Update: Zdziarski put up a more detailed response.
Apple responded to the backdoor story.
Each of these diagnostic capabilities requires the user to have unlocked their device and agreed to trust another computer. Any data transmitted between the iOS device and trusted computer is encrypted with keys not shared with Apple. For users who have enabled iTunes Wi-Fi Sync on a trusted computer, these services may also be accessed wirelessly by that computer.
Zdziarski, the author of the article that started this all, is not impressed.
I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption. Tell me, what is the point in promising the user encryption if there is a back door to bypass it?
Apple's response doesn’t actually deny or contradict anything Zdziarski stated, so in the end, it all comes down to trust. Apple claims they only use these tools for “diagnostics” (which is a stretch considering the extensive and pervasive nature of the data they expose, but alas), and it’s up to us to decide whether we trust them or not. If you still trust Apple – or Google, or Microsoft, or any other major technology company, for that matter – at this point, then I admire your child-like innocence.
What else are you going to do? What other phone/tablet/computer/etc are you going to buy? What other manufacturer makes and sells an absolutely secure device with absolutely no possible way of getting into it and stealing your information and data? Is the best option some no-name phone manufacturer with an obscure ROM installed by means of some Brobdingnagian process that no one but the nerdiest of the nerds can accomplish? The situation is exactly the same whether the device is made by Apple, Microsoft, LG, Sony, Motorola, Samsung, One+One, whoever it is. Every device and every OS has these flaws in them as well as the associated risks if you put everything about you, good or bad, legal or not, onto them, so it’s up to the user in the end to make the decision on what to buy and how much of their “identity”, information, and secrets to put on the things. That’s where the ultimate responsibility lies.
Edited 2014-07-23 10:26 UTC