CalvinBackup/Ghost-Push-Background-Delivery-via-Expired-APNs-Tokens
1
0
Fork 0
mirror of https://github.com/JGoyd/Ghost-Push-Background-Delivery-via-Expired-APNs-Tokens.git synced 2026-02-12 12:52:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
Ghost-Push-Background-Deliv…/Technical Analysis .md
JG 313f7dbe13 Create Technical Analysis .md
2025-09-01 09:48:00 -04:00

56 lines
2.4 KiB
Markdown
Raw Permalink Blame History

# **Expired APNs Token Still Enables Push Delivery and Background Processing**
## Summary:
Observed in production: APNs delivered a push via cached token after failed token lookups, with no active app context or re-registration. Message was processed by background daemons (`cloudd`, `identityservicesd`). This appears to violate token lifecycle enforcement and enables unauthorized background push behavior.
## Environment:
* **Platform**: iPhone 14 Pro Max (APNs and system daemons)
* **OS Version**: iOS 18.6.2 (Production)
* **Context**: Observed in a real-world, non-laboratory setting
## Timeline (Key Logs):
```
18:07:50.236249 apsd: copyTokenForDomain push.apple.com (null)
18:07:52.580220 apsd: copyTokenForDomain push.apple.com (null)
18:07:54.012876 apsd: copyTokenForDomain push.apple.com <private>, PerAppToken.v0
18:07:54.119270 apsd: found cached token for topic: com.apple.icloud-container.com.apple.willowd
18:07:54.203283 StatusKitAgent: Received aps incoming message
18:07:54.408293 apsd: saveSalt failed (null) com.apple.icloud-container.com.apple.willowd.homekit
18:07:57.025320 cloudd: TCC approved access for container containerID=com.apple.homekit.config:Production, applicationBundleID=com.apple.willowd
```
## Observations:
* `apsd` failed multiple times to retrieve a valid token (`null` response).
* No `registerForPush`, `registerTopic`, or equivalent re-registration events occurred.
* Despite this, `apsd` used a cached token to deliver a push.
* Background system components (`identityservicesd`, `cloudd`, `StatusKitAgent`) processed the incoming message.
* There was no foreground app context at the time of processing.
## Impact:
* **Violates expected APNs behavior**: expired or unavailable tokens are reused.
* **Enables covert push delivery** without user interaction or app activity.
* **Potential for misuse**:
* Silent push channels post app removal
* Covert data exfiltration via system daemons
* Background command-and-control channel
## Recommendation:
To ensure lifecycle integrity of APNs tokens, Apple should:
* Invalidate and purge tokens when `copyTokenForDomain` returns `null`.
* Enforce rejection of pushes without a freshly registered token.
* Disallow background push handling by daemons when an app is no longer active or authorized.
* Audit APNs routing paths that rely on cached state rather than real-time validation.
## Suggested CVSS:
* **Vector**: AV\:N/AC\:L/PR\:N/UI\:N/S\:C/C\:L/I\:L/A\:N
* **Score**: 7.5 (High)
Reference in New Issue View Git Blame Copy Permalink