Background: My buddy is a freelance journalist working on a story on one of the bigger software companies (a household name, starts with an A). Anyway, he asked me to take a look at his iPad because while he’s versed in InfoSec, this may be outside of his scope.
While examining the iPad I noticed that:
Entries seem to be selectively disappearing from the SSL-enabled Charles iOS application.
Using the proxy I set up a block list of all Apple hostnames (Apple, iTunes, iCloud, iPhone.com) with wildcards. However, iMessage texts seem to be getting through with no issue, while last week text messages via iCloud were effectively blocked. It seems that the proxy behavior effectively changed.
Here is a video capture of an entry disappearing; you can see it disappear at the 13-second mark: https://youtu.be/E2loM_F0TVQ
Using another firewall, I also noticed that certain actions triggered HTTPS calls that don’t appear while Charles is enabled, which suggests that the proxy is selectively printing certain connections and not others.
Even more bizarre, screen recordings and screenshots that I’ve taken on the iPad while observing non-normative network activity seem to have been mysteriously corrupted and unusable.
My question is a) whether anyone has observed this behavior with Charles before and b) how would I go about identifying a potential compromise on a device potentially facilitated/enabled by the manufacturer? We’re considering this possibility because he may be a high-value target because of his story, and everything on his device is locked down extremely tight. I even factory reset the device, removed every stock application I could and installed no new apps except for the proxy, and observed the same behavior.