Automatic contact sharing in iOS leaks emails to Lockdown Mode devices

A few days ago I submitted the following report to Apple:

When other iPhone users attempt to contact an iPhone in Lockdown Mode, for example by calling its number or sending an iMessage, the Lockdown Mode exposes emails of these other users to the iPhone in Lockdown Mode via a push alert on the lock screen titled “Lockdown Mode blocked Name and Photo” with text “[email address] attempted to share their Name and Photo.”

UPDATE: This behaviour is most likely triggered when the calling user adds the receiving number to their contacts. The automatic Name & Photo sharing settings are located in Settings > Phone > Share Name and Photo. However, there is no information there that states email is also shared.

Steps to reproduce

1. Set your iPhone to Lockdown Mode

2. Get another iPhone with a number not in your contacts to call you; do not pick up.

3. Your iPhone in Lockdown Mode (and all your other iOS/iPadOS devices in Lockdown Mode as well) will receive a push notification on the lock screen titled “Lockdown Mode blocked Name and Photo” with text “[email address] attempted to share their Name and Photo.”

Expected results

Lockdown Mode should not expose email addresses of people who attempt to call you, because they expect that only their phone number is shared.

Actual results

Lockdown Mode exposes email addresses of people who attempt to call you. I assume that these email addresses are their Apple IDs.

Apple response

“Thanks for contacting us. The behavior you reported is expected when using Lockdown Mode.”

Thanks Apple. I think that’s a privacy issue, but ok. Maybe it’s a security issue as well if we consider this a leak of Apple IDs.

Or maybe it’s just an interesting feature. Dear reader, what do you think?

By Marek

I graduated from Oxford University Computing Laboratory in 2008 and since then have been a full-stack lead on many projects, in different technologies. Myself, I like to code in Perl, Solidity and JavaScript, run on Debian & Nginx, design with Adobe CC & Affinity and work remotely, but overall I always do whatever gets the job done. I like to learn new things all the time!

3 replies on “Automatic contact sharing in iOS leaks emails to Lockdown Mode devices”

Given how important metadata alone can be, especially in light of the recent news where push notifications are being harvested by governments and likely any organization with enough money, it’s considered a breach of privacy just to be told the user using that phone number is using Lockdown Mode to begin with, let alone exposing email addresses like that. It exposes 1) the person has an iPhone, 2) the device is new enough to be able to enable Lockdown Mode, 3) email addresses, 4) and it may reveal a person’s face if it wasn’t already known, assuming a person uses a face picture as their iCloud account icon (by default that option is turned on, I believe). These could be considered some pretty important data points for some adversaries. There are other ways to remotely reveal whether a person owns an iPhone or not, but at least some of them are under a person’s control (for example you can force iMessage to always use SMS, which eliminates the distinguishing blue/green dichotomy, although it can expose the messages – always a trade-off somewhere).

Hey, I wanted to ask you a few questions about this.
+ Are you sure you don’t have your iCloud email address set as the “Start new conversations from” option in iMessage settings?
+ If you send them an iMessage, does the sender show as the email address, or the phone number?

In any case, I’m pretty sure that this isn’t actually related to Lockdown Mode; iOS just happens to expose information that it was apparently receiving anyway.
The reason I’m asking about iMessage even though you’re calling them is that I’m pretty sure the name & photo sharing for phone calls reuses the iMessage mechanism.

As a definitive fix for anyone who is concerned, you should be able to just turn off name and photo sharing on the calling iPhone.

After some more discussion on Reddit, I think what is actually happening is that the default setting for Name & Photo sharing found in Settings > Phone is set to ON and Contacts Only. Therefore, if my device is in Lockdown Mode, when someone calls me and then adds me to their contacts, my Lockdown Mode will block the reception of their Name & Photo data sent via the Apple ID contact sharing system, but then inadvertently expose their Apple ID email address in the notification. I think Settings > Phone > Share Name and Photo should state that the email address is shared as well.
