

Nope. I don't trust your "nothing to see here, move along". Breaking encrypting through brute-force techniques has been around for a long time, and if there is a 'you have to do this and that' and you are relying on 'this and that' is not enough to save you, because there is always a simpler verions of 'this and that', and even if there isn't an easier version, as said before, brute-force might be really hard for some, and childs play for others. Breaking it and all others like it is a billable job, and people who enjoy doing it can automate the hell out of it, and in a short time, make it a button press for a novice (working for the 3 letter agency).

Re:Huge Caveat! (4, Informative)

93 Escort Wagon (326346) | about 3 months ago | (#47502677)

That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

Re:Huge Caveat! (4, Informative)

jittles (1613415) | about 3 months ago | (#47502721)

That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

The article made that very clear. But it's not clear to me where these keys are stored - is it on the disk, unprotected, or is it in your encrypted keychain? If the former, it seems to me that - unless you encrypt your computer's hard disk - this means anyone with unfettered access to your computer could get at these keys and thereby get at everything on your iOS device. If the latter, it would be much more difficult to do, even if they otherwise got access to your account.

The guy said he uses this to monitor his kids (which, depending on their age, might be a bit jerky in my opinion). However since he seems like an overzealous parent, I'm wondering if he has his kids' passwords etc., which would be necessary if these keys are in the keychain.

Unless Apple has changed the way this process works, the keys you need to get it to sync aren't in the keychain at all. ON a mac you can find them in ~/Library/MobileSync or something like that. On later versions of Windows it'll be in Users\\AppData\Roaming\Apple\MobileSync

You can quite literally copy and paste them from one machine to another in order to trick an iDevice into syncing with multiple iTunes libraries at once, though you can run into problems with that if you're not careful. However, if encryption is enabled on backups, then you must know the passphrase to actually access a device backup. It's been years since I've played around with this, so I may bit a bit off on the exact directory locations, but they are basically just files sitting around in your user folder.

Re:Huge Caveat! (0)

Anonymous Coward | about 2 months ago | (#47505277)

Always encrypt your hard disk these days. There's that much data snooping going on it is the least you can do. That way they either need to know your passcode, guess your passcode, or prove to you the encryption is either trivial or backdoored (doesn't even matter which). Getting your passcode would then at least require some judicial oversight - UK citizens need no longer apply.

ANOTHER Huge Caveat! (0)

Anonymous Coward | about 3 months ago | (#47502865)

The iDevice has to be jailbroken to get at these features.

Re:Huge Caveat! (2)

Lumpy (12016) | about 3 months ago | (#47503465)

In other words, over sensationalized slashdot summary carefully glazes over the facts that make it moot.

Re:Huge Caveat! (-1)

Anonymous Coward | about 3 months ago | (#47503495)

Gotta LOVE new tech. Check out www.xcommsdirect.com Email is Dead

Re:Huge Caveat! (1)

Guy Harris (3803) | about 2 months ago | (#47505397)

but no your iPhone is not running a packet sniffer

Not even if you're using a Remote Virtual Interface [apple.com] ? If that can only be used by plugging the device into a Mac and running rvictl on the Mac, that's one thing, but if you can also get it to act as a remote pcap daemon over the network, as he claims, that's a different matter.

Huge Caveat! (0)

Anonymous Coward | about 2 months ago | (#47506351)

Or to put it another way, they're the services used for syncing (or at least, don't offer any more access than the sync functionality).

Of course a computer set to sync data can access the fucking data.

Attacker or law enforcement? (4, Insightful)

Anonymous Coward | about 3 months ago | (#47502561)

whether by an attacker or law enforcement

For those who are innocent, law enforcement IS the attacker.

DROPOUTJEEP backdoor (4, Interesting)

Animats (122034) | about 3 months ago | (#47502567)

This may be the backdoor known as DROPOUTJEEP [iclarified.com] , which was described in some Snowden-leaked documents last year.

Looks like Apple sold out, put in a backdoor, and then lied about it.

Re:DROPOUTJEEP backdoor (-1)

Anonymous Coward | about 3 months ago | (#47502649)

This may be the backdoor known as DROPOUTJEEP [iclarified.com] , which was described in some Snowden-leaked documents last year.

Looks like Apple sold out, put in a backdoor, and then lied about it.

Apple lied?

Say it ain't so!

What's next? Spout some inane meaningless marketing babble to the masses about not being evil?

