diff --git a/README.md b/README.md new file mode 100644 index 0000000..83d8aa6 --- /dev/null +++ b/README.md @@ -0,0 +1,95 @@ +# iOS TCC Framework Bypass – Undocumented `kTCCServiceLiverpool` Access + +## Overview + +This repository documents a critical flaw in the iOS TCC (Transparency, Consent, and Control) framework that allows **third-party applications to gain system-level privileges** through an undocumented service, `kTCCServiceLiverpool`. This bypass occurs silently, without user consent, and is not visible in iOS Privacy Settings. + +The issue was identified on iOS 26.1 through analysis of the TCC database (`TCC.db`) extracted from sysdiagnose logs. Multiple unrelated third-party apps have been observed with `auth_reason=5` grants, which are normally **reserved for Apple system processes**. + +--- + +## Affected Components + +* **Service:** `kTCCServiceLiverpool` + +* **Apps Observed with Unauthorized System Bypass:** + + * `com.kentoh.hackerfeed` + * `com.lifetimefitness.interests.ltfitness` + +* **auth_reason:** 5 (System Bypass Authority) + +* **Device Tested:** iPhone 14 Pro Max, iOS 26.1 + +* **Timeframe of Grants:** 2024–2025 + +--- + +## Technical Analysis + +### Root Cause + +The TCC framework incorrectly assigns `auth_reason=5` to third-party apps due to a **logic flaw in the authorization assignment routine**. Key indicators of programmatic bypass include: + +* `pid: NULL` – no associated process +* `boot_uuid: UNUSED` – not tied to a specific boot session +* `last_reminded: never` – no user prompt recorded + +These metadata fields differ from standard TCC grants, which are tied to processes, sessions, and consent prompts. + +### Undocumented Service + +`kTCCServiceLiverpool` is **not listed in public TCC documentation** and **does not appear in Privacy Settings**. Access to this service provides **silent system-level privileges** to third-party apps, creating a hidden vector for data access. + +--- + +## Evidence + +### SQL Query to Identify Unauthorized Grants + +```sql +SELECT client, service, auth_reason, datetime(last_modified, 'unixepoch') as last_modified +FROM access +WHERE auth_reason = 5 + AND client NOT LIKE 'com.apple.%' + AND client NOT LIKE 'developer.apple.%'; +``` + +### Sample Findings + +| Application | Service | Last Modified | +| --------------------------------------- | -------------------- | -------------------- | +| com.kentoh.hackerfeed | kTCCServiceLiverpool | 2025-09-19T20:56:37Z | +| com.lifetimefitness.interests.ltfitness | kTCCServiceLiverpool | 2025-05-26T21:34:15Z | + +--- + +## Impact + +* **Privilege Escalation:** Third-party apps can bypass normal user consent. +* **Privacy Risk:** Apps can access sensitive services or telemetry without visibility. +* **Persistence:** Observed across multiple iOS updates. +* **Detection Difficulty:** Hidden from Privacy Settings; requires TCC database inspection. + +--- + +## Recommendations + +1. **Audit TCC database** for any unauthorized `auth_reason=5` grants. +2. **Revoke unauthorized grants** and force user re-consent for affected apps. +3. **Restrict `auth_reason=5`** exclusively to Apple-signed system services. +4. **Document or restrict `kTCCServiceLiverpool`** in official TCC framework documentation. +5. **Add runtime assertions** to prevent unauthorized assignment of system bypass authority. + +--- + +## Reproduction Steps + +1. Generate a sysdiagnose log on an iOS 26.1 device. +2. Extract `TCC.db` from `sysdiagnose_*/logs/Accessibility/`. +3. Run the SQL query above to identify third-party apps with `auth_reason=5`. +4. Confirm unauthorized access to `kTCCServiceLiverpool` for affected apps. + + + +---