[transpute]

Has anyone seen an iOS device fail to boot due to an integrity violation?

Whatever it's verifying is insufficient to stop persistent iOS malware, hence the existence of the MVT toolkit, which itself can only identify a small subset of real-world attacks. For evidence, look no further than the endless stream of zero-day CVEs in Apple Security Updates for iOS. Recovery from iOS malware often requires DFU (Device Firmware Update) mode reinstallation from a separate device running macOS.

Non-persistent iOS malware can be flushed by a device hot-key reboot which prevents malware from simulating the appearance of a reboot.

[FirmwareBurner]

>Non-persistent iOS malware can be flushed by a device hot-key reboot which prevents malware from simulating the appearance of a reboot.

The question is how often do users usually reboot their phone these days?

[transpute]

Regularly, if using iOS Lockdown Mode to increase resilience to malware.

[fdb345]

the people who need it. use it.

the fact some people may need it and dont reboot isn't relevant. The option is there.

[FirmwareBurner]

And how many users do that regualrly?

[transpute]

Before or after their device, data and communication is compromised?

[FirmwareBurner]

How many users know when their data is compromised?

[transpute]

We're approaching "if a tree falls in a forest" territory.. the cryptocurrency community has a few stories.

[bri3d]

> Whatever it's verifying is insufficient to stop persistent iOS malware, hence the existence of the MVT toolkit

One of these assertions absolutely does not support the other; the newest persistent malware detected on iOS by MVT is from 2023 and targeted iOS 14. In iOS 15, Apple introduced System volumes and SSV. The OS lives on a separate APFS volume snapshot which is verified using a hash tree (think like dm-verity, although the implementation is at a slightly different level). Even Operation Triangulation couldn't achieve reboot persistence for their implant (which Kapersky call TriangleDB); rebooting would require re-exploitation.

This also affects your argument about "forensic" imaging (also - if you're asking the device for the image, it's always a logical extraction; if you don't trust the device, why do you trust the backup data you asked it for?): post-iOS-15, unless boot security was compromised, in which case you have bigger problems, you'll get the same bytes back for system files anyway.

[transpute]

> why do you trust the backup data you asked it for?

Devices could load minimal recovery/forensic images from a trusted external source (Apple Configurator USB in DFU mode?) or trusted ROM (Secure Enclave?), rather than loading a potentially-compromised OS.

> the newest persistent malware detected on iOS by MVT is from 2023

Thanks for the details on dm-verity-alike protection. There's been no shortage of zero-days patched by Apple since 2023. If there's a zero-day vulnerability in an iOS binary which parses persistent user data from the non-OS partition, the vulnerability can be re-exploited after reboot.

Now that you mention APFS snapshots, it would be wonderful if Apple could enable a (hotkey-selected) advanced boot option to (a) boot iOS without parsing any data from the user partition, (b) transfer control to Apple Configurator for user data snapshot export or rollback.

Do you know how iOS is isolated from non-Apple radio baseband firmware?

[saagarjha]

Persistent iOS malware is quite rare these days.

[transpute]

Rare, expensive and extant.