Re:DROPOUTJEEP backdoor (2)

Animats (122034) | about 3 months ago | (#47502885)

Apple's reputation management service is reacting faster now. It used to take them an hour to mod criticism down. Now it only takes 15 minutes. Who are they using?

Re:DROPOUTJEEP backdoor (2)

Lumpy (12016) | about 3 months ago | (#47503473)

The MS shills are pretty much whores, I'm betting they paid them $0.03 a mod.

Re:DROPOUTJEEP backdoor (3, Funny)

HornWumpus (783565) | about 3 months ago | (#47503745)

Not a MS shill. But a consultant. Just because I'm a whore, doesn't mean I'm cheap.

Re:DROPOUTJEEP backdoor (-1)

Anonymous Coward | about 3 months ago | (#47502915)

Maybe you should try to get over the Snowden related paranoid delusions. People here have gone just as crazy as people did after 9/11. Time to get back to reality.

It's called trauma (1)

joh (27088) | about 3 months ago | (#47503461)

Really, very much as after 9/11 people are actually training themselves into a deep trauma. As you should know avoiding a trauma means NOT to do that. Sadly if you leave people to do what they want (and have this amplified by the headline-addicted press and of course the Internet) they will do exactly that. They will over and over come back to what did hurt them, they will stare at it all day long and become more and more fascinated by it, until they can't think of anything else anymore. Feelings of intense anger that is targeted at often logically totally unrelated persons or things will be more and more common.

http://en.wikipedia.org/wiki/P... [wikipedia.org]

To "get back to reality" isn't easy then.

Re:DROPOUTJEEP backdoor (2)

Plumpaquatsch (2701653) | about 2 months ago | (#47507891)

This may be the backdoor known as DROPOUTJEEP [iclarified.com] , which was described in some Snowden-leaked documents last year.

Looks like Apple sold out, put in a backdoor, and then lied about it.

Yeah. Or the guy who wrote that is either a moron or a jerkass, and completely ignored some important info given. Like the fact that DROPOUT.JEEP was actually the codename for a wired jailbreak for the first iPhone that NSA had to develop themselves. It's not like that info is hard to gain once you strip out the boasting and bullshit bingo from the l33t NSA haX0r slide.

XOR (4, Insightful)

Himmy32 (650060) | about 3 months ago | (#47502591)

The summary seems to imply that law enforcement and being an attacker are mutually exclusive...

Good way to bypass iTunes... (0)

Anonymous Coward | about 3 months ago | (#47502609)

Does this mean I can back it up over USB without iTunes? That's not a bug, it's a feature!

DON'T PANIC (5, Informative)

Anonymous Coward | about 3 months ago | (#47502625)

Why link to a re-post and not to the source: http://www.zdziarski.com/blog/ [zdziarski.com]

There we find this:

DON'T PANIC

Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldnâ(TM)t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They donâ(TM)t belong there.

Re:DON'T PANIC (2)

dos1 (2950945) | about 3 months ago | (#47502661)

>I want these services off my phone.

How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

Re:DON'T PANIC (4, Insightful)

0123456 (636235) | about 3 months ago | (#47502691)

How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

Yes, they could buy Android instead. Or Windows.

Oh, hang one...

Re:DON'T PANIC (3, Funny)

TechyImmigrant (175943) | about 3 months ago | (#47502727)

Try BeOS.
Not a high profile target for the feds, the police or the Russian mob.

Re:DON'T PANIC (0)

Anonymous Coward | about 3 months ago | (#47503471)

Given the choice I'd hang Android. At least I've managed to get some work done on Windows.

Re:DON'T PANIC (1)

dos1 (2950945) | about 3 months ago | (#47538745)

Android and Windows Phone aren't the only alternatives out there. There are even devices and OSes that are supported entirely by FLOSS community, like OpenPhoenux. There is a choice, you just have to keep your eyes wide open.

Re:DON'T PANIC (5, Insightful)

gstoddart (321705) | about 3 months ago | (#47502831)

How can you say that and yet still buy such devices? It's not like one doesn't have a choice...

And how much crap is installed on Android you can't disable (or know is there) without rooting your phone?

How much crap on Windows phone? I bet you can neither disable nor know it's there.

Your BlackBerry?

So, please, tell us, how are Android, Windows or BlackBerry phones any better? Can you prove none of them has something similar?

I very much doubt you can.

