Hacker News new | past | comments | ask | show | jobs | submit login

Is there any verified info showing a backdoor in Apple iOS?

From my brief reading it sounds like the person writing the memo may not be able to distinguish between surveillance of the carriers and putting backdoors into the devices themselves. I can believe that the carriers would be compromised, sooner than I'll believe that the operating systems are.

Specifically, one of the things Apple did with iOS 5 for iCloud was put in end-to-end encryption into the system. iOS has for an even longer period contained protections to make it less easy for an app to read data belonging to other apps, and the storage on Flash has been encrypted since at least iOS 4 (I believe.)

Yet the iOS 5 binaries are subject to the scrutiny of the jail breaking community, and if there is a backdoor here, I'd think that it might have been found. (Or will be soon now that its existence has apparently been leaked.)

Further, how could this actually work? (the memo is so full of jargon and nonsensical to me that I stopped trying to interpret it pretty quickly.)

Its tricky to get intentional communication- FaceTime, iMessage, etc, working on devices, let alone back doors for a specific government. I don't think the indian government could successfully delver to Apple a spec for them to implement that wouldn't intrinsically cause noticeable problems and thus reveal its existence regularly.

In short, I suspect that a backdoor is kinda infeasible from a software reliability viewpoint.

Finally, its also quite possible that this is a psyops campaign. By announcing that they have a back door (thur a leaked memo) the indian government could be attempting to bring pressure to bear from other governments to get their own backdoors, and thus, enable india to ultimately actually get a backdoor. I remember months ago reading that the indian government wanted more access to the mobile devices but were being stymied by manufacturers.

I've been observing Apple fairly closely for over 30 years and working with their operating systems, often at a fairly low level for almost 20 years. I've never seen Apple do anything that would betray their customers trust. People may object to the decisions Apple makes, but I have never seen a decision that, at the end of the day, didn't have at least the intent to do right by the customer (even when they failed to achieve that intent.)

Thus I'm highly suspicious at any claim that Apple has put in a backdoor. I think this kind of claim is extraordinary and out or character, and Apple has far more integrity in my eyes than these documents.

So, I'd like to see some evidence before we accept that this is fact.




"one of the things Apple did with iOS 5 for iCloud was put in end-to-end encryption into the system."

I'm not familiar with iCloud. Does it have strong client side encryption?


Nope, you can easily get access to your files via USB. As for storage on iCloud, any keys would need to be recoverable via your Apple ID password which would likely make it the weak point of the scheme.

Any telecommunications device in the US is subject to CALEA so expect backdoors.


Actually from IOS4 and on, you can't get files via USB directly without entering the passcode. The filesystem itself is encrypted (AES256) and unlocked once the passcode is entered on the device.

However I believe without a passcode you can still just use USB to access everything.


Could you clarify this a bit? It seems to be contradictory.


CALEA only applies to the back end, server side infrastructure, not end user equipment.


Actually CALEA mandates two things: 1. the ability to intercept, 2. that intercepts not be detectable by end users. You can implement the functionality anywhere in your stack that you'd like, including the consumer device.


True, but putting it end the end user equipment is a bad idea (and probably opens you up to liability) because it can be detected and mitigated from that side. You have to assume that whatever code you're running on a device not under your direct control will be observed and poked and prodded.


Governments are full of bad ideas. I was just pointing out your summary of CALEA was incorrect.


The jailbreak community is not that infallible. Not like they have the source to analyze or something (and "bugs" slip by even when the community has the source)

end to end encryption means nothing if the other end has to hand over your data anyway.


Brings to mind the 2003 attempt to backdoor the linux kernel: http://kerneltrap.org/node/1584 - even that wasn't spotted at first glance.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: