Apple Find My Recurring Notification Consent Bypass
A while back, I set up a jailbroken iPhone to intercept HTTP(S) traffic for a different project I was working on. This involved using the wonderful SSL Kill Switch 3 tweak from NyaMisty, which can globally disable SSL certificate validation on jailbroken iOS devices. While working on that other project, I noticed that the Find My app on iOS 16.2 was sending location update events over HTTPS to Apple’s servers.
This piqued my interest, I was not expecting Find My to be communicating over HTTPS through a JSON API. I decided to poke around with the functionality of the Find My app and see if I could find any interesting behavior.
In case you haven’t used the Find My app before, it allows users to share their location with friends, family, enemies, or anyone else with an Apple ID. When you share your location with someone, they can see your location on a map and even set up notifications for when you arrive at or leave a specific location. These notifications are called “Recurring Notifications” and can be easily set up in the Find My app’s UI.
Recurring notifications are only able to be created with the consent of the person being tracked. Apple states on their page above “Your friend must approve the notification before it’s set. They get an alert asking for approval on the time and day the notifications start.”
/cloudfront-us-east-2.images.arcpublishing.com/reuters/2ZJFJEPJQRKPPGAEOEZP4XYNZY.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/18329976/akrales_190723_3560_0055.jpg)