You can choose to not have a device at all, but I have my doubts you can choose a phone which doesn't have similar security holes you know nothing about.

Re:DON'T PANIC (2)

Lumpy (12016) | about 3 months ago | (#47503481)

The only secure Android phone is what is running Cyanogenmod.

Re:DON'T PANIC (2)

Rick Zeman (15628) | about 3 months ago | (#47504459)

The only secure Android phone is what is running Cyanogenmod.

Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.

Re:DON'T PANIC (0)

mjwx (966435) | about 2 months ago | (#47505941)

The only secure Android phone is what is running Cyanogenmod.

Only if you personally are capable of security auditing every single line of source code. Otherwise, you'll be trusting someone or something...as virtually everyone else is doing.

And how much source code does Apple give you to audit.

There are levels of trust we accept because not everyone has the time or skills to audit source code. However many actions (like simply making source code available) make others more trustworthy than their competitors.

I know Google collects info from my Nexus 5 and 7 but Google are at least honest about what they collect, give me options on what gets sent and have demonstrated how it's annonymised.

Apple collects the same, if not more info from Iphone/Ipad users but they don't openly admit to it, they hid it deep in the fine print of the T&C's (something about sharing data with "partners") nor do they demonstrate that the data is anonymised at all.

Unless you're a complete idiot, it's easy to see who's the more trustworthy.

Re:DON'T PANIC (0)

Anonymous Coward | about 3 months ago | (#47504559)

Cyanogenmod is a venture-backed for-profit business now.
Cyanogenmod had been flirting with Google for a while now in the interests of shipping with Play services.
Stock Cyanogenmod makes continuous access to Google's servers (no cite, but check the AFWall+ logs). ...and more...

Don't get me wrong, it's a great ROM and what I use, but there is nothing even remotely "secure" about it.

Re:DON'T PANIC (3, Funny)

mysidia (191772) | about 3 months ago | (#47504927)

The only secure Android phone is what is running Cyanogenmod.

No... the only secure Android phone is the one you pulled the battery out on.

iPhone is trickier... since there's no removable battery: it is very hard to secure. Best bet is to wrap it in tin foil and let the battery drain down on its own, then when it reaches 0% it will be secure

Re:DON'T PANIC (0)

Anonymous Coward | about 2 months ago | (#47505717)

The only secure Android phone is what is running Cyanogenmod.

oh right so it has no security holes, you continue to pretend that.

Re:DON'T PANIC (2)

exomondo (1725132) | about 2 months ago | (#47505723)

The only secure Android phone is what is running Cyanogenmod.

If you take "secure" to mean "i don't know of any security vulnerabilities in it" then sure, but that's unlikely to be very secure.

Re:DON'T PANIC (4, Insightful)

joh (27088) | about 3 months ago | (#47503613)

Android has the Google Play Services that has all permissions, that can update itself without asking or even telling the user and that has access to EVERYTHING on the phone. If the NSA wants you data, it gets it. Period.

And really, you need to do some reality-check here. You can't protect yourself against that. No way. Not without building your own hardware, writing your own software, including the firmware and the baseband.

All the geeks dreaming of technical solutions to political problems are just dreamers. What we need is some sane checks and balances for when and in which cases such things are used. This is a political problem and the first step to home in to a solution is accepting that there ARE cases where law enforcement and government agencies indeed have a right and a need to do this. Without accepting this you will only continue to shake your fists and even IF you may get into power with steadfastly requiring 100% security against everyone: Once you will notice that people will use the Internet and mobile devices to organize against you then, you WILL turn around and cry for surveillance and WILL try to defend yourself. Freedom has to have some teeth and hands and eyes to defend itself. The point is not to pull the teeth, the point is how to tame them. There are no technical solutions to that problem.

Re:DON'T PANIC (1)

viperidaenz (2515578) | about 3 months ago | (#47503909)

Not if you block it with a HOSTS file!

Re:DON'T PANIC (0)

Anonymous Coward | about 2 months ago | (#47505551)

APK! APK! APK! Sing it, brother!

Okay, I'm trying not to vomit from laughing too hard now.

Re:DON'T PANIC (1)

Kamien (1561193) | about 2 months ago | (#47506963)

Just buy an Android phone without Google Apps pre-installed.
I have one (Huawei).

No Google Play Services (and any other Google Apps - Maps, Mail, etc.)

