CalvinBackup/iOS-TCC-Framework-Bypass
1
0
Fork 0
mirror of https://github.com/JGoyd/iOS-TCC-Framework-Bypass.git synced 2026-02-12 12:52:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add report on iOS TCC framework bypass vulnerability

Browse Source 
Document critical TCC framework flaw in iOS 26.1 allowing unauthorized access to iCloud services by third-party apps. Provide evidence, technical analysis, and recommended remediation actions.
This commit is contained in:
Joseph Goydish II
2025-12-11 20:06:51 -05:00
committed by GitHub
commit 6634e82cfc
1 changed files with 96 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
.md Normal file
View File

@@ -0,0 +1,96 @@
# iOS TCC Framework Bypass via Unauthorized auth_reason=5 Grant Mechanism
**Severity:** CRITICAL
**Submission Date:** 2025-12-11 UTC
**Researcher:** Joseph Goydish II
---
## Executive Summary
Critical TCC framework flaw in iOS 26.1 incorrectly assigns `auth_reason=5` (system bypass authority) to third-party applications, enabling silent access to iCloud services and undocumented telemetry without user consent or Privacy Settings visibility. Analysis of TCC database from iPhone 14 Pro Max reveals 5 unrelated third-party apps with unauthorized system-level grants—evidence indicates framework logic defect, not malicious app behavior. Immediate remediation required: revoke unauthorized grants and fix authorization assignment logic.
**Database:** `sysdiagnose_2025.12.09_13-10-52-0500_iPhone-OS_iPhone_23B85/logs/Accessibility/TCC.db`
**SHA256:** `8c6fcd9e7c6ea44d9d2fab262887568978494b35eb298e2a92b0e92b47cef90a`
---
## Evidence: Unauthorized auth_reason=5 Grants
### SQL Query
```sql
SELECT client, service, auth_reason, datetime(last_modified, 'unixepoch') as last_modified
FROM access
WHERE auth_reason = 5 AND client NOT LIKE 'com.apple.%' AND client NOT LIKE 'developer.apple.%';
```
### Third-Party Apps with System Bypass Authority
| Application | Service | Last Modified |
|-------------|---------|---------------|
| com.ubercab.UberClient | kTCCServiceUbiquity | 2025-10-24T21:12:37Z |
| com.linkedin.LinkedIn | kTCCServiceUbiquity | 2025-01-17T04:49:48Z |
| com.kentoh.hackerfeed | kTCCServiceLiverpool | 2025-09-19T20:56:47Z |
| com.lifetimefitness.interests.ltfitness | kTCCServiceLiverpool | 2025-05-26T21:34:15Z |
| com.google.chrome.ios | kTCCServiceWebKitIntelligentTrackingPrevention | 2024-10-25T14:53:03Z |
**Complete dataset:** `TCC_Anomalies_Sanitized.csv` (33 entries)
---
## Technical Analysis & Root Cause
### Framework Logic Flaw
The TCC framework's authorization assignment routine incorrectly evaluates client authority and grants `auth_reason=5` (system bypass) to third-party applications that should only receive `auth_reason=2` (user consent) or `auth_reason=4` (entitlement-based).
**Evidence of framework defect:**
- Five unrelated apps from different developers with no common functionality or SDK
- No exploit signatures or privilege escalation code detected
- Pattern persists across iOS updates (grants span Oct 2024 - Nov 2025)
### Programmatic Grant Characteristics
All unauthorized `auth_reason=5` grants share identical patterns indicating automated framework insertion without user interaction:
- `pid`: NULL (no process ID recorded)
- `boot_uuid`: UNUSED (not tied to specific boot session)
- `last_reminded`: 1970-01-01T00:00:00Z (epoch = never reminded user)
Normal TCC grants include PID, boot UUID, and reminder timestamps. Their absence confirms programmatic auto-grant outside standard consent flow.
### Undocumented Service Access
`kTCCServiceLiverpool`:
- Not documented in public TCC framework documentation
- Not visible in iOS Privacy Settings UI
- Accessed by 87 clients total (19 with `auth_reason=5`)
- Two third-party apps (HackerFeed, Lifetime Fitness) have unauthorized system bypass to this service
---
## Recommended Remediation
### Immediate Actions
1. Audit all `auth_reason=5` grants in TCC database; revoke unauthorized third-party app grants
2. Fix authorization logic: restrict `auth_reason=5` exclusively to Apple-signed system services
3. Force user re-consent for affected applications via standard TCC prompt flow
4. Add runtime assertion to detect and reject `auth_reason=5` assignment to non-system clients
### Follow-Up Actions
5. Implement TCC audit logging: record all `auth_reason=5` assignments with call stack traces
6. Document `kTCCServiceLiverpool` in public TCC documentation or restrict to system services only
7. Add Privacy Settings visibility for actual authorization levels (developer mode)
8. Implement cryptographic binding between `auth_reason` value and client code signature
---
## Reproduction
1. Generate sysdiagnose on iOS 26.1 device
2. Extract `TCC.db` from `sysdiagnose_*/logs/Accessibility/`
3. Query: `SELECT client, service FROM access WHERE auth_reason = 5 AND client NOT LIKE 'com.apple.%';`
4. Expected: Third-party apps listed with system bypass authority (see attached CSV for reference)
---
**End of Report**