
CVE-2023-40429: An app may be able to access sensitive user data.

Primary language: Swift. License: MIT.

HostName

Overview

HostName is a sample application demonstrating how a third-party app can access a user's device name without the com.apple.developer.device-information.user-assigned-device-name entitlement.

Details

In iOS 16, Apple added the com.apple.developer.device-information.user-assigned-device-name entitlement to prevent third-party applications from fingerprinting a user by device name. However, the ProcessInfo.processInfo.hostName API broke in the process, which allowed a third-party developer to get the network hostname of the device without an entitlement. While the hostname is not a perfect 1:1 copy of the device name, it's close. For example, my device is named Astronaut Sloth, which gives me a hostname of Astronaut-Sloth.

When a third-party developer accesses the ProcessInfo.processInfo.hostName API, the user is presented with an "Allow to communicate with Local Network Devices" prompt. In iOS 15, the ProcessInfo.processInfo.hostName API would return localhost if the user denied this prompt. However, in iOS 16 this also broke - a device name was always returned regardless of user input.
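As an added example that is not part of the HostName project's code, the following diagnostic lets a tester confirm on a device whether ProcessInfo.processInfo.hostName still mirrors the user-assigned name. The name normalization (spaces to hyphens) is inferred from the single example above, and the handling of a trailing ".local" suffix is an assumption.

```swift
import Foundation

/// Result of checking whether the hostName API reflects the user-assigned device name.
enum HostNameLeakStatus {
    case notLeaking             // hostName is "localhost" (the iOS 15 behaviour when the prompt is denied)
    case leaking(String)        // hostName matches the normalized user-assigned device name
    case inconclusive(String)   // a hostname came back, but it does not match the supplied name
}

/// Normalizes a device name into the hostname form seen on the page
/// ("Astronaut Sloth" -> "Astronaut-Sloth").
/// Assumption: only spaces are replaced; other characters are left untouched.
func hostNameForm(of deviceName: String) -> String {
    return deviceName
        .trimmingCharacters(in: .whitespacesAndNewlines)
        .replacingOccurrences(of: " ", with: "-")
}

/// Compares the hostname returned by ProcessInfo with the device name the tester expects.
/// The tester supplies `expectedDeviceName` directly, because reading the user-assigned name
/// legitimately requires the user-assigned-device-name entitlement on iOS 16 and later.
func checkHostNameLeak(expectedDeviceName: String,
                       hostName: String = ProcessInfo.processInfo.hostName) -> HostNameLeakStatus {
    // Assumption: an mDNS-style hostname may carry a ".local" suffix; strip it before comparing.
    let stripped = hostName.hasSuffix(".local") ? String(hostName.dropLast(6)) : hostName

    if stripped.isEmpty || stripped == "localhost" {
        return .notLeaking
    }
    if stripped.caseInsensitiveCompare(hostNameForm(of: expectedDeviceName)) == .orderedSame {
        return .leaking(hostName)
    }
    return .inconclusive(hostName)
}

// Usage on a test device: set the device name in Settings first, then run the check.
switch checkHostNameLeak(expectedDeviceName: "Astronaut Sloth") {
case .notLeaking:              print("hostName does not expose the device name")
case .leaking(let host):       print("hostName exposes the device name: \(host)")
case .inconclusive(let host):  print("hostName returned \(host); compare manually")
}
```

Run it twice, once after denying and once after allowing the Local Network prompt, to see whether the user's choice affects the result as it did on iOS 15.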

Timeline

  • Discovered & reported this entitlement leak/bypass in August 2022 during the iOS 16 beta period.
  • Apple patched the issue with iOS 17.0 in September 2023.
  • Apple verified that the issue was fixed with iOS 17.0 in September 2023. This issue was not eligible for a bug bounty.
  • The public disclosure was added to the iOS 17.0 Security Notes in September 2023.

Final Thoughts

  • I can't blame Apple for not wanting to pay a bug bounty for a one-line device-name bypass, but I'll admit it was a little frustrating to hear that an API leaking entitlement-gated information didn't qualify for a bug bounty. If anyone from Apple stumbles upon this, I would take a moment to update the bug bounty categories page to include more information about similar issues that fall in the "it's a sensitive data bypass, but the data is not that sensitive" category. I still plan to finish up the other user fingerprinting issues I've found, but this experience has taken a bit of the wind out of my sails.