A hacker this week claimed hidden iOS backdoors are used by government, law enforcement and other out-of-control groups to collect personal data without permission, but the allegations are incorrect, a leading security developer told AppleHolic.
[ABOVE: Genuine concern, pink elephant, or hot air? You decide -- state your case in comments below. Image c/o Elsie Hue.]
Hot air attack
The background: Security researcher/hacker Jonathan Zdziarski (aka. "NerveGas") made the claims at the HOPE/X hacker conference, saying these "undocumented" services could be used by law enforcement. Typically, his story quickly became a cause célèbre among those who seek to damage Apple's robust reputation for security.
Apple swiftly rejected Zdziarski's accusations, pointing out that end users are in complete control of the claimed hacking process -- the person owning the device must have unlocked it and "agreed to trust another computer before the computer is able" to access the diagnostic data the claimed NerveGas attack focuses on.
In other words the NerveGas attack is a non-story. It's hot air.
Security boffin says NerveGas is hot air
In order to confirm Apple's claim, I spoke with Mark Curphey, founder and CEO of SourceClear. (SourceClear develops modern security platforms focused on developers, so I figured he'd know).
He confirmed Apple's position:
"Apple's position is that this functionality was intended for developers and requires explicit interactive permission of the user before being able to be maliciously exploited."
He stressed:
"The functionality highlighted here appears to be only ever accessible after you have connected your device physically and hit trust or you have jailbroken your device (in which case all bets are off anyways)."
This pretty much supports Apple's rebuttal.
Spinning the Web
Much was made of the original hacker's claims that these tools were used as backdoors by the NSA and others, but the hacker himself later wormed out of making the claim, saying he'd only suggested these could be used in this way, not that they had. All the same, the spin was spun and the slur made.
Apple has been adamant in rejecting the slur.
"Apple has never worked with any government agency from any country to create a backdoor in any of our products or services," the company said.
Despite Apple's denial, NerveGas -- a noted jailbreaker of Apple's iOS -- continues to insist that these services aren't just intended for diagnostics.
Attention seeking
Curphey doesn't agree. While he agrees these diagnostic services "may indeed be useful in backdoors or computer forensics," he said "they could also be useful for developers and mobile device management software," adding, "two things Apple openly promotes."
"The reality is when you have software and devices that scale you need ways to manage them and all the edge cases that come with supporting millions of users."
And in the most damning indictment of these well-reported claims, Curphey condemned the claims as little more than those of a researcher seeking, "fifteen minutes of fame."
Tips to stay safe
Security and privacy should never be taken lightly and users on any relatively secure platform (basically Apple's platforms) should exercise some common sense to stay protected.
- Never share your passcode.
- Use two-factor authentication if possible.
- Use complex passcodes if available.
- Never give "Trusted" status to a computer that belongs to someone you do not trust.
- Never jailbreak your device.
- Don't install software from unauthorized sources.
- Never click on links in emails from people you do not know.
- Never use a public Wi-Fi network to access your most private services, such as your bank account.
There's more ways to stay secure using a mobile device, and if you'd like to read more about them take a look through the links below.
Apple has also published a little information detailing the three diagnostic tools identified by the hacker.
Also read:
- 6 ways Apple protects your privacy in iOS 8
- iOS 8: Apple kills creepy Wi-Fi Location Tracking? Not really
- How to defend against Apple's Oleg Pliss iCloud attack
- Apple has no Heart (bleed)
- Apple's 'Gotofail' bug sucks, but here's 8 ways to stay safe online
- Apple values your privacy, ads firms complain
Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic's Kool Aid Corner community and join the conversation as we pursue the spirit of the New Model Apple?
Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when fresh items are published here first on Computerworld.