UPDATE #2
- I've narrowed this down to the WiFi logs are definitely sent via the
lockdown process – not iPhone sync. - This occurs despite the "Connect via network" box in XCode being unchecked.
UPDATE
I believe the traffic is related to tcp\62078 – iphone-sync & lockdown. As many of us know, one way this port is used is for an iOS device to sync to iTunes over WiFi however, I have never turned this on. In addition, when I check this setting with the iPhone connected via USB, that feature is unchecked.
Otherwise, lockdown may be getting accessed somehow but I have yet to figure out how.
Exploit perhaps???
Original Post
As many probably know, it is possible to access\download iPhone logs to a Mac desktop by using XCode and connecting the device to the desktop via USB. However, my iPhone is now sending this same data via Wifi and I am unable to (A) figure out why and (B) control it or get it to stop.
I have sniffed the connection at least a dozen times, scoured the Net, checked the plethora of Apple Discussion pages, etc…all to no avail. In addition, I have triple-verified that the "Connect via Network" checkbox in XCode is unchecked.
Has anyone (1) seen this and then (2) figured out how to control this and\or get it to stop?
Thanks in advance for any feedback or assistance you may provide.
Best Answer
I believe I have found the culprit...iMazing...or rather, iMazing's communicate-to-iOS-device-via-Wifi feature.
At some point over the last year or so, I had installed iMazing which, for those who are unaware, is an iOS device management and backup utility. And as mentioned above, one of their features is communication with iOS devices via WiFi. When this is enabled, it uses the same lockdown\usbmuxd application that XCode and others use.
SIDEBAR: "usbmuxd" is a daemon that allows communication to\from iOS devices via USB\WiFi and is the underlying transport control-plane for the "lockdown" service.
Anyway, after installing iMazing, I then at some point enabled the WiFi connection feature but later forgot I had done so. However, when the feature is enabled in iMazing, it doesn't show as such in XCode nor does it always show as enabled in iMazing. Therefore, it will not always be readily apparent that iMazing is the reason why the usbmuxd channel is open.
In any event, I was able to get the iMazing instance of usbmuxd closed and then everything began working as expected.
Last, a little insight as to why this wasn't readily apparent when digging into the OS. The primary reason is because when looking at all of the elements that relate to usbmuxd & lockdown, there was literally no clue that a 3rd party application had opened up the usbmux channel to the device. When looking at the IP connections to the device, everything looked exactly as it does when the connection is spawned by XCode's "Connect via network" feature. But again, when checking that feature, it showed as disabled.
In the case of iMazing, the only OS level clue that it had opened the usbmuxd channel was an entry in the app's Devices.plist. The entry in question is labeled "WiFiConnectionOn" and has a binary value of "YES \ NO".