Security Bite: Here’s the iOS 17.5 Bug That Recovered Deleted Photos – 9to5Mac

Following reports that deleted photos were reappearing years later after users installed iOS 17.5, Apple released iOS 17.5.1 last week to address the issue. But what caused it in the first place? Thanks to some clever reverse engineering by researchers, we have a look at the rare bug responsible.




How deleting photos works behind the scenes

When a user navigates to delete an image from the photo library, the device moves it to the Recently Deleted album and actually deletes it 30 days later. Of course, the user can permanently delete any of these photos before the 30-day deadline.

Behind the scenes, the file is not necessarily deleted. Because the iPhone uses NAND flash storage, the device instead marks the corresponding memory location as available for new data to be written. So the old data is not physically removed immediately; it remains intact until overwritten.

The benefits of using NAND include fast read/write speeds, better energy efficiency, and the ability to recover deleted files. It’s a pretty good non-volatile storage system – unless, well, there’s a bug.

The bug

Using an old iPhone 13, Synacktiv researchers reverse-engineered last week’s iOS 17.5.1 update, identifying changes in shared DYLD caches by comparing IPSW files.

According to Synacktiv, the more significant changes between iOS 17.5 and iOS 17.5.1 happened in the PLModelMigrationActionRegistration_17000 function within PhotoLibraryServices. This function registers migration handlers that convert data from an older format to the latest version.

[Image: PhotoLibraryServices among four dylibs that had significant changes in iOS 17.5.1. Credit: Synacktiv]

[Image: Pseudocode changes highlighted in PLModelMigrationActionRegistration function. Credit: Synacktiv]

Most importantly, Apple removed a code segment in the function that was responsible for scanning and reimporting photos from the file system. In iOS 17.5, that code caused the system to re-index older files still stored on the local file system, inadvertently adding them back to user galleries.

“Based on this code, we can tell that the photos that have resurfaced are still in the file system and that they were just found by the migration routine added in iOS 17.5.” “The reason why these files were there in the first place is unknown,” Synacktiv says.

This is consistent with the iOS 17.5.1 release notes, in which Apple said the bug was caused by “database corruption.”

Apple also told 9to5Mac last week that photos that were not completely deleted from devices were not synced to iCloud Photos. The issue was local to the device. The company emphasized that this problem is rare and affects a small number of users.
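The mechanism described above can be reproduced in a small model. This is an added example, not Apple's or Synacktiv's code: it shows how a migration step that rescans the file system resurfaces a file whose index entry is gone, and how an audit can list such orphaned files. All names here are hypothetical, and the example simply assumes a file was left on disk after its index entry was removed, since the real cause is unknown.

```python
import os
import sqlite3
import tempfile

def make_library(root):
    """Create a toy photo library: files on disk plus an index database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE assets (filename TEXT PRIMARY KEY)")
    for name in ("IMG_0001.jpg", "IMG_0002.jpg", "IMG_0003.jpg"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"constructed sample bytes")
        db.execute("INSERT INTO assets VALUES (?)", (name,))
    return db

def delete_from_index_only(db, name):
    """Assumed incomplete delete: the index row goes, the file stays."""
    db.execute("DELETE FROM assets WHERE filename = ?", (name,))

def visible(db):
    """Files the gallery would show, i.e. what the index references."""
    return sorted(r[0] for r in db.execute("SELECT filename FROM assets"))

def find_orphans(db, root):
    """Audit: files present on disk that the index no longer references."""
    return sorted(set(os.listdir(root)) - set(visible(db)))

def migrate(db, root, rescan):
    """Toy migration step. With rescan=True it reimports any unindexed file,
    modelling the scan-and-reimport segment the article says was removed."""
    if rescan:
        for name in find_orphans(db, root):
            db.execute("INSERT INTO assets VALUES (?)", (name,))
    return visible(db)

def demo():
    """Run the same deletion with and without the rescan step."""
    results = {}
    for rescan in (True, False):
        with tempfile.TemporaryDirectory() as root:
            db = make_library(root)
            delete_from_index_only(db, "IMG_0002.jpg")
            results[rescan] = {
                "orphans_before": find_orphans(db, root),
                "gallery_after": migrate(db, root, rescan),
            }
    return results

if __name__ == "__main__":
    for rescan, r in demo().items():
        print(f"rescan={rescan}: {r}")
```

Without the rescan, the orphaned file stays on disk but out of the gallery, which is why an index-versus-disk audit like `find_orphans` is the check that reveals data a user believes is gone.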
