Apple, stung by allegations that it has deliberately left ‘back doors’ in iOS, the operating system of its iPhone and iPad, has issued a half-denial that is already adding fuel to the fire. A back door is a method of bypassing a computer system’s normal authentication or access controls.
Allegations that iOS and other operating systems contain intentionally engineered weaknesses that allow user data to be accessed have been around for some time. They have gained currency since Edward Snowden’s revelations about how the US and other governments conduct massive surveillance programs against their own citizens, and how the NSA has expressly asked software companies to build back doors into their products to make surveillance easier.
Those disclosures have also spurred publicity about the extent to which software and Internet companies are complicit, or even cooperative, in government surveillance efforts. Google, Facebook, Microsoft and Yahoo, amongst others, have publicly stated that they are not part of such programs.
Now Apple has issued a kind of semi-denial. Its hand has been forced by an extraordinarily detailed analysis from Jonathan Zdziarski, author of ‘Hacking and Securing iOS Applications’ and an experienced student of Apple and iOS forensics.
Zdziarski’s analysis is publicly available. It documents undocumented services in iOS that bypass user backup encryption, and explains in considerable technical detail how this is done.
“Apple is dishing out a lot of data behind our backs. It’s a violation of the customer’s trust and privacy to bypass backup encryption. There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
“Much of this data simply should never come off the phone, even during a backup. Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals. Overall, the otherwise great security of iOS has been compromised - by Apple, and by design.”
“I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption.”
Apple’s CEO Tim Cook has responded. “We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provide needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues.
“A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.
“As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services.”
That statement falls well short of a denial of Zdziarski’s specific findings, and the technical substance of his analysis has not been disputed. He has since posted a response on his website.
“So again, Apple has, in a traditional sense, admitted to having back doors on the device specifically for their own use. Perhaps people misunderstand the term ‘back door’ due to the stigma Hollywood has given them, but I have never accused these ‘hidden access methods’ as being intended for anything malicious, and I’ve made repeated statements that I haven’t accused Apple of working with NSA.
“That doesn’t mean, however, that the government can’t take advantage of back doors to access the same information. What does concern me is that Apple appears to be completely misleading about some of these, and not addressing the issues I raised on others.”
The issue has set the blogosphere alight. Some Apple fans say they trust the company implicitly to do the right thing; others say they will never use Apple products again. But the main effect seems to have been to sow further seeds of doubt about the extent to which the whole IT industry has, wittingly or unwittingly, helped governments spy wholesale on their own innocent citizens.