iOS Call Syncing: How It Works

November 17th, 2016 by Vladimir Katalov

In our previous article, we figured that iPhone call logs are synced with iCloud. We performed multiple additional tests to try to understand exactly how it works, and are trying to guess why.

A Continuity Artifact?

The first idea we checked was Continuity. According to Apple:

Use iPhone Cellular Calls with any Mac iPhone, iPad, or iPod touch that meets the Continuity system requirements. It works when your devices are near each other and set up as follows:

  • Each device is signed in to iCloud with the same Apple ID.
  • Each device is signed in to FaceTime with the same Apple ID.
  • Each device has Wi-Fi turned on.
  • Each device is connected to the same network using Wi-Fi or Ethernet.
  • On iPhone, go to Settings > Phone > Calls on Other Devices, then turn on Allow Calls on Other Devices.
  • On iPad or iPod touch, go to Settings > FaceTime, then turn on Calls from iPhone.
  • On Mac, open the FaceTime app, then choose FaceTime > Preferences. Click Settings, then select Calls From iPhone.

This is not it. One of our test scenarios was performed with the device signed in with a certain Apple ID but with Wi-Fi turned off and FaceTime not signed in. We also explicitly disabled the “Allow Calls on Other Devices” setting on the test iPhone. Yes, call logs continued to sync with iCloud.

FaceTime?

Apple FaceTime can be used to make audio and video calls across iOS devices. Our second guess was this call syncing has something to do with FaceTime. Indeed, we were able to sign in to the FaceTime app on an iPad (both the iPad and FaceTime must be using the same Apple ID), and the calls were displayed right away under the “Voice” tab. Sounds logical?

According to Apple, one must do the following to enable FaceTime:

  • Open your FaceTime app and sign in with your Apple ID (you can also do this from Settings > FaceTime).
  • If you’re using an iPhone, FaceTime automatically registers your phone number. To also register your email address on your iPhone, tap Settings > FaceTime > Use your Apple ID for FaceTime, and sign in.

In our tests, we explicitly disabled FaceTime by ensuring the application has not been signed in on any test device. The calls continued syncing into iCloud. The sync is not about FaceTime.

Backups?

Call logs were traditionally part of both local and cloud backups. They continue to be part of these backups, yet with a backup you obviously only get information about calls placed or received before the backup was committed. On the other hand, once you restore an iPhone, any calls you’ve made or received after the backup will still be synced onto the newly restored handset using an alternative mechanism. This offers the user that extra bit of convenience, but was it the thing that warranted the development of this new syncing mechanism?

What Else Is Synced?

Starting with iOS 10, the call log lists VoIP calls made and received via apps using Apple CallKit. These applications include WhatsApp, Viber and Skype, with more to come. Some of these calls (in fact, only incoming, but missed) are also synced into the cloud. If you thought of FaceTime, its calls are also synced (all of them, incoming/outgoing).

No Notification

If somebody tries to download a backup created by your iPhone in your iCloud account, you will likely receive an email notification. This does not happen when somebody downloads synced call logs, which effectively allows spying upon you without you even knowing.

Government Requests?

What you read below is pure speculation.

As you may know, Apple rejects government requests when it comes to extracting data from physical devices citing encryption and tight overall security of post-iOS8 devices. However, the pressure from law enforcement could just be too much, so Apple could start moving more data into the cloud, allowing government access without losing face.

In Apple’s Legal Process Guidelines, the company puts III.G (iCloud): “iCloud only stores content for the services that the subscriber has elected to maintain in the account while the subscriber’s account remains active”. This does not mention call logs.

The III.P (FaceTime) reads: “Apple has FaceTime call invitation logs when a FaceTime call invitation is initiated. These logs do not indicate that any communication between users actually took place. Apple has no information as to whether the FaceTime call was successfully established or duration of a FaceTime call. FaceTime call invitation logs are retained up to 30 days.” Now this information is plain wrong. “…no information as to whether the FaceTime call was successfully established or duration” does not match our records: synced data contains full information including call duration and both parties. In addition, the “logs are retained up to 30 days” is false since we were able to extract information going back more than 4 months ago.

Of course, the possible cooperation with government requests are just one of the many possibilities, but we cannot think of anything better at this time.

How to Protect Yourself

There is no way to hide your calls from government requests other than disabling iCloud Drive. However, if you’re considering protection against hackers, there is a reasonably strong protection method. We recommend activating Apple’s Two-Factor Authentication (as opposed to using the older and less secure Two-Step Verification). If you do that, a hacker would have to social engineer a single-use code from you. These codes are short-lived and expire every 30 seconds, making the hacker’s job considerably more complicated.

Tags: , , , , , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz