From 313f7dbe130293b7b86c1f169aebd6a52a78de5d Mon Sep 17 00:00:00 2001 From: JG Date: Mon, 1 Sep 2025 09:48:00 -0400 Subject: [PATCH] Create Technical Analysis .md --- Technical Analysis .md | 55 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 Technical Analysis .md diff --git a/Technical Analysis .md b/Technical Analysis .md new file mode 100644 index 0000000..bfefe8f --- /dev/null +++ b/Technical Analysis .md @@ -0,0 +1,55 @@ +# **Expired APNs Token Still Enables Push Delivery and Background Processing** + +## Summary: + +Observed in production: APNs delivered a push via cached token after failed token lookups, with no active app context or re-registration. Message was processed by background daemons (`cloudd`, `identityservicesd`). This appears to violate token lifecycle enforcement and enables unauthorized background push behavior. + +## Environment: + +* **Platform**: iPhone 14 Pro Max (APNs and system daemons) +* **OS Version**: iOS 18.6.2 (Production) +* **Context**: Observed in a real-world, non-laboratory setting + +## Timeline (Key Logs): + +``` +18:07:50.236249 apsd: copyTokenForDomain push.apple.com (null) +18:07:52.580220 apsd: copyTokenForDomain push.apple.com (null) +18:07:54.012876 apsd: copyTokenForDomain push.apple.com , PerAppToken.v0 +18:07:54.119270 apsd: found cached token for topic: com.apple.icloud-container.com.apple.willowd +18:07:54.203283 StatusKitAgent: Received aps incoming message +18:07:54.408293 apsd: saveSalt failed (null) com.apple.icloud-container.com.apple.willowd.homekit +18:07:57.025320 cloudd: TCC approved access for container containerID=com.apple.homekit.config:Production, applicationBundleID=com.apple.willowd +``` + +## Observations: + +* `apsd` failed multiple times to retrieve a valid token (`null` response). +* No `registerForPush`, `registerTopic`, or equivalent re-registration events occurred. +* Despite this, `apsd` used a cached token to deliver a push. +* Background system components (`identityservicesd`, `cloudd`, `StatusKitAgent`) processed the incoming message. +* There was no foreground app context at the time of processing. + +## Impact: + +* **Violates expected APNs behavior**: expired or unavailable tokens are reused. +* **Enables covert push delivery** without user interaction or app activity. +* **Potential for misuse**: + + * Silent push channels post app removal + * Covert data exfiltration via system daemons + * Background command-and-control channel + +## Recommendation: + +To ensure lifecycle integrity of APNs tokens, Apple should: + +* Invalidate and purge tokens when `copyTokenForDomain` returns `null`. +* Enforce rejection of pushes without a freshly registered token. +* Disallow background push handling by daemons when an app is no longer active or authorized. +* Audit APNs routing paths that rely on cached state rather than real-time validation. + +## Suggested CVSS: + +* **Vector**: AV\:N/AC\:L/PR\:N/UI\:N/S\:C/C\:L/I\:L/A\:N +* **Score**: 7.5 (High)