About six months ago, Russian developer Denis Tokarev discovered four vulnerabilities in Apple's iOS platform that allow applications to access confidential information without the user's knowledge. He reported his findings to Apple, but so far the company has closed only one of them.

All of the vulnerabilities found by the Russian researcher belong to a single class: information disclosure. On a running iOS device, many background processes are active at all times, each responsible for its own functionality. Their privileges vary, but they are higher than those of App Store apps. Applications, however, can access data from these processes through system frameworks, and that data may in turn contain confidential information.

The vulnerabilities Tokarev discovered are logic flaws: when an application requests data from these processes, the system does not always perform the necessary checks.

The first vulnerability, called Gamed, involves the GameKit framework and its corresponding background process, com.apple.gamed. Tokarev informed Apple about it back on March 10, 2021. The answer came only on August 25: Apple promised to close it in the next update, but even with the release of iOS 15 the corresponding changes to the platform did not appear.

In practice, this vulnerability lets an application read the email address of the Apple ID account and send requests to Apple servers on behalf of the user's Apple ID. It also opens access to four system files on the device that contain the contact lists of the built-in iOS applications and metadata about interactions with those contacts.

A vulnerability called Nehelper installed apps allows any app to check whether a given application is installed on the device by its bundle ID. Another, Nehelper wifi info, is described by Tokarev as minor: it can be used to obtain information about the Wi-Fi access point the device is currently connected to.

The only vulnerability Apple has fixed, with the release of iOS 14.7, is called Analyticsd; it involves the background process responsible for collecting analytics. Through the "log-dump" method, which was not protected by any checks, it was possible to obtain extended data about device usage, medical information (if any), connected accessories, application crash data, and even the languages of web pages opened in Safari.

Having reported the problems to Apple through its Security Bounty program, the Russian researcher received practically no reaction. After waiting about six months, Tokarev published the details of his findings yesterday on Habr in two posts, one in Russian and one in English. Only today, a day later, did Apple finally respond. The company said that the posts had been read and that it "is still investigating these issues and how to overcome them to protect users."