Create README.md

README.md

@@ -0,0 +1,95 @@
+# iOS TCC Framework Bypass – Undocumented `kTCCServiceLiverpool` Access
+
+## Overview
+
+This repository documents a critical flaw in the iOS TCC (Transparency, Consent, and Control) framework that allows **third-party applications to gain system-level privileges** through an undocumented service, `kTCCServiceLiverpool`. This bypass occurs silently, without user consent, and is not visible in iOS Privacy Settings.
+
+The issue was identified on iOS 26.1 through analysis of the TCC database (`TCC.db`) extracted from sysdiagnose logs. Multiple unrelated third-party apps have been observed with `auth_reason=5` grants, which are normally **reserved for Apple system processes**.
+
+---
+
+## Affected Components
+
+* **Service:** `kTCCServiceLiverpool`
+
+* **Apps Observed with Unauthorized System Bypass:**
+
+  * `com.kentoh.hackerfeed`
+  * `com.lifetimefitness.interests.ltfitness`
+
+* **auth_reason:** 5 (System Bypass Authority)
+
+* **Device Tested:** iPhone 14 Pro Max, iOS 26.1
+
+* **Timeframe of Grants:** 2024–2025
+
+---
+
+## Technical Analysis
+
+### Root Cause
+
+The TCC framework incorrectly assigns `auth_reason=5` to third-party apps due to a **logic flaw in the authorization assignment routine**. Key indicators of programmatic bypass include:
+
+* `pid: NULL` – no associated process
+* `boot_uuid: UNUSED` – not tied to a specific boot session
+* `last_reminded: never` – no user prompt recorded
+
+These metadata fields differ from standard TCC grants, which are tied to processes, sessions, and consent prompts.
+
+### Undocumented Service
+
+`kTCCServiceLiverpool` is **not listed in public TCC documentation** and **does not appear in Privacy Settings**. Access to this service provides **silent system-level privileges** to third-party apps, creating a hidden vector for data access.
+
+---
+
+## Evidence
+
+### SQL Query to Identify Unauthorized Grants
+
+```sql
+SELECT client, service, auth_reason, datetime(last_modified, 'unixepoch') as last_modified
+FROM access
+WHERE auth_reason = 5
+  AND client NOT LIKE 'com.apple.%'
+  AND client NOT LIKE 'developer.apple.%';
+```
+
+### Sample Findings
+
+| Application                             | Service              | Last Modified        |
+| --------------------------------------- | -------------------- | -------------------- |
+| com.kentoh.hackerfeed                   | kTCCServiceLiverpool | 2025-09-19T20:56:37Z |
+| com.lifetimefitness.interests.ltfitness | kTCCServiceLiverpool | 2025-05-26T21:34:15Z |
+
+---
+
+## Impact
+
+* **Privilege Escalation:** Third-party apps can bypass normal user consent.
+* **Privacy Risk:** Apps can access sensitive services or telemetry without visibility.
+* **Persistence:** Observed across multiple iOS updates.
+* **Detection Difficulty:** Hidden from Privacy Settings; requires TCC database inspection.
+
+---
+
+## Recommendations
+
+1. **Audit TCC database** for any unauthorized `auth_reason=5` grants.
+2. **Revoke unauthorized grants** and force user re-consent for affected apps.
+3. **Restrict `auth_reason=5`** exclusively to Apple-signed system services.
+4. **Document or restrict `kTCCServiceLiverpool`** in official TCC framework documentation.
+5. **Add runtime assertions** to prevent unauthorized assignment of system bypass authority.
+
+---
+
+## Reproduction Steps
+
+1. Generate a sysdiagnose log on an iOS 26.1 device.
+2. Extract `TCC.db` from `sysdiagnose_*/logs/Accessibility/`.
+3. Run the SQL query above to identify third-party apps with `auth_reason=5`.
+4. Confirm unauthorized access to `kTCCServiceLiverpool` for affected apps.
+
+
+
+---