
Stealing your SMS messages with iOS 0day - nstj
https://wojciechregula.blog/post/stealing-your-sms-messages-with-ios-0day/
======
captn3m0
The exploit author's blog post on why the extra entitlements work (and how
Apple fixed it) makes for a more interesting reading:
[https://siguza.github.io/psychicpaper/](https://siguza.github.io/psychicpaper/)

~~~
sinuhe69
An interesting read. If the problem is apps' entitlements, I wonder why Apple
didn't develop an AI to flag apps with suspicious entitlements? For a parser,
it might be a problem with complex nested tags, but for human reviewers I
argue it's much easier to spot constructed entitlements. And Apple can always
require the developers to rewrite the entitlements if needed. Automatically
sanitizing entitlements would be helpful, too, because they are not designed
to be complex.

~~~
ksml
I think a much simpler solution would be to just use one consistent XML
parser. Throwing AI at things is not a good general solution. Black-box AI
models may work in the common case, but they have edge cases with bizarre
behaviors that are poorly understood. You'd end up with a result likely worse
than this.

------
TedDoesntTalk
All it's doing is POSTing the contents of
/private/var/mobile/Library/SMS/sms.db to a server. You can't get an app into
the App Store that has the required permissions to access that file.

Solution: Don't install apps outside the App Store.

~~~
soulofmischief
That's not a real solution when we know Apple's walled garden is so
restrictive.

~~~
kennywinker
I've used iOS for over a decade without needing to install apps outside of the
app store. I would guess that the vast majority of iOS users share that
experience. I understand you might be frustrated by those limitations, but to
say "hold off on this until it's fixed" seems pretty reasonable.

It's pretty ironic to hear a complaint about the walled garden, when the only
apparent way to solve this "0day" is probably going to be to put up another
wall.

~~~
soulofmischief
"hold off on this until it's fixed" is definitely reasonable. However, that's
not what OP said. OP said, "Don't install apps outside the App Store." That
reminds me of the kind of apologetic advice I get from the Microsoft community
when dealing with Windows' strange behavior and anti-user choices.

> It's pretty ironic to hear a complaint about the walled garden, when the
> only apparent way to solve this "0day" is probably going to be to put up
> another wall.

You're conflating two separate issues. Microsoft has a certification program
for Windows programs, Linux has extremely nuanced permissions, SELinux, etc.

This has been solved elsewhere but the walled garden of iOS is deliberately
ill-designed and is not a robust solution.

~~~
hugofloss
For me the walled garden of iOS attracts me to the platform. Its apps are
relatively safe, stable and curated. Sure, these restrictions might suck for
you as a power user. For me, someone who makes phone calls, chats with family,
takes pictures and reads the news this is just perfect. I don't need to think
a lot about security because the platform thinks about it for me. For you it
feels like prison, for me it feels like one thing less to worry about. For you
it's ill-designed, for me it's designed for me the consumer.

I'm curious what your definition of robust is.

~~~
soulofmischief
It sucks for me as a power user because I prefer Apple's corporate ethos, but
their increasingly quirky UI and no recourse for things like alternative
launchers make it an automatic no-go because I can't _stand_ Apple's
interfaces. It seems silly to most people but I get physical anxiety from
interfaces which don't behave consistently or make me feel claustrophobic, and
I've grown tired of relearning iOS every few years. To the point where I'm
using hole-ridden Android devices with bags of telemetry by default, but with
a consistent launcher I've used for many years and know how to navigate. No
hidden UI tricks.

If Apple would allow people like me to control the devices we buy, I would
finally have a home in the mobile market.

~~~
dkonofalski
>but I get physical anxiety from interfaces which don't behave consistently or
make me feel claustrophobic

I feel terribly for you. I can't imagine being in my own way so much that
Apple's UI would give me physical anxiety.

~~~
soulofmischief
It's not "in my own way", it's some kind of physical disorder where I
legitimately get a sense of panic if things aren't responsive for more than a
couple hundred milliseconds when they should be; a great example is when
explorer.exe jams up in Windows and everything severely stutters.

I wish I didn't deal with this but a little sensitivity towards users like me
would be nice instead of ironically writing us off as close-minded. I have
diagnosed OCD and it's just a facet of that. It can be quite frustrating at
times when I'm trying to use an interface and, say, intrusive thoughts lead me
to repeating body movements like clicking or picking up and dropping my mouse
and next thing I know my browser is closed and I've opened up another program
without even realizing. Like it happens all day while I'm working and the more
invisible my interface the better. It's not easy to overcome these physical
impulses and reactions. I still deal with vocal tics and stuff like that.

~~~
dkonofalski
That doesn't really sound like an issue with the interface, though. Again, I'm
sorry you have to deal with that but you're basically saying that companies
need to account for the possibility that someone who clicked the "X" to close
a window may not have intended to close the window. That's just crazy talk.

~~~
soulofmischief
No, that's not what I said. If you want to have this discussion in good faith
then let's not mince words.

I said a proper platform allows user control and customization over the
interface, providing a way for users to continue using interfaces that make
sense to them even if some young engineer at Apple finds a clever new way to
shove some functionality into a screen gesture.

This isn't crazy talk. It's exactly how my Linux-based computer and Android-
based phone operate and I've been using the same window manager / launcher for
over a decade, while the mainstream default ones like Gnome 3 continue to make
the strangest and most anti-user design decisions. I just bought a MIUI phone
and if I couldn't flash my own Paranoid Android ROM in the coming weeks I
would have to return this phone because the UI is _bonkers_.

------
gok
"reading the SMS database of an iOS device to which you have full unlocked
physical access"

~~~
oxguy3
The point is that someone could slip this code into an innocuous-looking app
and trick an unsuspecting user into installing it.

~~~
formercoder
But not a security-conscious user who knows that once the USB cable is plugged
in, the device is compromised.

~~~
verandaguy
Most security-conscious users do not assume this. Newer iOS versions ask for
credentials (and all recent smartphones that I've used ask for credential-less
permission) before transferring data over USB.

------
kennywinker
it pains me that there is no way to legitimately export your message history
for archival. I know it's backed up with icloud and local backups, but I would
love the ability to view message history, run analysis of my convos, and
"archive" convos to date (i.e. I want to be able to go back and read the
convo, but I don't want to have the 13.4TB of gifs on my phone anymore)

So, I may just replicate this "0day" and run it on myself... will be fixed
soon, but at least I'd have a single snapshot

~~~
kalleboo
You can use third-party software like iMazing or PhoneView to extract the
message history

~~~
joshspankit
I personally use iMazing for this, it’s pretty great

------
rock_artist
I'm actually eager to use this and write an app to finally migrate all my
messages from Android stuck in an xml since I didn't use Apple's migration
tool initially.

------
xvector
Doesn't iOS ask you for permissions when granting data to an app? This seems
completely bizarre to me.

The App Store verification process does not seem like a reasonable single line
of defense. If applications can just get data from the rest of your phone
without prompting the user then something is seriously broken here.

~~~
saagarjha
No, this is based on the Psychic Paper “exploit” that was described a few days
ago that allowed developers to sign their apps with extra entitlements,
including ones that would allow for accessing files outside of the normal
application sandbox. (To be clear: there is no app, other than Messages, that
should ever be able to access your messages. Such an app is not allowed on the
App Store.)

~~~
xvector
Ah, thanks.

------
tandav
Good example of using `http.server` in python

------
mkchoi212
Another reason why you shouldn’t make custom parsers, even if you are a multi-
billion dollar company like Apple. Trust in the power of open source!

------
jtchang
Of course it would be XML. XML is hell to parse. In fact I bet hell is trying
to write XSLT for the rest of eternity.

~~~
klodolph
What? XML is super easy to parse. If you think XML is hard to parse, maybe
you're trying to do it with a DOM interface, or wasting a bunch of time
manually shuffling data around. The XML 1.0 spec is super short, once you
ignore DTD stuff and things like entity references.

In this case it's just a plist, which makes things even easier.

~~~
saagarjha
And yet Apple has a handful of parsers which all parse it differently…

~~~
klodolph
Can you elaborate on that? I know it's really in fashion to hate on XML here,
I just want to understand what people's complaints are.

Having written parsers for JSON, YAML, and XML at various points, I can tell
you that XML was not much more complicated than JSON. It's got a good, clean
spec and not too many rules.

~~~
saagarjha
I think Siguza’s blog post describes the background for this issue in a
remarkably accessible way:
[https://siguza.github.io/psychicpaper/](https://siguza.github.io/psychicpaper/).
You may also find libplist (a third-party plist parser)’s woes interesting:
[https://github.com/libimobiledevice/libplist/issues/83](https://github.com/libimobiledevice/libplist/issues/83)
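
The disagreement saagarjha is describing (the same entitlements bytes, several parsers, different results) as an added example; this is not code from the original post, from Siguza's write-up, or from Apple. Python's expat-backed `plistlib` stands in for a spec-conformant XML parser. The "lenient" comment stripper is constructed for illustration only and does not reproduce any specific Apple parser: its single bug is that it looks for the closing `-->` three characters after `<!--`, so `<!--->` counts as a complete empty comment. That one difference is enough for the two parsers to disagree about which keys are commented out. The sample plist and the entitlement name `com.example.hypothetical-privileged-entitlement` are made up; `is_suspicious` and `canonicalize` are the checks a signing or review pipeline could run, not anything Apple ships.

```python
import plistlib

# Constructed sample: an innocuous-looking entitlements plist with a comment
# trick wrapped around an extra key. The privileged entitlement name is
# hypothetical, not a real Apple entitlement.
ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.innocuous</string>
    <key>get-task-allow</key>
    <false/>
    <!---><!-->
    <key>com.example.hypothetical-privileged-entitlement</key>
    <true/>
    <!-- -->
</dict>
</plist>
"""


def strip_comments_lenient(text):
    """Toy comment stripper modelling a sloppy parser (constructed, not Apple's).

    It searches for the closing '-->' starting three characters after '<!--',
    so the dashes may overlap and '<!--->' is taken as a complete comment.
    A spec-conformant parser requires the closer to start after the full
    four-character opener (start + 4).
    """
    out, i = [], 0
    while True:
        start = text.find("<!--", i)
        if start < 0:
            out.append(text[i:])
            return "".join(out)
        out.append(text[i:start])
        end = text.find("-->", start + 3)  # the bug: should be start + 4
        if end < 0:
            raise ValueError("unterminated comment")
        i = end + 3


def keys_strict(plist_bytes):
    """Keys as seen by the spec-conformant parser (expat via plistlib)."""
    return set(plistlib.loads(plist_bytes))


def keys_lenient(plist_bytes):
    """Keys as seen after the lenient stripper has decided what is a comment."""
    stripped = strip_comments_lenient(plist_bytes.decode("utf-8"))
    return set(plistlib.loads(stripped.encode("utf-8")))


def differential(plist_bytes):
    """Return (strict keys, lenient keys, symmetric difference)."""
    strict, lenient = keys_strict(plist_bytes), keys_lenient(plist_bytes)
    return strict, lenient, strict ^ lenient


def is_suspicious(plist_bytes):
    """Pipeline-side check: entitlements are plain key/value data and have no
    business containing comments, CDATA or extra processing instructions.
    Independently, any parser disagreement is grounds for rejection."""
    body = plist_bytes.decode("utf-8")
    if "<!--" in body or "<![CDATA[" in body or body.count("<?") > 1:
        return True
    return bool(differential(plist_bytes)[2])


def canonicalize(plist_bytes):
    """Re-serialize through one parser so every downstream consumer signs and
    reads the same bytes the reviewer looked at (no comments survive)."""
    return plistlib.dumps(plistlib.loads(plist_bytes), fmt=plistlib.FMT_XML, sort_keys=True)


if __name__ == "__main__":
    strict, lenient, diff = differential(ENTITLEMENTS)
    print("strict parser sees :", sorted(strict))
    print("lenient parser sees:", sorted(lenient))
    print("disagreement       :", sorted(diff))
    print("suspicious         :", is_suspicious(ENTITLEMENTS))
    print("canonical          :", is_suspicious(canonicalize(ENTITLEMENTS)))
```

Run it with `python3` and the strict parser reports the extra key while the lenient one does not; a reviewer whose tooling used the lenient parser would never see it, while a consumer using the strict one would honour it. The defensive posture is the one `is_suspicious` and `canonicalize` encode: refuse entitlements that contain any comment or CDATA at all, and sign a canonical re-serialization rather than the developer-supplied bytes, so there is only one parse that matters.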

~~~
klodolph
The first article may be interesting or it may not be, it's four thousand
words long and I don't know what I'm looking for. It sounds like there are
some bugs in XML parsers. Well, people put bugs in simple code all the time.
People also try to be clever and make parsers Very Fast, and people are also
lazy and don't test simple edge cases. Mix these together and you get bugs.

Then, some third-party plist parsing library written in C can segfault. I'm
not surprised! Does that mean XML parsing is hard? No. It happened because
it's easy to make a library written in C segfault, no matter how easy the
problem you're solving is. C is like that.

I can say that I have actually authored a different plist parsing library in
C, and I don't remember running into a bunch of segfaults. What I do remember
is that of the major plist variants, the XML variant was the easiest to work
with. The text variant is more concise but you can't use an off-the-shelf XML
parser. The binary format is poorly documented. Clear win for XML plists, in
my book.

I'm not going to take Apple's hit-or-miss software quality or bugs in some
random third-party library as an indictment of XML.

~~~
saagarjha
Are you sure your parser parses it exactly how Apple’s does? Are you sure I
couldn’t just fuzz it a bit and get it to crash?

~~~
klodolph
Do you want me to explain my QA process to you? Or are you just trying to make
a point?

If you’re trying to make a point, just make your point, don’t waste my time by
leading me around with questions.

~~~
saagarjha
I am, actually: writing a parser that is bug-for-bug compatible with Apple is
nontrivial, and you haven't given me anything so far that convinces me that
you realize that complexity and have dealt with it in the way I am describing.

~~~
klodolph
I asked because a conversation about whether I “realize that complexity” is
exactly the kind of conversation I want to avoid. I’m not here to litigate how
good a developer I am.

The sense I’m getting—to be honest—is that you want to ask me questions until
I “submit”. Maybe I’m off the mark! There are a lot of interesting directions
that a conversation about parser correctness can go. You can discuss different
goals, the idea of parsing to a spec versus matching the behavior of a
reference implementation, fuzzing, attacks, stack overflow, and ergonomics
like the quality of error messages. It’s an interesting subject.

~~~
saagarjha
Note that this has nothing to do with how good a developer you are. I am
specifically talking about your accuracy with parsing property lists as Apple
does. You could have a perfect, XML spec compliant, stable parser and it would
still not be relevant here because Apple does not use one themselves and
third-party implementations which aim to be compatible must be bug-for-bug
compatible.

~~~
klodolph
You’re just rewording things that you said earlier and elaborating.

~~~
saagarjha
Right, because I'm hoping that might help you understand what I was trying to
say better. Were you expecting something else?

~~~
klodolph
I was hoping for a conversation.

