iOS-TCC-Framework-Bypass/README.md
Joseph Goydish II 87764bab44 Add security disclosure section to README
Added security disclosure and tracking information.
2025-12-12 20:36:51 -05:00


iOS TCC Framework Bypass: Undocumented kTCCServiceLiverpool Access

Overview

This repository documents a suspected flaw in the iOS TCC (Transparency, Consent, and Control) framework: third-party applications hold grants for an undocumented service, kTCCServiceLiverpool, recorded with auth_reason=5, with no consent prompt recorded and nothing shown for the service in iOS Privacy Settings. The author's assessment is that this amounts to a silent, system-level privilege grant.

The issue was identified on iOS 26.1 by analyzing the TCC database (TCC.db) extracted from a sysdiagnose archive. Multiple unrelated third-party apps were observed with auth_reason=5 grants. One caveat for anyone validating the finding: in the TCC framework's own reason table, auth_reason 5 is "Service Policy" (2 is "User Consent", 4 is "System Set", 11 is "Entitled"), so the value records that the grant was written under a per-service policy rather than in response to a prompt. Whether the value is reserved for Apple system processes should be checked against the Apple-signed rows for the same service in the same database rather than assumed.


Security Disclosure & Tracking

  • Reported to CERT-In: 2025-12-11
  • Tracking ID: CERTIn-15336025

Affected Components

  • Service: kTCCServiceLiverpool
  • Apps observed with the grant:
    • com.kentoh.hackerfeed
    • com.lifetimefitness.interests.ltfitness
  • auth_reason: 5 (called "System Bypass Authority" in this report; in the TCC framework's own reason table the value is "Service Policy")
  • Device tested: iPhone 14 Pro Max, iOS 26.1
  • Timeframe of grants: 2024-2025


Technical Analysis

Root Cause

The report's hypothesis is that the TCC framework assigns auth_reason=5 to third-party apps through a logic flaw in its authorization assignment path; the specific routine has not been identified. The following TCC.db fields on the affected rows are cited as indicators of a programmatic grant:

  • pid: NULL, no associated process
  • boot_uuid: UNUSED, not tied to a specific boot session
  • last_reminded: never, no user prompt recorded

These fields differ from what one would expect of a consent-prompted grant, but they are not by themselves proof of a bypass: in a typical TCC.db, pid is NULL and boot_uuid is the literal string UNUSED on ordinary rows as well, and only auth_reason=2 (User Consent) records that a prompt was shown. The check that supports the claim is to compare the affected rows with Apple-signed rows for the same service and with user-consented rows in the same database.

Undocumented Service

kTCCServiceLiverpool is not listed in public TCC documentation and does not appear under that name in Privacy Settings. In the author's assessment, access to this service gives third-party apps silent system-level privileges and a hidden vector for data access. A caveat for anyone validating the finding: third-party iOS forensic tooling commonly maps kTCCServiceLiverpool to Location Services; if that mapping holds, the grant corresponds to a permission the user can inspect under Settings > Privacy & Security > Location Services, so check each affected app's entry there before treating the grant as invisible to the user.


Evidence

SQL Query to Identify Unauthorized Grants

```sql
SELECT client, service, auth_reason, datetime(last_modified, 'unixepoch') AS last_modified
FROM access
WHERE auth_reason = 5
  AND client NOT LIKE 'com.apple.%'
  AND client NOT LIKE 'developer.apple.%';
```

Sample Findings

| Application | Service | Last Modified |
|---|---|---|
| com.kentoh.hackerfeed | kTCCServiceLiverpool | 2025-09-19T20:56:37Z |
| com.lifetimefitness.interests.ltfitness | kTCCServiceLiverpool | 2025-05-26T21:34:15Z |

Impact

  • Privilege Escalation: Third-party apps can bypass normal user consent.
  • Privacy Risk: Apps can access sensitive services or telemetry without visibility.
  • Persistence: Observed across multiple iOS updates.
  • Detection Difficulty: Hidden from Privacy Settings; requires TCC database inspection.

Recommendations

  1. Audit TCC database for any unauthorized auth_reason=5 grants.
  2. Revoke unauthorized grants and force user re-consent for affected apps.
  3. Restrict auth_reason=5 exclusively to Apple-signed system services.
  4. Document or restrict kTCCServiceLiverpool in official TCC framework documentation.
  5. Add runtime assertions to prevent unauthorized assignment of system bypass authority.

Reproduction Steps

  1. Generate a sysdiagnose archive on an iOS 26.1 device.
  2. Extract TCC.db from sysdiagnose_*/logs/Accessibility/ inside the archive.
  3. Run the SQL query above to list third-party clients with auth_reason=5.
  4. Confirm that each affected app holds a kTCCServiceLiverpool row with auth_value=2 (allowed) and auth_reason=5, then compare that row against the Apple-signed rows for the same service in the same database and against what Privacy Settings shows for the app.
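The following script is an added example, not code from this repository. It runs the query from the Evidence section against a TCC.db, decodes auth_value and auth_reason with the label tables the TCC framework itself uses, and performs the comparison the Root Cause section calls for: the auth_reason distribution for Apple-signed versus third-party clients of the same service. Assumptions not taken from the page: the trimmed `access` schema (service, client, client_type, auth_value, auth_reason, last_modified, pid, boot_uuid, last_reminded), the label tables, and the sample rows, which are constructed for the example apart from the two bundle IDs and timestamps copied from the Sample Findings table.

```python
"""Audit a TCC.db for third-party grants recorded with auth_reason=5.

Added example; assumptions (not from the report): the subset of `access`
columns read below, the auth_value/auth_reason label tables, and the sample rows.
"""
import sqlite3
from datetime import datetime, timezone

# auth_value semantics in TCC.db: 0 denied, 1 unknown, 2 allowed, 3 limited.
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}

# auth_reason strings as used by the TCC framework's own reason table.
# 5 is "Service Policy"; only 2 records that a consent prompt was shown.
AUTH_REASON = {
    1: "Error", 2: "User Consent", 3: "User Set", 4: "System Set",
    5: "Service Policy", 6: "MDM Policy", 7: "Override Policy",
    8: "Missing usage string", 9: "Prompt Timeout", 10: "Preflight Unknown",
    11: "Entitled", 12: "App Type Policy",
}

APPLE_PREFIXES = ("com.apple.", "developer.apple.")


def is_apple_client(client):
    return client.startswith(APPLE_PREFIXES)


def flagged_grants(conn, service=None):
    """Third-party rows with auth_reason=5 (the report's query), decoded."""
    sql = ("SELECT client, service, auth_value, auth_reason, last_modified, "
           "pid, boot_uuid, last_reminded FROM access WHERE auth_reason = 5")
    params = []
    if service is not None:
        sql += " AND service = ?"
        params.append(service)
    hits = []
    for client, svc, value, reason, ts, pid, boot_uuid, reminded in conn.execute(sql, params):
        if is_apple_client(client):
            continue
        hits.append({
            "client": client,
            "service": svc,
            "auth_value": AUTH_VALUE.get(value, f"unknown({value})"),
            "auth_reason": AUTH_REASON.get(reason, f"unknown({reason})"),
            "last_modified": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "prompted": bool(reminded),   # last_reminded is 0/NULL when no prompt was recorded
            "pid": pid,                   # NULL on ordinary rows too; not a bypass indicator alone
            "boot_uuid": boot_uuid,       # literal 'UNUSED' is the common value
        })
    return sorted(hits, key=lambda r: r["client"])


def reason_baseline(conn, service):
    """auth_reason counts for one service, split into Apple vs third-party clients.

    If Apple's own clients for the service also carry "Service Policy", the
    value is not reserved for Apple processes and cannot by itself mark a bypass.
    """
    baseline = {"apple": {}, "third_party": {}}
    for client, reason in conn.execute(
            "SELECT client, auth_reason FROM access WHERE service = ?", (service,)):
        bucket = "apple" if is_apple_client(client) else "third_party"
        label = AUTH_REASON.get(reason, f"unknown({reason})")
        baseline[bucket][label] = baseline[bucket].get(label, 0) + 1
    return baseline


def build_sample_db():
    """In-memory stand-in for TCC.db: trimmed `access` schema plus constructed rows.

    Rows are made up for this example (the two report bundle IDs and their
    timestamps aside) and are not observations from any device.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE access (
            service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
            auth_value INTEGER NOT NULL, auth_reason INTEGER NOT NULL,
            last_modified INTEGER NOT NULL, pid INTEGER,
            boot_uuid TEXT NOT NULL DEFAULT 'UNUSED', last_reminded INTEGER NOT NULL DEFAULT 0,
            PRIMARY KEY (service, client, client_type))""")
    rows = [
        ("kTCCServiceLiverpool", "com.kentoh.hackerfeed", 0, 2, 5, 1758315397, None, "UNUSED", 0),
        ("kTCCServiceLiverpool", "com.lifetimefitness.interests.ltfitness", 0, 2, 5, 1748295255, None, "UNUSED", 0),
        ("kTCCServiceLiverpool", "com.apple.Maps", 0, 2, 5, 1748295255, None, "UNUSED", 0),       # constructed Apple row
        ("kTCCServiceLiverpool", "com.example.weather", 0, 0, 3, 1748295255, None, "UNUSED", 0),  # constructed: denied, user set
        ("kTCCServiceCamera", "com.example.camera", 0, 2, 2, 1748295255, None, "UNUSED", 1748295255),  # constructed: consented
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for hit in flagged_grants(conn, "kTCCServiceLiverpool"):
        print(hit)
    print(reason_baseline(conn, "kTCCServiceLiverpool"))
```

Run it with the path to an extracted TCC.db to audit the real database; with no argument it audits the built-in sample. The baseline output is the part that decides the question: a third-party "Service Policy" row next to Apple rows with the same reason is a policy-written grant, not evidence of a privilege the app should not have.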