Security Bite: here is the iOS 17.5 bug that caused deleted photos to resurface

After reports of deleted photos resurfaced years later after installing iOS 17.5, Apple released iOS 17.5.1 last week to address the issue. But what caused it in the first place? Thanks to some clever reverse engineering by researchers, we have a glimpse of the rare bug responsible.

9to5Mac Security Bite brought to you exclusively by Mosyle, the only unified Apple platform. Making Apple devices work-ready and enterprise-secure is everything we do. Our unique integrated approach to management and security combines industry-leading Apple-specific security solutions for fully automated hardening and compliance, next-generation EDR, AI-powered Zero Trust, and proprietary privilege management with the most powerful and modern Apple MDM. on the market. The result is a fully automated unified Apple platform, currently used by more than 45,000 organizations to make millions of Apple devices ready to work effortlessly and affordably. Request your EXTENDED TRIAL today and understand why Mosyle is all you need to work with Apple.

How Deleting BTS Photos Works

When a user wants to delete an image from the Photos library, the device moves it to the Recently Deleted album and deletes it 30 days later. Of course, a user can permanently delete any of these photos before the 30 day mark.

Behind the scenes, the file is not necessarily erased. Since the iPhone uses a NAND storage system, the device marks the corresponding memory location as available for writing new data. This means that old data is not physically deleted immediately; it remains intact until crushed.

The benefits of using NAND include fast read/write speeds, better power efficiency, and the ability to recover deleted files. It’s a very good non-volatile storage system, unless there’s a bug.

The insect

Using an old iPhone 13, Synacktiv researchers reverse-engineered last week’s iOS 17.5.1 update, identifying changes in DYLD shared caches by comparing IPSW files.

According to Synacktiv, the biggest changes between iOS 17.5 and iOS 17.5.1 occurred in the PLModelMigrationActionRegistration_17000 operate inside Photo library services. This function registers migration managers that convert data from an old format to the latest version.

More importantly, Apple removed a segment of code in the function responsible for scanning and reimporting photos from the file system. As a result, the system initiated a process of reindexing old files stored in the local file system, inadvertently adding them to users’ galleries.

“Based on this code, we can say that the photos that reappeared were still hanging around on the file system and were just found by the migration routine added in iOS 17.5. “It’s unknown why these files were there,” says Synacktiv.

This matches the release notes for iOS 17.5.1, in which Apple said the bug was caused by “database corruption.”

Apple also said 9to5Mac Last week, photos that weren’t fully deleted from devices weren’t syncing with iCloud Photos. The bug was local to the devices. The company stressed that this issue was rare and affected a small number of users.

More in this series