Has anyone seen an iOS device fail to boot due to an integrity violation?
Whatever it's verifying is insufficient to stop persistent iOS malware, hence the existence of the MVT toolkit, which itself can only identify a small subset of real-world attacks. For evidence, look no further than the endless stream of zero-day CVEs in Apple Security Updates for iOS. Recovery from iOS malware often requires DFU (Device Firmware Update) mode reinstallation from a separate device running macOS.
Non-persistent iOS malware can be flushed by a device hot-key reboot which prevents malware from simulating the appearance of a reboot.
My point was that people usually have no idea they've been compromised and therefore won't reboot their device, so the malware becomes virtually persistent.
> Whatever it's verifying is insufficient to stop persistent iOS malware, hence the existence of the MVT toolkit
One of these assertions absolutely does not support the other; the newest persistent malware detected on iOS by MVT is from 2023 and targeted iOS 14. In iOS 15, Apple introduced System volumes and SSV. The OS lives on a separate APFS volume snapshot which is verified using a hash tree (think like dm-verity, although the implementation is at a slightly different level). Even Operation Triangulation couldn't achieve reboot persistence for their implant (which Kaspersky call TriangleDB); rebooting would require re-exploitation.
This also affects your argument about "forensic" imaging (also - if you're asking the device for the image, it's always a logical extraction; if you don't trust the device, why do you trust the backup data you asked it for?): post-iOS-15, unless boot security was compromised, in which case you have bigger problems, you'll get the same bytes back for system files anyway.
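The hash-tree check mentioned in the comment above, sketched as an added example that is not part of the thread and is not Apple's SSV or the dm-verity code. The block size, the function names and the sample volume are assumptions made for illustration.

```python
import hashlib

BLOCK = 4096  # assumed block size for this illustration


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(blocks):
    """Return tree levels: levels[0] holds leaf hashes, levels[-1] is [root]."""
    level = [h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                # pad odd levels by repeating the last node
            level = level + [level[-1]]
            levels[-1] = level
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, index):
    """Sibling hashes needed to recompute the root from one leaf."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])     # sibling sits next to us in the pair
        index //= 2
    return path


def verify_block(block, index, path, trusted_root):
    """Recompute the root from a block as read and compare with the sealed root."""
    node = h(block)
    for sibling in path:
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return node == trusted_root


# Constructed sample "system volume": five blocks of filler data.
volume = [bytes([i]) * BLOCK for i in range(5)]
levels = build_tree(volume)
sealed_root = levels[-1][0]  # the one value that must come from a trusted source

if __name__ == "__main__":
    modified = bytearray(volume[2])
    modified[100] ^= 1                    # single flipped bit in one block
    print("clean block 2:", verify_block(volume[2], 2, auth_path(levels, 2), sealed_root))
    print("modified block 2:", verify_block(bytes(modified), 2, auth_path(levels, 2), sealed_root))
```

Only the root has to be trusted; any block whose contents differ from what was sealed fails the check when it is read.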
> why do you trust the backup data you asked it for?
Devices could load minimal recovery/forensic images from a trusted external source (Apple Configurator USB in DFU mode?) or trusted ROM (Secure Enclave?), rather than loading a potentially-compromised OS.
> the newest persistent malware detected on iOS by MVT is from 2023
Thanks for the details on dm-verity-alike protection. There's been no shortage of zero-days patched by Apple since 2023. If there's a zero-day vulnerability in an iOS binary which parses persistent user data from the non-OS partition, the vulnerability can be re-exploited after reboot.
Now that you mention APFS snapshots, it would be wonderful if Apple could enable a (hotkey-selected) advanced boot option to (a) boot iOS without parsing any data from the user partition, (b) transfer control to Apple Configurator for user data snapshot export or rollback.
Do you know how iOS is isolated from non-Apple radio baseband firmware?
Most modern malware is not disk resident, as it has a higher probability of persisting by re-infection with an undocumented zero-day.
For example, people that play games that bind the GPS location services will find interruptions magically stop for a while after a cold power-off and power-on restart. Or the battery performance suddenly stops quickly losing power in standby, as recording/image capture was burning power and data budgets.
Ultimately, a smartphone is impossible to fully secure, as the complexity has a million holes in it regardless of the brand. And Gemini is a whole can of worms I'd rather not discuss without my lawyer present. =3