“What happens on your iPhone, stays on your iPhone” really?

Even though vulnerabilities that cause data leaks occasionally surface in Apple's products, Apple is generally known for attaching great importance to privacy in its products.
The Sign in with Apple feature announced with iOS 13 is one of the latest examples of this.
However, when it comes to data security and privacy, not everything may go as Apple intended.
Let's touch upon what a malicious app developer, or a third-party SDK innocently added to an app, can do without any permission from the user, or by abusing permissions that were granted:

What happens on your iPhone, stays on your iPhone.
Photo credit: Chris Velazco

Paste Board

The Paste Board is the iOS facility through which copy and paste operations are handled.
All apps can read copied text or images from it without any permission.
It does not matter whether the app is actively on the screen or in the background; it just needs to be running.
An explicit action such as a "paste" command by the user is also not required.
So, text or images copied by the user are exposed to abuse.

In addition, apps can write their own text or images to the Paste Board without the user's consent.
Thus, content that may put the user in a difficult situation can be placed on the Paste Board as if the user had copied it.

For technical details, please see Apple's docs.

Update: At WWDC 2020, Apple announced that a notification banner will be shown when an app reads data from the Paste Board on iOS 14+.

Update: At WWDC 2022, Apple announced that a permission dialog will be shown when an app attempts to read data from the Paste Board on iOS 16+.
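As an added example (not code from the original article), this is how an app that must put a sensitive value such as a one-time code on the Paste Board can limit the exposure described above: the item is kept off Universal Clipboard and expires on its own, and reads happen only on an explicit user action. The function names are assumptions; the UIPasteboard options and the hasStrings behaviour on iOS 14+ are Apple's documented API.

```swift
import UIKit
import UniformTypeIdentifiers

// Added example, not from the original article. Copies a sensitive value so that
// it is neither synced to the user's other devices via Universal Clipboard nor
// left on the pasteboard indefinitely for any running app to read.
func copySensitiveValue(_ value: String, lifetime: TimeInterval = 60) {
    let pasteboard = UIPasteboard.general
    pasteboard.setItems(
        [[UTType.plainText.identifier: value]],
        options: [
            .localOnly: true,                                     // stays on this device only
            .expirationDate: Date().addingTimeInterval(lifetime)  // cleared after `lifetime` seconds
        ]
    )
}

// Reads the pasteboard only when the user asked for it (e.g. tapped a "Paste"
// button). hasStrings is a metadata check that does not trigger the iOS 14+
// banner; reading .string does, which is exactly what the user expects here.
func pasteIfUserRequested() -> String? {
    let pasteboard = UIPasteboard.general
    guard pasteboard.hasStrings else { return nil }
    return pasteboard.string
}

// Removes the value early, e.g. once the code has been consumed.
func clearPasteboard() {
    UIPasteboard.general.items = []
}
```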

Photos

Apps that are granted photos access can, along with all the photos, also access the metadata embedded in those photos, such as location and time.
Hence, regardless of location permission, apps can obtain location information both retroactively and continuously as the user keeps taking photos.

With iOS 11, Apple had announced a solution that could partially work: a photo selection UI component called UIImagePickerController, designed to give only the selected photos to the app once, instead of granting access to all photos forever.
However, since Apple does not force the use of this component, app developers do not prefer it, and apps often require unnecessary full photos access.

For technical details, please see this issue on GitHub.

Update: At WWDC 2020, Apple announced a Limited Photos Library Access mode (PHAuthorizationStatusLimited) on iOS 14+.
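As an added example (not from the original article), this shows the picker-based alternative to full photos access on iOS 14+: PHPickerViewController runs out of process, needs no photo library permission at all, and hands the app only the item the user chose. The class and callback names are assumptions; PHPickerViewController and its delegate are Apple's API.

```swift
import UIKit
import PhotosUI

// Added example, not from the original article. Lets the user hand the app a
// single photo without the app ever being authorized to read the photo library.
final class PhotoPickHandler: NSObject, PHPickerViewControllerDelegate {
    var onImage: ((UIImage) -> Void)?   // assumed callback for the picked image

    func makePicker() -> PHPickerViewController {
        // Default configuration, not tied to a PHPhotoLibrary: nothing to authorize.
        var config = PHPickerConfiguration()
        config.filter = .images
        config.selectionLimit = 1
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        return picker
    }

    func picker(_ picker: PHPickerViewController, didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }
        // Loading as UIImage yields pixel data; the file's EXIF block (GPS
        // coordinates, capture time) that the article describes is not carried
        // along, so re-encoding this image does not leak the user's location.
        provider.loadObject(ofClass: UIImage.self) { [weak self] object, _ in
            guard let image = object as? UIImage else { return }
            DispatchQueue.main.async { self?.onImage?(image) }
        }
    }
}
```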

Microphone

Apps that are granted microphone access do not have to show any warning while recording audio.
If the app is recording audio while in the background or making a voice call, iOS automatically changes the color of the status bar and notifies the user visually.
However, if the app is recording audio while actively on the screen, this may not always be noticeable.
For example, an app like WhatsApp, granted microphone access for voice calls, may be recording audio not only during voice calls but also while text messaging, or even on its settings screen.

Update: At the WWDC 2020 keynote, Apple announced that an indicator dot will always be shown in the status bar while an app is recording audio on iOS 14+.

Camera

Video recording with the camera works similarly to audio recording with the microphone.
Apps with camera permission can secretly record video while actively on the screen, without any indicator.

Update: At the WWDC 2020 keynote, Apple announced that an indicator dot will always be shown in the status bar while an app is recording video on iOS 14+.

Bluetooth

Until iOS 13, iOS apps that were actively running could scan surrounding Bluetooth beacons without any permission.
Thus, with beacons placed at points with high pedestrian traffic such as shopping malls, stadiums and public transportation, it was possible to track how much time a user spent at an exact point, with exact day and time information.
With iOS 13, Apple restricted this feature and now requires explicit user permission to use Bluetooth.

For technical details, please see Apple's docs.

WiFi SSID and Local Network

The SSID of the WiFi network the device is connected to can be read by all apps without any permission.
This may give a clue about the user's location, especially if it is a publicly available network.
Also, all the devices connected to the same local network can be scanned without any permission.

Apple first attempted to fix this flaw with an entitlement requirement in iOS 12, then further tightened the requirements in iOS 13.
As of iOS 13, apps must have location permission or be capable of configuring network settings to access SSID information.

For technical details, please see Apple's docs.

Update: At WWDC 2020, Apple announced a new permission for local network access on iOS 14+.

URL Scheme

A URL scheme, in simple terms, is the first part of a URL and specifies its type.
The best known examples are http://, ftp:// and mailto:.

All apps can define their own URL schemes, like twitter://, instagram://, youtube:// or nflx://.
If a URL starts with a URL scheme defined by an app, iOS opens the URL with that app.
This feature is very important for cross-app transitions, deep linking and third-party login features.

However, any app can discover which other apps are installed on a user's device by querying whether specific URL schemes are defined.

Thus, finely targeted ads become possible via advanced segmentation such as 'Netflix and Amazon Prime Video apps are installed on this user's device, but there are no social media apps'.

Although Apple introduced some restrictions on querying URL schemes with iOS 9, this method is still technically possible as of iOS 13.

Another important point is that there are no restrictions on which app can define which URL schemes on iOS.
For this reason, a completely unrelated app can manage to open all URLs that start with youtube:// just by defining the youtube:// URL scheme.
This may also allow various phishing attacks.

For technical details, please see Apple's docs.

Update: At WWDC 2021, Apple announced that the number of URL schemes an app can query will be limited to 50 on iOS 15+.

In-App Browser

In some apps, links clicked by the user are opened within the app in an interface component called WKWebView (or the older UIWebView), without switching to the Safari app.
All browsing activity inside this in-app browser can be read by the app.
It can be associated with previous or future browsing activity and may be used for profile linking.

With iOS 9, Apple introduced a component called SFSafariViewController, which could be the solution to this problem.
Browsing activity inside SFSafariViewController cannot be read by apps.
But since Apple does not force the use of this component, there are still some apps that use WKWebView.

For technical details, please see Apple's docs.

Fingerprinting

Although it is not specific to iOS devices, it may be possible to detect and track the user by collecting all kinds of permanent or dynamic information that can be obtained from the device.
This includes, but is not limited to: selected language and region settings, time zone, device model, storage capacity, percentage of free storage, battery percentage, whether the charging cable is connected, operator information, device name, Apple Watch pairing status, connection type, IP address and the state of access permissions.

Device Name

The device name is the name of the device displayed in places such as iTunes, AirDrop and Find My iPhone.
Generally it is something like "John's iPhone" or "Jane's iPad", and it can give clues about the user's name and gender.
It can be read by all apps running on the device without requiring any permission.
It can be changed from the Settings > General > About screen of iOS.

Update: At WWDC 2022, Apple announced that the User Assigned Device Name entitlement will be required to access the device name on iOS 16+.

Operator

The cellular service operator's name and code can be read by all apps without permission.
This can give a clue about the user's whereabouts.
In addition, when the user visits another country and changes SIM card, this can give clues about which country the user is visiting, even without an internet connection or location permission.

For technical details, please see Apple's docs.

Update: At WWDC 2022, Apple announced that the carrier name is deprecated and will always return "--" on iOS 16+.

NSNull

NSNull is a singleton instance representing null values on iOS.
However, the NSNull singleton lives in system-wide shared memory, not in application-specific memory.
Therefore, if the pointer value is printed and examined from different applications, it can be observed to be exactly the same address.
This value changes only when the device is rebooted; otherwise it stays the same.

Identical memory address values such as 0x1ebe1bc30 can allow user detection and tracking even among apps that do not belong to the same developer.

For technical details, please see Apple's docs.

IDFA

Identifier for Advertisers (IDFA) is Apple's official way for app developers to track users and serve advertisements.
Unfortunately, as of iOS 13 it is still enabled by default, and can be opted out of using the Limit Ad Tracking switch under the Settings > Privacy > Advertising screen of iOS.

Until iOS 10, the IDFA value was accessible even for opted-out users, and app developers were just asked to respect users' preference about it, without further limitation.
But with iOS 10, the IDFA value was replaced with the hardcoded 00000000-0000-0000-0000-000000000000 value for all opted-out users.

For technical details, please see Apple's docs.

Update: At WWDC 2020, Apple announced a new permission for tracking users or accessing their device's IDFA on iOS 14.5+.
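As an added example (not from the original article), this is the check an app that uses the IDFA should make so that it respects both the opt-out described above and the iOS 14.5+ tracking permission: the all-zero value Apple substitutes for opted-out users is treated as "no identifier", never as a key. The enum and function names are assumptions; ATTrackingManager and ASIdentifierManager are Apple's API, and the app's Info.plist must carry NSUserTrackingUsageDescription for the dialog to appear.

```swift
import Foundation
import AdSupport
import AppTrackingTransparency

// Added example, not from the original article. Returns the IDFA only when the
// user has explicitly allowed tracking and the value is not Apple's opt-out placeholder.
enum AdvertisingID {
    // Placeholder Apple returns for opted-out users since iOS 10 (value quoted in the article).
    static let optedOut = UUID(uuidString: "00000000-0000-0000-0000-000000000000")!

    /// nil unless tracking is authorized and the identifier is a real one.
    static func current() -> UUID? {
        guard ATTrackingManager.trackingAuthorizationStatus == .authorized else { return nil }
        let idfa = ASIdentifierManager.shared().advertisingIdentifier
        return idfa == optedOut ? nil : idfa
    }

    /// Shows the system dialog the first time it is called (later calls return the
    /// stored decision) and reports the usable identifier, if any. Call while the app is active.
    static func request(_ completion: @escaping (UUID?) -> Void) {
        ATTrackingManager.requestTrackingAuthorization { _ in
            DispatchQueue.main.async { completion(current()) }
        }
    }
}
```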

Keychain - iCloud - GameCenter

The encrypted data store Keychain, the cloud data service iCloud and the online gaming service Game Center may allow developers to identify the user even after the app is deleted and reinstalled.

In some apps that require login, this can be a convenience for the user.
But it can also be used for user detection and tracking before the user logs in, or even when the user logs in with a different account.

While data stored in the local Keychain is cleared only when the device is reset, iCloud and Game Center data remain accessible unless the user logs out from iOS Settings.
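As an added example (not from the original article), this is the usual way for an app to avoid recognizing a device across delete-and-reinstall via the Keychain: because UserDefaults is wiped with the app while Keychain items are not, a missing defaults flag identifies the first launch after install, and the app deletes its own Keychain items before reading any of them. The enum, function and defaults key names are assumptions; SecItemDelete and the kSec* keys are Apple's Security framework API.

```swift
import Foundation
import Security

// Added example, not from the original article. Clears this app's Keychain items
// on the first launch after (re)install so that a persisted identifier cannot
// survive the user deleting the app.
enum InstallState {
    private static let launchedKey = "hasLaunchedSinceInstall"  // constructed key name

    /// Call early in app startup, before any Keychain read. Returns true if a
    /// fresh install was detected and the Keychain was cleared.
    @discardableResult
    static func clearKeychainIfFreshInstall(defaults: UserDefaults = .standard) -> Bool {
        guard !defaults.bool(forKey: launchedKey) else { return false }
        let classes: [CFString] = [kSecClassGenericPassword, kSecClassInternetPassword,
                                   kSecClassCertificate, kSecClassKey, kSecClassIdentity]
        for itemClass in classes {
            // kSecAttrSynchronizableAny also covers items that were synced via iCloud Keychain.
            let query: [CFString: Any] = [
                kSecClass: itemClass,
                kSecAttrSynchronizable: kSecAttrSynchronizableAny
            ]
            let status = SecItemDelete(query as CFDictionary)
            // errSecItemNotFound only means nothing of that class was stored.
            assert(status == errSecSuccess || status == errSecItemNotFound,
                   "Keychain delete failed with status \(status)")
        }
        defaults.set(true, forKey: launchedKey)
        return true
    }
}
```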

Summary

These are some examples of what a malicious app developer or various SDKs in apps can do.
Apple regularly removes apps from the App Store, and even terminates Apple Developer Program memberships, for violating its review guidelines.
But usually this happens only if the issue is reported by users or detected by the review team by chance.
So, it is always better to know the systems we use every day, and to err on the side of caution.