Frequently Asked Questions (FAQ)

We will be expanding the list of questions and answers here soon. If you have a question you would like answered please email us at support@numbersstation.app.

General Questions

Is there no way to make it easier to access the sysdiagnose files for submission?

We know; it is frustrating to tap through Settings > Privacy & Security > Analytics & Improvements > Analytics Data and then search for the sysdiagnose files to submit them. Unfortunately, no iOS app can access those files directly without the user taking these steps. If an app does not ask you to take such steps, it cannot be accessing the data required to provide any real security scanning.

We do have something that makes it easier: a Shortcut that, when triggered, takes you directly to the Analytics Data page. We trigger it with an accessibility shortcut (double-tapping the back of the iPhone), but you can trigger it however you like using the Shortcuts app. If you open the link below on an iOS device you should be asked whether you wish to add the shortcut to your phone.

https://www.icloud.com/shortcuts/0aac8fef6ce347ab9931f13928e71014

After it is installed, you can trigger it by following the instructions at the link below, or by adding it to your Siri shortcuts ("Hey Siri, sysdiagnose").

https://support.apple.com/en-ca/111772

Where is my system diagnostic data analyzed?

Your sysdiagnose data is first encrypted on your device with end-to-end encryption, so only our analyzer servers are able to decrypt and read it. This is part of why it takes a moment before an upload begins: a file of roughly 300 MB is being encrypted first. The submission first goes to Firebase Cloud Storage in the US (Oregon), but because of the end-to-end encryption Firebase is unable to decrypt or read the contents of the file. Our analyzer servers then download submissions, decrypt them locally and analyze them, with the results being written back to Firebase's Firestore database, from which the app pulls them and displays them to the user. Our analyzer servers are Mac minis that physically reside in properties controlled by Numbers Station Inc. staff in Canada. This is the only location where the decryption keys reside. Your sysdiagnose data is always stored in an encrypted state while in cloud storage, so it is unreadable by anyone other than Numbers Station Inc. who gains access to it. Our analyzer servers are only permitted to connect to Firebase and to Apple (for macOS updates), have iMessage disabled and are not used for any other purpose, making their exploitation highly unlikely.

Why is there a limit of one advanced spyware scan per day?

The bandwidth, processing and analysis costs for each submitted sysdiagnose file are relatively high. To keep subscription costs down we have no choice but to impose a limit; otherwise we would risk having higher costs than revenue. We recommend that users initiate a sysdiagnose "run", let it complete and submit it via the app before rebooting or shutting down their device. Some users shut the device down at bedtime and start it again in the morning to ensure routine reboots, but this is optional.

Does Am I Secure? stop exploitation from happening?

The short answer is no: no iOS app, even a security one, can detect and then stop an attack as it is happening, due to restrictions Apple has placed on apps on iOS. Am I Secure? is the only app that can detect an existing infection/compromise, though, so victims are aware and can take action. While our Numbers Station Messenger app can stop zero-click attacks directed at it, it cannot protect other messaging apps or protect against other categories of exploitation, such as tricking a user into visiting a malicious web site.

The longer answer... All iOS apps operate within an "app sandbox", a restricted space within iOS that limits an app to accessing only its own data and the specific data a user has granted it permission to, such as contacts or location. This is to ensure security and privacy. Because of these restrictions, no iOS app, including security-focused ones, is able to directly access the operating system to detect exploitation as it is occurring or to stop it. Any app that says otherwise is lying. While some iOS apps market themselves as antivirus solutions, unlike real antivirus products on Windows or macOS they are not actually able to perform any traditional antivirus functions on iOS, and these apps add little, if any, security value.


Am I Secure? works around the limitations of the app sandbox by having users share iOS system diagnostic data with the app. Without access to this data, no app can perform a proper analysis for spyware. Via the app, this data is then uploaded to Numbers Station's servers where it is analyzed, and the results are reported back to the user within the app and, if spyware is found, to the email address tied to their account. No private user data such as messages or photos is contained within the system diagnostic data, so user privacy is preserved.


It is important to note, though, that the system diagnostic data Am I Secure? accesses was created in the past, at least ten minutes ago, so the results of the spyware scan are tied to that time period, not to the moment the user is looking at the results in the app. Once again, there is no way to perform real-time detection and blocking on iOS; Apple simply does not allow it. It is allowed on macOS, where real-time detection and blocking can exist.

Are you detecting the exploits used as well as the spyware?

Am I Secure? detects the spyware (also called an "implant"). Once spyware has been detected, we recommend that victims perform a full iPhone backup, which can contain evidence of the exploit chain and the delivery method used (e.g. a zero-click exploit delivered via a messaging app, a malicious web site that exploits Safari, etc.). This backup data can then be shared with Numbers Station Inc. for manual analysis, or with another organization of the user's choosing. Unlike the sysdiagnose data the app analyzes, however, backup data will contain large amounts of personal information and will often be many gigabytes in size. This is why analyzing backup data is not part of our normal routine unless spyware is confirmed first. Users are under no obligation to share backup data with Numbers Station Inc. or any third party.



Technical Questions

How is sysdiagnose analyzed?

There are hundreds of files in a typical sysdiagnose package. Our analyzer servers select the security-relevant ones and look in them for specific known Indicators of Compromise (IoCs). They also parse out each individual item contained in a file and compare it against our "prevalence list". For example, the "ps.txt" file within sysdiagnose contains entries such as the following:

root                 0   200    72     1  4004004   0.0  0.0   0  0        0      0 -        ??  ?s    2:01PM   0:00.00 /usr/libexec/containermanagerd --runmode=agent --default-user=mobile --user-container-mode=fixed --bundle-container-mode=proxy --bundle-container-owner=_installd --system-container-mode=proxy --system-container-owner=root --kernel-upcall=yes

First we discount the time stamp, as that constantly changes. Our analyzer server then queries how often we have seen the rest of the entry before across all user submissions, whether it was seen on our "known good" devices (devices we know are not compromised), and how often it shows up as a percentage of all of our scans. In this case it almost always shows up, both on our "known good" devices and on a very high percentage of all of our users' devices (which are, of course, a mix of primarily uncompromised and a small number of compromised ones). Because this entry is very common, including the exact command line, we can discount it on its own as an IoC.
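The prevalence check described above, as an added example that is not Numbers Station's code. It assumes a column layout for ps.txt (the header row below is an assumption; the page shows only one data row), and it goes a step beyond the text: besides the time stamp it also drops the other per-boot fields (PID, memory counters, etc.) before counting, so that the same daemon on two devices normalises to the same key. The corpus of submissions is constructed sample data, and the flagged path is a placeholder, not a real indicator.

```python
"""Prevalence scoring of ps.txt rows from iOS sysdiagnose packages (added example)."""
from collections import defaultdict

# Assumed ps.txt column layout; the last column (COMMAND) may itself contain spaces.
PS_COLUMNS = ["USER", "UID", "PRSNA", "PID", "PPID", "F", "%CPU", "%MEM", "PRI", "NI",
              "VSZ", "RSS", "WCHAN", "TT", "STAT", "STARTED", "TIME", "COMMAND"]

# Fields kept for the prevalence key. The page discards the time stamp; dropping the
# other per-boot values (PID, PPID, %CPU, VSZ, ...) as well is an assumption made here.
STABLE = ("USER", "UID", "COMMAND")

# Command line quoted on the page for containermanagerd.
CONTAINERMANAGERD = ("/usr/libexec/containermanagerd --runmode=agent --default-user=mobile "
                     "--user-container-mode=fixed --bundle-container-mode=proxy "
                     "--bundle-container-owner=_installd --system-container-mode=proxy "
                     "--system-container-owner=root --kernel-upcall=yes")


def parse_ps_line(line):
    """Split one ps.txt row into a dict keyed by PS_COLUMNS; None if it is not a row."""
    parts = line.split(None, len(PS_COLUMNS) - 1)
    if len(parts) != len(PS_COLUMNS):
        return None
    return dict(zip(PS_COLUMNS, parts))


def normalise(line):
    """Reduce a row to the fields that should be identical across devices and boots."""
    row = parse_ps_line(line)
    if row is None:
        return None
    return tuple(row[col] for col in STABLE)


def prevalence(submissions, known_good):
    """submissions: {device_id: [ps.txt rows]}; known_good: ids of uncompromised devices.
    Returns {key: {count, percent, known_good, devices}} over all submissions."""
    seen_on = defaultdict(set)
    for device, lines in submissions.items():
        for line in lines:
            key = normalise(line)
            if key is not None:
                seen_on[key].add(device)
    total = len(submissions)
    return {
        key: {
            "count": len(devices),
            "percent": 100.0 * len(devices) / total,
            "known_good": bool(devices & known_good),
            "devices": sorted(devices),
        }
        for key, devices in seen_on.items()
    }


def low_prevalence(submissions, known_good, threshold_percent=10.0):
    """Entries never seen on a known-good device and rare across all submissions.
    These are candidates for manual review, not a spyware verdict by themselves."""
    stats = prevalence(submissions, known_good)
    hits = [(key, s) for key, s in stats.items()
            if not s["known_good"] and s["percent"] < threshold_percent]
    return sorted(hits, key=lambda kv: kv[0])


def make_line(user, uid, pid, started, command):
    """Format a constructed ps.txt row in the assumed column layout."""
    return (f"{user:<20}{uid:>4}   200 {pid:>5}     1  4004004   0.0  0.0   0  0"
            f"        0      0 -        ??  Ss    {started:>7}   0:00.00 {command}")


def build_sample():
    """Constructed corpus: 3 known-good devices plus 17 user devices. PIDs and start
    times differ per device; one user device runs an extra process under a
    placeholder path (not a real indicator of anything)."""
    known_good = {f"kg-{i:02d}" for i in range(1, 4)}
    devices = sorted(known_good) + [f"user-{i:02d}" for i in range(1, 18)]
    submissions = {}
    for n, dev in enumerate(devices):
        pid = 70 + 3 * n
        started = f"{(n % 12) + 1}:{(n * 7) % 60:02d}PM"
        submissions[dev] = [
            make_line("root", 0, pid, started, CONTAINERMANAGERD),
            make_line("root", 0, pid + 1, started, "/usr/sbin/notifyd"),
            make_line("mobile", 501, pid + 2, started, "/usr/libexec/backboardd"),
        ]
    submissions["user-17"].append(
        make_line("root", 0, 4242, "3:15PM", "/private/var/tmp/.cache/helper -d"))
    return submissions, known_good


if __name__ == "__main__":
    subs, kg = build_sample()
    for key, s in low_prevalence(subs, kg):
        print(f"{s['percent']:.1f}% of devices, known-good={s['known_good']}: {key}")
```

With the constructed corpus, containermanagerd's exact command line is present on 20 of 20 devices including the known-good ones, so it is discounted; the placeholder helper appears on one device (5%) and never on a known-good device, so it is the only entry returned for review.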

Similar processing occurs across other files contained within the sysdiagnose package.

Finally, the security-relevant files are ingested by our AI/ML analyzer, which performs an "is this normal?" analysis that is not based on direct-match prevalence.

Any low-prevalence entries or AI/ML-detected anomalies are then manually reviewed to make a final determination. The majority turn out to be previously unseen but legitimate apps, with a small percentage indicating an active or prior infection of the user's device.

The initial results in the app are based on known IoCs being detected. Follow-on manual analysis can change a previous "no spyware found" result to "spyware found". In such cases we usually attempt to contact the user via email before changing the result in the app.

Do you check the shutdown.log file?

There has been much attention paid to checking the shutdown.log file, which is part of the sysdiagnose package, since Kaspersky released a tool in January that can help check it for signs of infection. The Kaspersky tool only checks one file, shutdown.log, which is one of hundreds of files contained in a sysdiagnose package. As a result, it can only detect spyware that does not properly respond to system shutdowns or that hangs, which causes it to end up in shutdown.log. It should be assumed that spyware developers have fixed that issue by now; it is rather surprising they ever allowed it to occur in the first place. None of our recently detected infections have been due to indicators left in shutdown.log, a sign that spyware developers have indeed fixed this issue, but we continue to check it just in case. Am I Secure? is the only solution that checks multiple files in sysdiagnose for Indicators of Compromise (IoCs), and the only one implemented in an app that requires neither a separate laptop nor analysis skills on the user's part to interpret the data.

Update: the "Vision" spyware did show up in shutdown.log, so this indicator is still relevant.
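The shutdown.log check discussed in this answer, as an added example that is not Numbers Station's or Kaspersky's code. The log text below is constructed, and its layout (a date line per shutdown, followed by "remaining client pid: N (path)" lines and "After Ns, there are still M clients" lines) is an assumption about the file's format; the baseline of paths allowed to linger at shutdown is likewise a constructed assumption, and the flagged path is a placeholder rather than a real indicator.

```python
"""Find processes that did not exit on shutdown in an iOS shutdown.log (added example)."""
import re
from collections import defaultdict

# Assumed layout: each shutdown record starts with a ctime-style date line.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}$")
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+?)\)\s*$")
DELAY_RE = re.compile(r"After (\d+)s, there are still (\d+) clients")

# Constructed sample log: three shutdowns; one benign daemon lingers twice, and a
# placeholder path (not a real indicator) lingers through two shutdowns.
SHUTDOWN_LOG = """\
Mon Jan  8 22:03:11 2024
SIGTERM: [0x1d] remaining client pid: 138 (/usr/libexec/wifid)
After 3s, there are still 1 clients:
remaining client pid: 138 (/usr/libexec/wifid)
Tue Jan  9 07:41:52 2024
SIGTERM: [0x1d] remaining client pid: 9031 (/private/var/tmp/.cache/helper)
After 3s, there are still 1 clients:
remaining client pid: 9031 (/private/var/tmp/.cache/helper)
After 6s, there are still 1 clients:
remaining client pid: 9031 (/private/var/tmp/.cache/helper)
Wed Jan 10 23:12:05 2024
SIGTERM: [0x1d] remaining client pid: 140 (/usr/libexec/wifid)
SIGTERM: [0x1d] remaining client pid: 8877 (/private/var/tmp/.cache/helper)
After 3s, there are still 1 clients:
remaining client pid: 8877 (/private/var/tmp/.cache/helper)
"""

# Constructed baseline: paths seen lingering at shutdown on known-good devices.
BASELINE = {"/usr/libexec/wifid"}


def parse_shutdown_log(text):
    """Return one record per shutdown: {"when", "clients": {pid: path}, "max_delay_s"}."""
    records = []
    current = None
    for line in text.splitlines():
        if DATE_RE.match(line):
            current = {"when": line, "clients": {}, "max_delay_s": 0}
            records.append(current)
            continue
        if current is None:
            continue  # lines before the first date header are ignored
        m = CLIENT_RE.search(line)
        if m:
            current["clients"][int(m.group(1))] = m.group(2)
        m = DELAY_RE.search(line)
        if m:
            current["max_delay_s"] = max(current["max_delay_s"], int(m.group(1)))
    return records


def path_counts(records):
    """Number of shutdowns in which each path was still running after SIGTERM."""
    counts = defaultdict(int)
    for rec in records:
        for path in set(rec["clients"].values()):
            counts[path] += 1
    return dict(counts)


def suspicious_clients(records, baseline, min_shutdowns=1):
    """Paths outside the known-good baseline that delayed at least min_shutdowns
    shutdowns. A hit is a lead for review of the rest of the sysdiagnose package,
    not a verdict on its own; a clean result proves nothing, since spyware that exits
    promptly on SIGTERM never appears here."""
    return {path: n for path, n in path_counts(records).items()
            if path not in baseline and n >= min_shutdowns}


if __name__ == "__main__":
    recs = parse_shutdown_log(SHUTDOWN_LOG)
    for path, n in suspicious_clients(recs, BASELINE).items():
        print(f"{path}: lingered in {n} of {len(recs)} shutdowns")
```

Counting across shutdowns rather than looking at a single record matters: a daemon that hangs once is noise, while a non-system path that is still running every time the device shuts down is exactly the behaviour the Kaspersky tool relies on.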