Wired: 'iPhone takes screenshots of everything you do'
On your iPhone or your iPod touch, when you press the Home button, there's a nice little animation that takes you back to the home screen.
To create that animation, your iPhone takes a screenshot of whatever it is you're doing, and uses it for the transition. Sounds innocent, right?
Not so much, says data forensics expert Jonathan Zdziarski (thank you, clipboard). The screenshot is presumably erased from the iPhone after the application closes, but is any digital file really gone after you delete it? Survey says no.
Forensics experts have mined for these screenshots, successfully recovering evidence against criminals accused of rape, murder, and drug deals. They can also recover data from the iPhone's keyboard and web caches.
In his presentation, Zdziarski also demonstrated how to bypass an iPhone's passcode in order to own the device and access personal data. Time-consuming? Sure (it took JZ about an hour and involved a custom firmware build). Impossible? No.
As with all things digital (and networked), your privacy is largely illusory. Time to go Don Draper on this one and just use Field Notes books, my stack of business cards, and the rotary dial.
[Via Wired.]
Thanks, Kenny!




Reader Comments (Page 1 of 2)
Buckingham said 6:32PM on 9-11-2008
Nothing new. When you minimize a window in Mac OS X, a similar thing happens. The contents of the window frame buffer are saved to memory and this is the one that gets animated. That's how Core Animation works.
punkassjim said 7:57PM on 9-11-2008
Are you sure about that? I seem to recall that video windows continue to play while animating to the dock, as well as after they're minimized. Wasn't that the beauty of Core Animation? That it wasn't as resource-intensive as taking/manipulating bitmap screenshots all over the place?
Tavis Booth said 11:21AM on 9-12-2008
Nope, the video stops playing when minimized :D
Elijah Terrell said 6:36PM on 9-11-2008
Fast user switching does similar with privacy implications. If you switch from user A to user B, the screenshot of A's desktop used in the transition can under some circumstances be displayed on B's screen - I have only seen this in a bug in VLC but surely an application could exploit this on purpose. Also if it is even briefly on the hard drive it could be recovered if not overwritten.
Jon H said 2:28AM on 9-12-2008
"If you switch from user A to user B, the screenshot of A's desktop used in the transition can under some circumstances be displayed on B's screen - I have only seen this in a bug in VLC but surely an application could exploit this on purpose."
I'm pretty sure no actual files are being created in this case. Why bother creating a file, when the bits are already in RAM and possibly in VRAM on the video card?
I'd guess what you're seeing is just an OpenGL glitch, using memory from the wrong buffer or texture.
Similarly, I seriously doubt the iPod is writing files. Why bother? The image of the currently visible screen content isn't going to take up much RAM, especially after the actual application has quit.
Why spend the cycles to write the bits out to a file, possibly compressing it at the same time, when it's already in memory and I/O is busy loading the new software and screen contents?
It's not like the quitting application's screen image needs to be persistent in case the device crashes during the transition.
J said 6:37PM on 9-11-2008
This is idiotic fear-mongering. "Presumably"? I take it to mean that Zdziarski hasn't actually checked to see where, if anywhere, the screenshots are stored. Moreover, even if it is taking a screenshot, it would make a lot more sense for it to go into volatile memory -- and a screenshot is entirely unnecessary for the effect because that's what Core Image is for.
punkassjim said 8:02PM on 9-11-2008
For those who may remember Jonathan Zdziarski's name (thanks again, clipboard), he's the dumbass who found the "blacklist" or "killswitch" website on Apple's servers. And went batshit. Thought it was Apple's means of killing apps on your iPhone remotely, once they've been removed from the AppStore.
He was wrong. It was a safety feature that was built into CoreLocation, in order to keep known-rogue applications from doing bad things with your private location data.
And, owing to the fact that his name is easily recognized, we're all quite well-equipped to start rolling our eyes whenever we hear from him. Carry on.
a ham sandwich said 6:39PM on 9-11-2008
NO ONE CARES. I'M NOT DOING ANYTHING MALICIOUS ON MY iPHONE. JEEZ.
a ham sandwich said 6:40PM on 9-11-2008
sorry robert if it seems like that meant you. it doesn't. i love you. i was referring to "data forensics expert Jonathan Zdziarski". and really. thanks clipboard!
caleb said 6:44PM on 9-11-2008
Honestly, just like any other information system, once physical security is defeated, you can have no expectation of privacy.
caleb said 6:46PM on 9-11-2008
"privacy" should have been "security" instead, but privacy works too.
Rubbinz said 7:02PM on 9-11-2008
Um... hmmmm... this isn't 'new' news. I first heard of the auto screenshot thing last year just after the iPhone went on sale.
Macroy said 7:29PM on 9-11-2008
Haha, I just started watching Mad Men (from the beginning!) this week. If you posted this last week that reference would have totally been lost on me (and would have spoiled the first episode!!)
Ernie Oporto said 9:48PM on 9-11-2008
As we say in the datacenter, if you already have physical access to the device, most of the job is done.
Ernie Oporto said 8:26PM on 9-11-2008
As we say in the datacenter, if you have physical access to the device, the job is mostly done.
Mike Schramm said 9:13PM on 9-11-2008
Mad Men is the best show on TV, by the way. R. Palmer gets a thumbs up from me.
umijin said 9:26PM on 9-11-2008
What I don't like about it is that the device has something that is treated like a photo on it.
So now when I plug in my iPod Touch, my Canon software (photo window) thinks it's a camera (or camera SD card) and boots up. Half the time it (Photo Window) crashes, the other half of the time I get an error message, and the app quits on its own.
A quick check with Image Capture shows an image that may be downloaded, but my iPod touch is not a camera, dammit.
Way to go, Apple.
casey said 9:31PM on 9-11-2008
"Forensics experts have mined for these screenshots, successfully recovering evidence against criminals accused of rape, murder, and drug deals."
I'm guessing that's just a flat out lie.
Mathias said 12:15AM on 9-12-2008
You don't think it's common for rapists and murderers to take photos of their victims (with another camera, since it wasn't actually ON the iPhone), upload them to a private server, and then watch them through the web browser on an iPhone (again, since it wasn't actually ON it, just viewed from it)? Nah, I don't either. Don't think they brag about it through SMS either.
Todd said 9:57PM on 9-11-2008
Mr. Zdziarski needs to release that firmware build as Public Domain immediately!
http://sourceforge.net/account/registration/