Apple: We don't build back doors into our products

Amid new alleged security flaws, the company denies building back doors in its devices or services that allow for government or other third-party snooping.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
3 min read

James Martin/CNET

Apple has issued a statement insisting that it does not build any back doors into its products or services.

In the following statement posted on Twitter by Financial Times journalist Tim Bradshaw, Apple denied working with any government agency to create back doors in its products:

We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.
As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products of services.

Charges of back door holes have dogged Apple and other tech companies in the wake of the leak of classified government documents by former National Security Agency consultant Edward Snowden. Such security vulnerabilities would allow government agencies, as well as third-party hackers and other malicious entities, to easily gain entry into devices in order to access user data. If true, such charges would damage a company's reputation and sales by implying that they're willing to cooperate with the government at the expense of the trust of their customers.

Apple and other tech players have already responded in the past to deny such allegations. Apple's latest statement is a response to a recent claim from forensic scientist and author Jonathan Zdziarski that the NSA may have exploited certain features and services in iOS to gather data on potential targets. Detailing his claim at a security conference last Friday, Zdziarski did not assert that Apple has cooperated with the NSA in creating back doors, but merely that such back doors seem to exist.

"I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets," Zdziarski said in a blog post. "I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices."

Apple's response on Monday didn't exactly impress Zdziarski. In another blog posted later in the day, the forensic scientist chided Apple for "inadvertently" admitting that certain back doors do exist in iOS, but that they exist for the purpose of diagnostics for enterprise IT customers. Zdziarski said Apple's seeming admission to these back doors opens up privacy weaknesses in that they bypass the backup password security offered in iOS.

"I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted," Zdziarski said. "The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user."

Zdziarski also raised skepticism over Apple's claim that the back doors are used solely for diagnostics.

"I don't buy for a minute that these services are intended solely for diagnostics." Zdziarski said. "The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption. Tell me, what is the point in promising the user encryption if there is a backdoor to bypass it?"

CNET contacted Apple for comment on Zdziarski's further claims and will update the story with any further information.

(Via Boy Genius Report)