CalvinBackup/Ghost-Push-Background-Delivery-via-Expired-APNs-Tokens
1
0
Fork 0
mirror of https://github.com/JGoyd/Ghost-Push-Background-Delivery-via-Expired-APNs-Tokens.git synced 2026-02-12 12:52:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Ghost-Push-Background-Deliv…/Technical Analysis .md
JG 313f7dbe13 Create Technical Analysis .md
2025-09-01 09:48:00 -04:00

2.4 KiB
Raw Permalink Blame History

Expired APNs Token Still Enables Push Delivery and Background Processing

Summary:

Observed in production: APNs delivered a push via cached token after failed token lookups, with no active app context or re-registration. Message was processed by background daemons (cloudd, identityservicesd). This appears to violate token lifecycle enforcement and enables unauthorized background push behavior.

Environment:

  • Platform: iPhone 14 Pro Max (APNs and system daemons)
  • OS Version: iOS 18.6.2 (Production)
  • Context: Observed in a real-world, non-laboratory setting

Timeline (Key Logs):

18:07:50.236249 apsd: copyTokenForDomain push.apple.com (null)
18:07:52.580220 apsd: copyTokenForDomain push.apple.com (null)
18:07:54.012876 apsd: copyTokenForDomain push.apple.com <private>, PerAppToken.v0
18:07:54.119270 apsd: found cached token for topic: com.apple.icloud-container.com.apple.willowd
18:07:54.203283 StatusKitAgent: Received aps incoming message
18:07:54.408293 apsd: saveSalt failed (null) com.apple.icloud-container.com.apple.willowd.homekit
18:07:57.025320 cloudd: TCC approved access for container containerID=com.apple.homekit.config:Production, applicationBundleID=com.apple.willowd

Observations:

  • apsd failed multiple times to retrieve a valid token (null response).
  • No registerForPush, registerTopic, or equivalent re-registration events occurred.
  • Despite this, apsd used a cached token to deliver a push.
  • Background system components (identityservicesd, cloudd, StatusKitAgent) processed the incoming message.
  • There was no foreground app context at the time of processing.

Impact:

  • Violates expected APNs behavior: expired or unavailable tokens are reused.

  • Enables covert push delivery without user interaction or app activity.

  • Potential for misuse:

    • Silent push channels post app removal
    • Covert data exfiltration via system daemons
    • Background command-and-control channel

Recommendation:

To ensure lifecycle integrity of APNs tokens, Apple should:

  • Invalidate and purge tokens when copyTokenForDomain returns null.
  • Enforce rejection of pushes without a freshly registered token.
  • Disallow background push handling by daemons when an app is no longer active or authorized.
  • Audit APNs routing paths that rely on cached state rather than real-time validation.

Suggested CVSS:

  • Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Score: 7.5 (High)
Reference in New Issue View Git Blame Copy Permalink