
    iOverwrite: Overwrite deleted files' data on your iOS device.

    Version 7.
    © by
    All rights reserved.

    Overview

    iOverwrite was an app that filled the unused space of your iPad or iPhone's flash storage with random data. This is useful in case you want to prevent any future owner (or thief) of your iOS device from un-deleting your data. Wiping the unused space from a drive is a standard security measure that some people perform regularly.

    Postmortem

    When I recently uploaded a new version to fix an urgent bug, Apple asked me to take this app down. Their rationale, however, did not hold up to critical analysis.

    0. Spam app (bogus)

    This was their initial bogus allegation, and they made the same claim about two other apps of mine, so three apps were flagged as spam. It turns out that a great many apps have been marked as spam, and mine were caught up in that purge. Apple wildly overshot.

    After I wrote an email to Tim Cook, which was read, all three complaints were deemed inappropriate and officially dismissed.

    1. Physical harm (bogus)

    They then alleged that iOverwrite was still violating their rules. They said that writing data to the flash drive repeatedly could cause excessive wear of the flash memory. This is utterly bogus.

    If an app were writing to one particular sector of flash over and over, this claim might make sense. However, the app doesn't do that. In fact, no app can, because the OS prevents it. What iOverwrite does is write random data to the drive, which fills sectors one after the other, each only once. With modern flash memory, each sector can be written 10,000 to 100,000 times before it fails. Writing to a sector just once causes no significant wear-and-tear.

    iOverwrite's impact is not different from that of an app that records a 4K video that fills the entire drive, except that iOverwrite purposely tries to fill as much space as it can and does not spare any sector.

    Why is this distinction important? Because if there were some official directive in effect to save the user's deleted data from being overwritten at all costs, any video recording app from Apple would find a way to tip-toe around sectors that contain juicy tidbits of your data, e.g. deleted emails or deleted texts.

    2. Random data is unacceptable

    I contested everything Apple was claiming, and I eventually spoke with a few Apple employees.

    It is always important to debate Apple's employees. They are not always right, and, contrary to some fanboys' belief, Apple is not a cult; they sometimes have an open mind.

    One Apple employee (I forgot the name) indicated verbally, but not in writing, that an app that writes random data to the flash drive is a cause for concern. Note that Apple's rules do not prohibit writing random data to flash. But this was the real issue with the app.

    This was a very odd complaint. I pointed out that this new complaint was not what they had formally complained about, and that nowhere had it been put in writing, to which this person had no response.

    I offered to write all zero bytes instead, but the Apple representative pretended not to hear this either.

    By then their decision to reject the app was final. It was a business decision.

    So why would Apple, or anyone for that matter, be concerned about random data?

    First you need to know that the following three types of data look the same at the drive sector level:

    • Random data
    • Highly compressed data
    • Encrypted data

    (Files are stored in one or more sectors, which are small chunks of data of fixed length.)

    At the file level, the following two types of data look the same:

    • Data that is encrypted
    • Data that is random

    (A compressed file normally begins with certain bytes indicating it's compressed.)

    Writing random data would only be a concern if there were some need to identify the encrypted files in flash memory, and to process them in some way. Processing of encrypted files is laborious, because they require human intervention and they have to be brute-force decrypted.

    If a drive contains random files, these would be misidentified as encrypted, especially if the people doing the surveillance are lazy or not very smart, and time would be wasted.
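    The sector-level versus file-level distinction above, as an added example (not the app's code): a Shannon-entropy check puts random, gzip-compressed and encrypted bytes in the same bucket per sector, while at file level only the compressed file gives itself away, through its header. The 4096-byte sector size, the SHA-256 counter keystream standing in for a real cipher, and the constructed sample inputs are assumptions of this example.

```python
import gzip
import hashlib
import math
import random
from collections import Counter

SECTOR = 4096            # assumed sector size; real devices vary
HIGH_ENTROPY = 7.5       # bits/byte above which bytes look random

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram, from 0 (constant) to 8 (uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter keystream (stand-in for a real cipher); XOR inverts itself."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def classify_sector(sector: bytes) -> str:
    """Sector level: only byte statistics are visible, so random, compressed and
    encrypted sectors all land in the same bucket."""
    return "high-entropy" if entropy_bits_per_byte(sector) > HIGH_ENTROPY else "low-entropy"

def classify_file(data: bytes) -> str:
    """File level: a compressed file announces itself by its header (gzip: 1f 8b);
    random and encrypted files carry no header and stay indistinguishable."""
    if data[:2] == b"\x1f\x8b":
        return "compressed"
    if entropy_bits_per_byte(data) > HIGH_ENTROPY:
        return "encrypted-or-random"
    return "plain"

def build_samples() -> dict:
    """Constructed inputs: pseudo-English text, its gzip, its 'ciphertext', random bytes."""
    rng = random.Random(2024)
    letters = "abcdefghijklmnopqrstuvwxyz"
    words = ["".join(rng.choice(letters) for _ in range(rng.randint(3, 9))) for _ in range(64)]
    text = " ".join(rng.choice(words) for _ in range(8000)).encode()
    return {
        "text": text,
        "compressed": gzip.compress(text),
        "encrypted": keystream_xor(b"demo-key", text),
        "random": bytes(rng.getrandbits(8) for _ in range(len(text))),
    }

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10s} sector={classify_sector(blob[:SECTOR]):12s} file={classify_file(blob)}")
```

Running it shows the random and encrypted samples classified identically at both levels, which is exactly the misidentification the text describes.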

    If someone is analyzing your encrypted files, they are presumably stealing your non-encrypted files as well. And this would all be a part of a data-theft and surveillance program.

    How they would steal and analyze your data

    Imagine one day, you put a new lock on your home's door. The next day, a neighbor shows up and asks why there is a new lock on your door. You didn't tell him you put it there. He wasn't supposed to know about it. He isn't supposed to care. His interest reveals what he has likely been doing -- entering your house.

    This is similar.

    1. It has been revealed that Apple cares that a particular type of data is on your iPhone.
    2. It is a type of data (random data) that is indistinguishable from encrypted data.
    3. Encrypted data holds secrets.
    4. Someone wants your secrets.

    Every sector of an iPhone's flash drive is already encrypted by iOS; thus somehow this someone is getting access to sectors after they have been decrypted by iOS. This can only happen with Apple's help.

    Assuming that I was not wildly misinformed by this Apple worker about writing random data being unacceptable and the real reason why iOverwrite was rejected, I propose that someone, for some reason, wants to steal and analyze the contents of your iPhone's flash memory. The euphemism for stealing that hides its criminal aspect is "exfiltrate".

    Let us now ask: how would this theft be done? They would exfiltrate either sector-by-sector or file-by-file.

    a. Sector-by-sector exfiltration

    Imagine that, at some point in the future, someone gets their hands on your iPhone's entire flash drive contents, including deleted files. Obviously the default full-disk encryption will not have been in effect when the data was stolen; this might be done through the baseband processor with the help of the phone's firmware, which would have to decrypt each sector.

    If the exfiltration were happening via a USB cable, the drive contents would transfer quickly. They would just grab it all. Afterwards they would care about which data is encrypted versus random, because this distinction impacts their analysis.

    (Some types of data require more analysis effort than other types of data. Encrypted data is the worst: It would require the attention of a human specialist and a time-consuming brute-force decryption.)

    If the exfiltration is happening via a GSM/CDMA connection, which can be slow, they will want to avoid transferring blank sectors' contents. The perpetrator will want every single sector that contains interesting data and nothing else. They will be especially interested in encrypted sectors.

    Therefore one motive for the thieves not to want any randomized data on the iPhone would be that uploading the loot takes much longer.

    b. File-by-file exfiltration

    It is known that Samsung was caught allowing file-by-file exfiltration to happen via the baseband processor over GSM, uncovered during the Replicant project's analysis of Samsung's firmware. So this phenomenon of a corporate-supplied backdoor into a phone is not novel.

    If the putative iPhone file-level exfiltration were happening via a GSM/CDMA connection, uploading large random files such as those produced by iOverwrite from the flash drive would greatly slow down the data theft and give the perpetrators files that appear encrypted but are not.

    File-level exfiltration would miss deleted files such as deleted emails, photos and texts as well as perhaps a spook's dead drop files -- unless there is a mechanism to keep deleted files around in case someone wants to exfiltrate them.

    Preliminary conclusion

    The available evidence is a clearly stated claim by one Apple worker that storing random data on the flash drive is a cause for concern and the real reason for iOverwrite being rejected.

    Assuming this is true:

    • I deduce that a data theft mechanism may exist in iPhones already, because there is concern about specific data file types on iPhones.
    • I infer that it involves the baseband processor making requests for file- or sector-level exfiltration, mainly because it has been done before in Samsung phones.
    • I deduce this mechanism would have to be supported in the iOS operating system and in the baseband firmware, because the flash already has full-disk encryption, meaning the OS is needed to decrypt sectors.

    The baseband firmware support is needed to permit a remote party to make requests for data exfiltration (theft) directly to the baseband processor that it passes on to iOS.

    The baseband would be preferable because it can be individually addressed from a remote location, which is not true of Wi-Fi or Bluetooth; exfiltration via a USB cable would require rare physical access.

    Modifications to iOS and baseband firmware require engineering effort supported by a managerial decision to allow the backdoor.

    Counterarguments

    Question 0:
    Why even believe what the Apple representative said? Perhaps it was just an invented excuse to remove an app that enhances privacy by overwriting deleted files.

    Assertion:
    That still raises the question of how those deleted files would be obtained. With full-disk encryption always on, Apple would still have to provide a mechanism to steal them somehow.

    Question 1:
    Why wouldn't the method of exfiltration be syncing with iTunes? Once the data is on a hard drive on a PC or Mac, it is more easily accessible to thieves.

    Fact:
    Many people never sync their iPhone or iPad with a computer.

    Fact:
    Deleted files, which are what the whole matter of overwriting is about, would not be synced via iTunes in the first place.

    Question 2:
    Let's say some government agency is using a backdoor to steal your data. If they know that an app called iOverwrite exists, which produces randomized files that are of zero surveillance value, why would they not just revise their surveillance code to ignore this app's files?

    Assertion:
    It was an Apple representative I was speaking with, who may have been conveying a directive that was nonspecific. It surely would be smart of spooks to just ignore iOverwrite's random data files.

    Assertion:
    There are so few of these spooks, and there are so many apps out there, that they do not have the time to adapt their surveillance code to exclude one app's useless files. Therefore my huge randomized files get uploaded, very slowly, which takes up a lot of space on their servers.

    Counter-assertion:
    Assuming spooks are responsible enough to prioritize their work, it would be no problem to add an exception for a particular app.

    Question 3:
    If the number of targeted individuals is fairly small, as it absolutely should be, shouldn't the attackers have more than enough personnel to handle each individual spying target, and time enough to exclude iOverwrite's files during exfiltration?

    Assertion:
    Evidence indicates the number of targeted individuals is vast, and always was vast. Everyone is being surveilled.

    Assertion:
    This assumes that the mechanism can differentiate between the files of different apps. It may be a dumb mechanism.

    A business decision

    Apple's app reviewers said their rejection of iOverwrite was a business decision. (Note, I was the one who went into the account and removed the app.) So even if I didn't violate any particular rule, in spirit or in letter, in some way the idea of writing random data to a drive harms their profit motive. Think about that. The application does not harm your flash memory any more than a video recording app does. You are the owner of the phone or tablet, so it is yours to do with as you want. Imagine if Toyota were to tell customers that taking their Camry to a car wash, or vacuuming it at home to get it clean, is in some way bad for them, so they must stop. It would be ridiculous.

    So we should ask Apple: What monetary loss could arise from an app's writing random data to a flash drive, unless that data is being exfiltrated for analysis?

    • Q: Is someone paying Apple for the users' data?
    • Q: Is there some monetary penalty for not providing it?



    © Zack Smith