Re:DON'T PANIC (1)

Plumpaquatsch (2701653) | about 2 months ago | (#47509397)

Just buy an Android phone without Google Apps pre-installed. I have one (Huawei). No Google Play Services (and any other Google Apps - Maps, Mail, etc.)

Yeah, having everything send to the Chinese intelligence agencies is soooo much better. Not to mention the NSA backdoors in the Linux kernel that Google itself hasn't found.

Re:DON'T PANIC (1)

hweimer (709734) | about 3 months ago | (#47504133)

So, please, tell us, how are Android, Windows or BlackBerry phones any better?

Many Android vendors have well-documented procedures how to unlock the bootloader of the device and install a custom ROM, which can be mostly built from source (the remaining proprietary blobs come from non-US companies and/or are unlikely to contain backdoors because of the greatly reduced codebase). None of the other major players allow this.

Re:DON'T PANIC (1)

knarf (34928) | about 3 months ago | (#47504203)

Android: you have the source. Not the source of the binary blobs so the device can still be compromised through those, but the rest is 'up to you'. Apple, Microsoft, Blackberry... no source.

Is Android the bees knees of mobile software? No, far from it. It is up to par with the competition, though. And it is free software (most of it). The non-free bits can be replaced, mostly. The non-replaceable bits... need to be replaceable. In other words, as it stands now Android is a local optimum.

Re:DON'T PANIC (1)

Anonymous Coward | about 3 months ago | (#47504585)

Android (as shipped with most phones) is about as open source as iOS is [apple.com] . iOS's kernel and most of the userspace is open source, just like Android's. A huge amount of what users expect from the devices is closed source, just like Google Apps and Google Play Services.

Read the AOSP/Cyanogenmod/etc forums sometime. Most people install Google Apps, and at that point you're well back into mothership calling blackbox land.

Re:DON'T PANIC (0)

Anonymous Coward | about 3 months ago | (#47521135)

"You can choose to not have a device at all, but I have my doubts you can choose a phone which doesn't have similar security holes you know nothing about."

I wonder how this was modded up?

I'm pretty sure that Cyanogenmod doesn't have similar security holes. You basically answered your own question: just root the Android phone and you can get rid of all the crap, and replace OS completely. This is simply not possible with Iphone/Windows/Blackberry.

Re:DON'T PANIC (1)

dos1 (2950945) | about 3 months ago | (#47538761)

You have a choice to buy iOS, Android, Windows or BlackBerry phones.

My Openmoko, SHR, Maemo, QtMoko and Debian based phones are a nice example. And they all work pretty well! It wasn't always the case, especially in their early days, but things have stabilized pretty well over time.

If you don't want any "crap", support projects like Neo900. You do have a choice.

Re:DON'T PANIC (1)

dos1 (2950945) | about 3 months ago | (#47538771)

to not buy*, of course.

Re:DON'T PANIC (1)

johanwanderer (1078391) | about 3 months ago | (#47502807)

You mean, DON'T PANIC [adafruit.com] .

Re:DON'T PANIC (1)

Kamien (1561193) | about 2 months ago | (#47506911)

The blog post also says this:
"(...) I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.
I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption. Tell me, what is the point in promising the user encryption if there is a back door to bypass it?"

Legitimate engineering uses (4, Interesting)

tipo159 (1151047) | about 3 months ago | (#47502639)

Apple is often prone to adding capabilities without thinking through the security implications. But this researcher should do some more research into what constitutes legitimate engineering uses.

From TFA:

“Some of this data shouldn’t be on the phone. HFSMeta creates a disk image of everything that’s on the phone, not the content but the metadata,” Zdziarski said. “There’s not even an engineering use for that.”

I can imagine plenty of legitimate uses of just metadata. For example, the old iOS backup mechanism basically took a snapshot of everything and something like HFSMeta could be used to identify the files that have changed so only those files are backed up.

Re:Legitimate engineering uses (0)

Anonymous Coward | about 3 months ago | (#47502777)

You have officially been banned from the circle jerk.

Re:Legitimate engineering uses (-1)

Anonymous Coward | about 3 months ago | (#47502829)

Well, I don't care what use Apple has for these features. I don't want them on my phone if I get one. So how do I remove them? Oh, I can't? And why didn't Apple tell others about these legitimate uses before? Fucking assholes as usual. Rape Job's widow as punishment.

