A security researcher has discovered several features in the iOS ecosystem that circumvent the encrypted backup protection for sensitive data and metadata stored on iOS devices. Worse, these features can be used to extract those pieces of information from your iPhone, iPad or Mac.
According to Jonathan Zdziarski, a forensics expert, the mobile file_relay service in iOS is capable of acquiring data while bypassing the encryption Apple built into its product line. When file_relay was first shipped on iOS devices, it worked as a benign feature. Only after a few years did the service grow into a data-acquisition tool that can be abused.
Attackers can reach the iOS service from a remote server or over a USB link. The encryption bypass works as long as the user has not changed the PIN since the last time it was entered, before the file_relay service turned into a data-acquisition tool for hackers.
This further exposes a loophole in what Apple describes as fully encrypted data once the user clicks the button to enable encrypted backup protection. The file_relay service has been present in iOS for approximately five years now.
And it does not really matter whether you are a skilled developer or a novice in this field. As Zdziarski further disclosed, a packet capture feature also hounds iOS devices. It collects and dumps data transmitted over inbound and outbound HTTP connections, and users are unaware when this happens because it operates in the background. Take note that the connection does not use encryption.
Some of the data that the file_relay tool can dump includes email addresses, social media accounts, address books, user caches, offline content and keyboard typing data, among others. The researcher also found a file_relay service component in iOS 7 that captures an image of the full metadata of a device. If it falls into the hands of hackers, they gain access to metadata including timestamps, the sizes of data created and information on every app stored on the device. Attackers can also learn the names of files on your device, email attachments, keyboard autocorrect caches, photos and voicemails.
It is puzzling why these pieces of information should be kept on an iOS device at all when, being metadata only, they should be removed promptly. Zdziarski observed that these features in iOS are somehow related to the tools used by the NSA, as revealed by Edward Snowden.