by jatoben 4355 days ago
I was surprised Zdziarski made such a big deal over the packet capture tool. It's been documented in the referenced developer Q&A and in various blog posts[1] since iOS 5, and I've personally found it very useful for troubleshooting connectivity problems on enterprisey networks.

[1]: http://useyourloaf.com/blog/2012/02/07/remote-packet-capture...


Zdziarski also claimed house_arrest was not used by the dev tools (slide 32), but Xcode allows you to archive and restore your app's entire filesystem. (I believe it uses house_arrest for this.) I tend to use "ifuse" to access this data, but definitely find it an invaluable development resource.

I hadn't seen the packet capture thing before, but after reading the slides a quick Google search turned up the link to the Apple dev util that you referenced.

I'm also not sure how big of a deal the "doesn't require developer mode" thing is, since the issues he raises require pairing records, and I believe you can enable developer mode if you have that much access. I've never had the device ask for confirmation when I turned on developer access.

It's worth reading his response to Apple's latest documentation - http://www.zdziarski.com/blog/?p=3466
So why is it not a developer option then? Why is it continuously on?
An IT tech isn't going to want to enable developer mode on Joe User's iPhone just to find out why it can't get an IP or join the VPN. The device still has to be paired with a Mac (and on iOS 7, unlocked and the Trust button tapped) in order to activate pcap.
"The Pcapd service, for instance, allows people to wirelessly monitor all network traffic traveling into and out of the device, even when it's not running in a special developer or support mode."

So does this mean a private key ripped off a paired Bluetooth speaker ends up pwning me? If you are taking the case of IT, I think a valid hacking scenario also needs to be considered. Furthermore, all the data is available unencrypted. I don't know how comfortable I would be with that. Also, once trusted means permanently a slave?

This only allows access to the raw packets that are being broadcast over wifi/cell. (It's like tcpdump, if you're familiar with that.) For stuff sent encrypted over the internet (https/imaps/etc), it's pretty much useless. If stuff is being sent unencrypted, there are other means of looking at it anyway.

The "pairing" refers to when you connect via a USB cable and say "trust this computer". (The iOS device must be unlocked.)

An encrypted copy of some keys is sent to the computer. These allow the iOS device to decrypt data that normally can only be decrypted after the passcode is entered. (Making it possible to back up the device without entering the passcode.) Those encrypted keys can only be decrypted by a trusted computing module on that specific device. So you are kinda screwed if someone has both your laptop and your iPhone, and they have Apple-level access to the iPhone. I recommend using FileVault or other full disk encryption to protect your laptop.

The Escrow Keybag is described in the iOS Security Guide, page 14:

http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.p...

Yeah, and I think the version of the keys on your laptop and desktop can be copied and used to access your iOS device at a later date if someone gains brief access to any computer paired to it. GCHQ and the NSA apparently have tools to take advantage of this.
Bluetooth pairing is totally unrelated.
It's too much of a security liability for most of Apple's market. It shouldn't be there. Some slight convenience for 5 percent of Apple's market isn't a good trade-off.
I am surprised that users like you simply don't care that Apple makes it easy for security authorities and criminals alike to access your iOS devices. Thanks to Snowden, we should know that we cannot trust any IT companies, and we should also have learnt to understand the meaning of overspecific denials.
That sounds scary. Could you clarify: how can criminals or security authorities use this to access my device?
Please allow me to refer to http://www.zdziarski.com/blog/?p=3466; Jonathan Zdziarski is far more qualified than I am to provide further information.
They would need physical access to the device and know your unlock code.
Wait, if they have that, they already have everything.