Re:Legitimate engineering uses (0)

Anonymous Coward | about 3 months ago | (#47503235)

she was buried with him in his pyramid

Re:Legitimate engineering uses (1)

joh (27088) | about 3 months ago | (#47503633)

In iOS 7 or later just do not tap on "Yes" if it asks you if you trust the device you connected you iPhone to if you don't trust it.

Re:Legitimate engineering uses (4, Informative)

thoromyr (673646) | about 3 months ago | (#47503361)

not to mention "...creates a disk image of everything that’s on the phone..." is misleading, even with the following caveat. It would be far more accurate to say something like "...creates a copy of file access times of everything that's on the phone, and other metadata such as file size and other timestamps." But that wouldn't be bait for journalists and misquotation. (And if the dumped iOS file system metadata includes other things, perhaps mention those -- but timestamps and file size are the main things.)

In Soviet USA (0)

Anonymous Coward | about 3 months ago | (#47503307)

iOS iSpies on you.

biZnatch (-1)

Anonymous Coward | about 3 months ago | (#47503377)

of business and Irc.secsup.org or AT THIS POINT is also a miserable Towel under the least I won't real problems that and shouting that SLING you can Result of a quaarel

I knew it! (0)

Anonymous Coward | about 3 months ago | (#47503767)

I frikken knew it. That's why China won't allow iPhones. I bet you 83% odds Windows has it too. Government backdoor is 99% the reason.

Whoa. (1)

edrobinson (976396) | about 3 months ago | (#47503821)

Is Apple beginning to get like M$?

Whoa. (0)

Anonymous Coward | about 3 months ago | (#47503899)

Is Apple beginning to get like M$?

It always was.

Re:Whoa. (1)

mjwx (966435) | about 2 months ago | (#47505951)

Is Apple beginning to get like M$?

What do you mean by "beginning"?

Oh snap! (2)

viperidaenz (2515578) | about 3 months ago | (#47503895)

You'll have to close this back door in iOS 8 and add a new one that's harder to find.

JCS does not like Crypto devices (0)

Anonymous Coward | about 3 months ago | (#47503933)

Smartphones could theoretically be perform the function of an unbreakable crypto endpoint, very much like a "SIGABA in your Pocket".

That would make their ears deaf. Billions of SIGABAs in the hand of civilians !!!

So they "broke" the crypto machine security by adding backdoors. Don't by the corporate colored glass beads, but roll your own crypto. Its not actually hard. A small controller, an LCD display and a keyboard will do.

Re:JCS does not like Crypto devices (3, Insightful)

Anonymous Coward | about 2 months ago | (#47505583)

Don't by the corporate colored glass beads, but roll your own crypto. Its not actually hard.

WHAT THE FUCK ARE YOU SMOKING? Rolling your own crypto is HARD. The near infinite number of ways you can screw up (fucked implementations like "optimizations", timing attacks, electromagnetic leakage, poor handling of entropy and key material--the list goes on and on) automatically make rolling your own crypto a bad idea.

You want better security, support the open source hardware and software guys (especially crypto devs who put out established/trustworthy products like OpenBSD).

And yes, I've written plenty of crypto code and STILL don't trust any of it.

Re:JCS does not like Crypto devices (1)

Sloppy (14984) | about 2 months ago | (#47507889)

He was obviously talking about building your own hardware. Did you really think his parts list of "A small controller, an LCD display and a keyboard," was in reference to writing an alternative to OpenBSD?

Law Enforcement should cost (1)

cant_get_a_good_nick (172131) | about 2 months ago | (#47507871)

Process is now taking about four months on average, and costs
about $1,000, so LE is looking for streamlined / inexpensive
tools to collect evidence.

Part of the protection against tyranny isn't the gun, but simply that certain law enforcement has certain costs. Part of it is red tape - a warrant sticks some glue in the process, slows it down. Part of it is monetary costs. In the 1970's wire taps cost a lot.

These costs force some filtering of resources. You can't just go after everyone, you need to be somewhat efficient with resources. It doesn't eliminate bad actors, but it makes the consequences more intense.

Part of what the NSA is doing, they can do because the surveillance is so cheap. If it cost them 1000 a person, then just in America it would cost them 350 Billion a year to spy. The world would cost 7 Trillion. We can't afford that, only that surveillance is (too) cheap does mass surveillance make sense.

Memo to Self : don't buy iAnything (1)

RockDoctor (15477) | about 3 months ago | (#47515055)

Memo from Self : Like I was going to do that? After the last time I worked on a Mac?
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?