iPhones allow extraction of deep personal data without user’s knowledge

iPhone users be warned: Personal data including text messages, contact lists and photos can be extracted from your device through techniques that do not require a user’s explicit permission. A security expert revealed these insights in a presentation this week, prompting Apple Inc to admit they knew about them. Researcher Jonathan Zdziarski showed how the services take a surprising amount of data – much more information than was needed, with too little disclosure.

This data is far too personal in nature to ever be needed for diagnostics. In fact, diagnostics is almost the complete opposite of this kind of data… the user is never prompted to give their permission to dump all of this data, or notified in any way on-screen.

Researcher Jonathan Zdziarski

Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections. Apple denied creating any “back doors” for intelligence agencies, and said the services are meant for their engineers. Apple also posted its first descriptions of the tools on its own website, and Zdziarski and others who spoke with the company said they expected Apple to make at least some changes to the programs in the future. However, Zdziarski said he did not believe that the services were aimed at helping the National Security Agency to spy on iPhone users.

We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.

Apple Inc statement