
Security Bite: Here's the iOS 17.5 bug that caused deleted photos to reappear

After reports that photos deleted years ago had resurfaced after installing iOS 17.5, Apple released iOS 17.5.1 last week to solve this problem. But what caused it in the first place? Thanks to clever reverse engineering by researchers, we're able to take a look at the rare bug responsible.

9to5Mac Security Bite is exclusively brought to you by Mosyle.

How photo deletion works behind the scenes

When the user goes to delete an image from the photo library, the device moves it to the Recently Deleted album and actually deletes it after 30 days. Of course, the user can permanently delete any of these photos before the 30-day period expires.

Behind the scenes, the file is not necessarily erased. Because the iPhone uses NAND storage, the device instead marks the appropriate memory location as available for writing new data. Thus, old data is not physically deleted immediately; it remains untouched until it is overwritten.

The benefits of using NAND include faster read/write speeds, higher power efficiency, and the ability to recover deleted files. This is a pretty good non-volatile storage system, unless there is a bug.

The bug

Using an old iPhone 13, Synacktiv researchers reverse-engineered the iOS 17.5.1 update released last week, identifying changes to the shared DYLD caches by comparing IPSW files.

According to Synacktiv, the most significant changes between iOS 17.5 and iOS 17.5.1 occurred in the PLModelMigrationActionRegistration_17000 function in PhotoLibraryServices. This function registers migration handlers that convert data from the old format to the latest version.

PhotoLibraryServices is among the four dylibs that have undergone significant changes in iOS 17.5.1.
Image: Pseudocode changes highlighted in the PLModelMigrationActionRegistration function. Credit: Synacktiv

Most importantly, Apple removed a segment of code in the function that was responsible for scanning and re-importing photos from the file system. That code caused the system to reindex old files stored on the local file system, inadvertently adding them back to users' galleries.

Based on this code, we can tell that the photos that reappeared were still sitting on the file system and that they were simply found by the migration routine added in iOS 17.5. “The reason these files were there in the first place is unknown,” Synacktiv says.
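The mechanism described above, as a simplified Python model added here (it is not Apple's code or Synacktiv's pseudocode): a photo whose database entry is gone but whose file is still on disk gets re-imported by a migration step that rescans the file system. The `assets` table, the file names and every function name are hypothetical, and the sample library is constructed.

```python
import os
import sqlite3
import tempfile

def build_library(root):
    """Constructed sample: three photos on disk, all indexed in the database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE assets (path TEXT PRIMARY KEY)")
    for name in ("IMG_0001.jpg", "IMG_0002.jpg", "IMG_0003.jpg"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"constructed sample bytes")
        db.execute("INSERT INTO assets VALUES (?)", (name,))
    return db

def delete_asset(db, root, name, remove_file=True):
    """Delete a photo. remove_file=False models the unexplained case where
    the database entry goes away but the file stays on the file system."""
    db.execute("DELETE FROM assets WHERE path = ?", (name,))
    if remove_file:
        os.remove(os.path.join(root, name))

def find_orphans(db, root):
    """Audit: files present on disk that the database no longer references."""
    indexed = {row[0] for row in db.execute("SELECT path FROM assets")}
    return sorted(set(os.listdir(root)) - indexed)

def migrate(db, root, rescan_filesystem):
    """Model of a migration step. With rescan_filesystem=True it re-imports
    every unindexed file it finds, which is how deleted photos reappear."""
    if rescan_filesystem:
        for name in find_orphans(db, root):
            db.execute("INSERT INTO assets VALUES (?)", (name,))
    return sorted(row[0] for row in db.execute("SELECT path FROM assets"))

def demo():
    """Run the same deletions with and without the rescan step."""
    results = {}
    for rescan in (True, False):
        with tempfile.TemporaryDirectory() as root:
            db = build_library(root)
            delete_asset(db, root, "IMG_0002.jpg")                     # clean delete
            delete_asset(db, root, "IMG_0003.jpg", remove_file=False)  # file left behind
            orphans = find_orphans(db, root)
            results[rescan] = (orphans, migrate(db, root, rescan))
    return results

if __name__ == "__main__":
    for rescan, (orphans, gallery) in demo().items():
        print(f"rescan={rescan}: orphans={orphans} gallery={gallery}")
```

With the rescan step removed, the leftover file is still reported by `find_orphans` but never returns to the gallery, so the residual data remains something to audit for separately.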

This is consistent with the iOS 17.5.1 release notes, in which Apple said the bug was caused by “database corruption.”

Apple also told 9to5Mac last week that photos that weren't completely deleted from devices weren't syncing to iCloud Photos. The bug was local to the devices. The company stressed that the issue was rare and affected a small number of users.
