Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program

illusionofchaos, posted 4 years ago
  • In iOS, the privileges and permissions that govern which data an app may use are called entitlements. Most of the time, a large dialog pops up asking "Do you want to share your location with app X?" This post is about bypasses of the permission checks that protect sensitive data from applications.
  • The XPC service for com.apple.gamed does not properly check for the com.apple.developer.game-center entitlement. As a result, any app can read the Apple ID's email address and username, obtain an auth token for several Apple applications, read some mail and messages, and much more.
  • The second vulnerability was an app enumeration issue. Calling the XPC endpoint com.apple.nehelper with a bundle ID returns an array of UUIDs if an app with that bundle ID is installed. Knowing which other apps a user has installed could be used to target users in foreign countries.
  • The XPC endpoint com.apple.nehelper accepts a user-supplied parameter called sdk-version. If this value is larger than 524288, the entitlement check for com.apple.developer.networking.wifi-info is skipped. This makes Wi-Fi information, such as the SSID, accessible to the application.
  • Any installed application can access Analyticsd. This allows the theft of medical information, device usage, screen time, crash data and a few other items. The author does not state the actual vulnerability, or whether this was simply left open.
  • Apple fixed the final vulnerability but never gave the author credit. The first three were unfixed for 120 days, and Apple refused to comment on his messages. It sounds like the Apple Bug Bounty is not something to trust.
  • Overall, it is interesting to see missing permission checks being so prevalent in iOS. Most of the time we talk about memory corruption bugs, not the lack of entitlement checks.