CalvinBackup/Ghost-Push-Background-Delivery-via-Expired-APNs-Tokens
1
0
Fork 0
mirror of https://github.com/JGoyd/Ghost-Push-Background-Delivery-via-Expired-APNs-Tokens.git synced 2026-02-12 12:52:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
4 Commits 1 Branch 0 Tags
main
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Joseph Goydish II d6fa577daf Update README.md
2025-11-06 15:41:43 -05:00
README.md
Update README.md
2025-11-06 15:41:43 -05:00
Technical Analysis .md
Create Technical Analysis .md
2025-09-01 09:48:00 -04:00

README.md

Ghost Push: Background Delivery via Expired APNs Tokens

Overview

This repository documents a vulnerability observed in iOS 18.6.2, where expired or unavailable Apple Push Notification service (APNs) tokens are still reused by system daemons to deliver silent push messages — even without an active app context or token re-registration.

This violates the expected APNs token lifecycle and enables unauthorized background processing. It introduces risks such as covert communication, post-removal message delivery, and potential data leakage.

Affected Platform

  • Operating System: iOS 18.6.2 (Production)
  • Components: apsd, cloudd, identityservicesd, StatusKitAgent
  • Context: Observed in a real-world, non-laboratory production environment

Technical Summary

  • The system repeatedly invoked copyTokenForDomain to retrieve a push token, but received null responses.

  • No evidence of registerForPush, registerTopic, or re-registration events.

  • Despite this, apsd retrieved a previously cached token and delivered a push message.

  • System daemons processed the push, even though:

    • The corresponding app was not active
    • The app had not freshly registered for push notifications

  • This behavior bypasses lifecycle validation checks and introduces a persistent, unauthorized communication path.

Timeline (Sample Logs)

18:07:50.236249 apsd: copyTokenForDomain push.apple.com (null)
18:07:54.012876 apsd: copyTokenForDomain push.apple.com <private>, PerAppToken.v0
18:07:54.119270 apsd: found cached token for topic: com.apple.icloud-container.com.apple.willowd
18:07:57.025320 cloudd: TCC approved access for container com.apple.homekit.config

Log Evidence: https://ia601600.us.archive.org/28/items/ghost-push/Ghost%20Push.mov

Impact

  • Violation of expected APNs token lifecycle enforcement
  • Silent push delivery without user interaction or app activity
  • Persistence of push capability even after app removal
  • Potential for covert communication, data exfiltration, or command-and-control (C2) channels via system daemons

Recommendations

Apple should consider the following mitigations:

  • Invalidate cached tokens when copyTokenForDomain returns null
  • Enforce rejection of push messages that lack a recently registered token
  • Prevent background system daemons from processing pushes associated with unregistered or removed applications
  • Audit APNs routing logic to ensure real-time token validation and eliminate reliance on stale cached data

Suggested CVSS

  • Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Base Score: 7.5 (High)

References

  • Apple Push Notification Service (APNs) Documentation
  • Affected system daemons: apsd, cloudd, identityservicesd, StatusKitAgent

Disclaimer

This repository is provided for educational and defensive security research purposes only.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
apnsapsdbackground-processingclouddiosios-securitysecurity-researchvulnerability-disclosurezero-day
Readme 53 KiB
Languages
Markdown 100%