iOS-TCC-Framework-Bypass/README.md
Joseph Goydish II 87764bab44 Add security disclosure section to README
Added security disclosure and tracking information.
2025-12-12 20:36:51 -05:00
# iOS TCC Framework Bypass: Undocumented `kTCCServiceLiverpool` Access
## Overview
This repository documents a critical flaw in the iOS TCC (Transparency, Consent, and Control) framework that allows **third-party applications to gain system-level privileges** through an undocumented service, `kTCCServiceLiverpool`. This bypass occurs silently, without user consent, and is not visible in iOS Privacy Settings.
The issue was identified on iOS 26.1 through analysis of the TCC database (`TCC.db`) extracted from sysdiagnose logs. Multiple unrelated third-party apps have been observed with `auth_reason=5` grants, which are normally **reserved for Apple system processes**.
---
## Security Disclosure & Tracking
- Reported to CERT-In: **2025-12-11**
- Tracking ID: **CERTIn-15336025**
## Affected Components
* **Service:** `kTCCServiceLiverpool`
* **Apps Observed with Unauthorized System Bypass:**
  * `com.kentoh.hackerfeed`
  * `com.lifetimefitness.interests.ltfitness`
* **auth_reason:** 5 (System Bypass Authority)
* **Device Tested:** iPhone 14 Pro Max, iOS 26.1
* **Timeframe of Grants:** 2024-2025
---
## Technical Analysis
### Root Cause
The TCC framework incorrectly assigns `auth_reason=5` to third-party apps due to a **logic flaw in the authorization assignment routine**. Key indicators of programmatic bypass include:
* `pid: NULL`: no associated process
* `boot_uuid: UNUSED`: not tied to a specific boot session
* `last_reminded: never`: no user prompt recorded
These metadata fields differ from standard TCC grants, which are tied to processes, sessions, and consent prompts.
### Undocumented Service
`kTCCServiceLiverpool` is **not listed in public TCC documentation** and **does not appear in Privacy Settings**. Access to this service provides **silent system-level privileges** to third-party apps, creating a hidden vector for data access.
---
## Evidence
### SQL Query to Identify Unauthorized Grants
```sql
SELECT client, service, auth_reason, datetime(last_modified, 'unixepoch') as last_modified
FROM access
WHERE auth_reason = 5
AND client NOT LIKE 'com.apple.%'
AND client NOT LIKE 'developer.apple.%';
```
### Sample Findings
| Application | Service | Last Modified |
| --------------------------------------- | -------------------- | -------------------- |
| com.kentoh.hackerfeed | kTCCServiceLiverpool | 2025-09-19T20:56:37Z |
| com.lifetimefitness.interests.ltfitness | kTCCServiceLiverpool | 2025-05-26T21:34:15Z |
---
## Impact
* **Privilege Escalation:** Third-party apps can bypass normal user consent.
* **Privacy Risk:** Apps can access sensitive services or telemetry without visibility.
* **Persistence:** Observed across multiple iOS updates.
* **Detection Difficulty:** Hidden from Privacy Settings; requires TCC database inspection.
---
## Recommendations
1. **Audit TCC database** for any unauthorized `auth_reason=5` grants.
2. **Revoke unauthorized grants** and force user re-consent for affected apps.
3. **Restrict `auth_reason=5`** exclusively to Apple-signed system services.
4. **Document or restrict `kTCCServiceLiverpool`** in official TCC framework documentation.
5. **Add runtime assertions** to prevent unauthorized assignment of system bypass authority.
---
## Reproduction Steps
1. Generate a sysdiagnose log on an iOS 26.1 device.
2. Extract `TCC.db` from `sysdiagnose_*/logs/Accessibility/`.
3. Run the SQL query above to identify third-party apps with `auth_reason=5`.
4. Confirm unauthorized access to `kTCCServiceLiverpool` for affected apps.
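The audit from steps 3 and 4 can be scripted: the following Python is an added example (not part of this repository) that runs the README's query against a constructed, in-memory stand-in for `TCC.db` and tags each non-Apple `auth_reason=5` row with the metadata indicators listed under Root Cause. The table uses only the columns the audit reads (an assumed subset of Apple's schema), the sample rows and bundle IDs are constructed, and `last_reminded` of `0` is taken to mean "never".

```python
import sqlite3
from datetime import datetime, timezone

# Constructed subset of the TCC.db `access` table: only the columns this
# audit reads (assumption; Apple's full schema carries more columns).
SCHEMA = """CREATE TABLE access (
    service TEXT NOT NULL, client TEXT NOT NULL, auth_value INTEGER,
    auth_reason INTEGER, last_modified INTEGER, pid INTEGER,
    boot_uuid TEXT, last_reminded INTEGER)"""

# Constructed sample rows (illustrative, not extracted data): an Apple process
# with auth_reason=5 (expected), a third-party kTCCServiceLiverpool grant with
# the Root Cause metadata pattern, and a normal user-prompted grant.
SAMPLE_ROWS = [
    ("kTCCServiceLiverpool", "com.apple.example.daemon", 2, 5, 1758315397, None, "UNUSED", 0),
    ("kTCCServiceLiverpool", "com.example.thirdparty", 2, 5, 1758315397, None, "UNUSED", 0),
    ("kTCCServiceCamera", "com.example.thirdparty", 2, 2, 1748295255, 4321, "constructed-uuid", 1748295255),
]

# The README's query, widened to also return the fields inspected below.
AUDIT_QUERY = """SELECT client, service, auth_reason, last_modified, pid, boot_uuid, last_reminded
FROM access
WHERE auth_reason = 5
  AND client NOT LIKE 'com.apple.%'
  AND client NOT LIKE 'developer.apple.%'"""


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for an extracted TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def audit_system_grants(conn: sqlite3.Connection) -> list[dict]:
    """Return non-Apple auth_reason=5 rows, each tagged with the indicators it shows."""
    findings = []
    for client, service, reason, modified, pid, boot_uuid, reminded in conn.execute(AUDIT_QUERY):
        indicators = []
        if pid is None:
            indicators.append("pid NULL")          # no associated process
        if boot_uuid == "UNUSED":
            indicators.append("boot_uuid UNUSED")  # not tied to a boot session
        if not reminded:                           # 0/NULL: no prompt ever recorded
            indicators.append("last_reminded never")
        findings.append({"client": client, "service": service, "auth_reason": reason,
                         "last_modified": datetime.fromtimestamp(modified, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "indicators": indicators})
    return findings
```

To run it against a real extraction, replace `load_sample_db()` with `sqlite3.connect("/path/to/TCC.db")`; rows that carry all three indicators are the ones that match the pattern described above.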
---