# iOS TCC Framework Bypass – Undocumented `kTCCServiceLiverpool` Access

## Overview

This repository documents a critical flaw in the iOS TCC (Transparency, Consent, and Control) framework that allows **third-party applications to gain system-level privileges** through an undocumented service, `kTCCServiceLiverpool`. This bypass occurs silently, without user consent, and is not visible in iOS Privacy Settings.

The issue was identified on iOS 26.1 through analysis of the TCC database (`TCC.db`) extracted from sysdiagnose logs. Multiple unrelated third-party apps have been observed with `auth_reason=5` grants, which are normally **reserved for Apple system processes**.

---

## Security Disclosure & Tracking

- Reported to CERT-In: **2025-12-11**
- Tracking ID: **CERTIn-15336025**

## Affected Components

* **Service:** `kTCCServiceLiverpool`
* **Apps Observed with Unauthorized System Bypass:**
  * `com.kentoh.hackerfeed`
  * `com.lifetimefitness.interests.ltfitness`
* **auth_reason:** 5 (System Bypass Authority)
* **Device Tested:** iPhone 14 Pro Max, iOS 26.1
* **Timeframe of Grants:** 2024–2025

---

## Technical Analysis

### Root Cause

The TCC framework incorrectly assigns `auth_reason=5` to third-party apps due to a **logic flaw in the authorization assignment routine**. Key indicators of programmatic bypass include:

* `pid: NULL` – no associated process
* `boot_uuid: UNUSED` – not tied to a specific boot session
* `last_reminded: never` – no user prompt recorded

These metadata fields differ from standard TCC grants, which are tied to processes, sessions, and consent prompts.

### Undocumented Service

`kTCCServiceLiverpool` is **not listed in public TCC documentation** and **does not appear in Privacy Settings**. Access to this service provides **silent system-level privileges** to third-party apps, creating a hidden vector for data access.


---

## Evidence

### SQL Query to Identify Unauthorized Grants

```sql
SELECT client, service, auth_reason,
       datetime(last_modified, 'unixepoch') AS last_modified
FROM access
WHERE auth_reason = 5
  AND client NOT LIKE 'com.apple.%'
  AND client NOT LIKE 'developer.apple.%';
```

### Sample Findings

| Application                             | Service              | Last Modified        |
| --------------------------------------- | -------------------- | -------------------- |
| com.kentoh.hackerfeed                   | kTCCServiceLiverpool | 2025-09-19T20:56:37Z |
| com.lifetimefitness.interests.ltfitness | kTCCServiceLiverpool | 2025-05-26T21:34:15Z |

---

## Impact

* **Privilege Escalation:** Third-party apps can bypass normal user consent.
* **Privacy Risk:** Apps can access sensitive services or telemetry without visibility.
* **Persistence:** Observed across multiple iOS updates.
* **Detection Difficulty:** Hidden from Privacy Settings; requires TCC database inspection.

---

## Recommendations

1. **Audit TCC database** for any unauthorized `auth_reason=5` grants.
2. **Revoke unauthorized grants** and force user re-consent for affected apps.
3. **Restrict `auth_reason=5`** exclusively to Apple-signed system services.
4. **Document or restrict `kTCCServiceLiverpool`** in official TCC framework documentation.
5. **Add runtime assertions** to prevent unauthorized assignment of system bypass authority.

---

## Reproduction Steps

1. Generate a sysdiagnose log on an iOS 26.1 device.
2. Extract `TCC.db` from `sysdiagnose_*/logs/Accessibility/`.
3. Run the SQL query above to identify third-party apps with `auth_reason=5`.
4. Confirm unauthorized access to `kTCCServiceLiverpool` for affected apps.

---
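
The audit in reproduction step 3 and recommendation 1, as an added example that is not part of the original repository: it runs the query above against a database opened read-only and annotates each hit with the three indicators listed under Root Cause. The reduced `access` schema, the `com.example.*` bundle IDs, the helper names, and the rule that a `last_reminded` of 0 or NULL means "never" are assumptions; all rows are constructed.

```python
import sqlite3

# The page's query, extended with the three metadata columns its analysis cites.
AUDIT_SQL = """
SELECT client, service, auth_reason,
       datetime(last_modified, 'unixepoch') AS last_modified,
       pid, boot_uuid, last_reminded
FROM access
WHERE auth_reason = 5
  AND client NOT LIKE 'com.apple.%'
  AND client NOT LIKE 'developer.apple.%'
ORDER BY last_modified
"""

def open_readonly(path):
    """Open an extracted TCC.db without modifying the evidence file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def audit(conn):
    """Return third-party auth_reason=5 grants, each with its indicator list."""
    conn.row_factory = sqlite3.Row
    findings = []
    for row in conn.execute(AUDIT_SQL):
        indicators = []
        if row["pid"] is None:
            indicators.append("pid NULL")
        if row["boot_uuid"] == "UNUSED":
            indicators.append("boot_uuid UNUSED")
        if not row["last_reminded"]:  # assumption: 0 or NULL means "never"
            indicators.append("never reminded")
        findings.append({**dict(row), "indicators": indicators})
    return findings

def sample_db():
    """Constructed rows in a reduced, assumed schema; not data from a device."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, auth_reason INTEGER,"
                 " last_modified INTEGER, pid INTEGER, boot_uuid TEXT, last_reminded INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", [
        ("kTCCServiceLiverpool", "com.example.thirdparty", 5, 1700000000, None, "UNUSED", 0),
        ("kTCCServiceLiverpool", "com.apple.mobilenotes", 5, 1700000100, None, "UNUSED", 0),
        ("kTCCServicePhotos", "com.example.camera", 2, 1700000200, 412, "boot-a", 1700000200),
        ("kTCCServiceCamera", "com.example.scanner", 5, 1700000300, 977, "boot-a", 1700000300),
    ])
    return conn

if __name__ == "__main__":
    for f in audit(sample_db()):
        print(f["client"], f["service"], f["last_modified"], f["indicators"])
```

For a real extraction, pass `open_readonly("TCC.db")` to `audit()` instead of `sample_db()`; a row that matches the query but shows none of the three indicators (like the constructed `com.example.scanner` row) is worth reviewing separately from the pattern the page describes.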