Follow-up: Apple's PR statement on Jonathan Zdziarski's research findings


Apple has issued a PR statement addressing the concerns raised by security researcher Jonathan Zdziarski about the (overly permissive) handling of iOS user data.

"We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues," Apple told iMore. "A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.

As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services."

Rene Ritchie, iMore

The terse press statement does not satisfy him. In particular, the pairing process, during which system services expose (far too much) personal data in the exchange between iOS and the Mac, remains without any evident justification in his view.

I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption.

Apple Responds, Contributes Little

He nevertheless sticks to his 'Don't Panic' stance, which sounds appropriate to me:

I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don’t belong there.

Slides from my HOPE/X Talk