JGoyd/MapleDrop
MapleDrop

Unsigned telemetry filter delivery on iOS via carrier-fronted Apple CDN

A reproducible architecture analysis of pancake.apple.com bag distribution to rtcreportingd, and the post-back of filtered telemetry to metrics.icloud.com/rtc/v1.


Summary

Apple iOS retrieves telemetry filter rules from pancake.apple.com. The host is served from address space registered to T-Mobile USA, Inc. (ARIN network TMO2, prefix 2607:7700::/32; and TMOV6-1, prefix 2607:fb90::/28), fronted by an Apple-operated CDN node identified in HTTP Via headers as tmobileusa-usdal1a-fe-003.ec.edge.apple.

The fetched content is plist-encoded "bags" containing filter rules. The rules are applied by rtcreportingd to telemetry events from at least five client pipelines (com.apple.imagent, com.apple.aaa, com.apple.aaa.dnu, com.apple.C2ReportMetrics, com.apple.groupkit) before posting to https://metrics.icloud.com/rtc/v1.

The bag responses carry no content-level signature header. The dynamic "repo" leaf rotates daily. Every filter pipeline removes a common set of process-provenance fields (_clientName, _clientVersion, _sender, _sessionID, _queue, _reportVers) before upload, while preserving content fields including hostnames, URIs, byte counts, sync state, and authentication state.

This document describes the channel, the filter rules, and a reproducible verification path. It does not allege compromise or substitution. It documents an architecture and identifies properties of that architecture that warrant Apple's clarification.


Scope

This is an analysis of an Apple-operated service, not a vulnerability in any specific device. The service consists of:

  • A configuration delivery host (pancake.apple.com)
  • A class of plist-encoded "bag" payloads served from that host
  • A telemetry post-back host (metrics.icloud.com/rtc/v1)
  • The CDN frontend infrastructure that serves the bags

Captures referenced in this document were made against this service from clients running iOS builds 23E246, 23D8133, and 23D771330a. Build identity is incidental — the finding concerns the service architecture, not the client.


The channel

Host: pancake.apple.com

Fetcher: rtcreportingd (User-Agent: rtcreportingd/166.2 CFNetwork/3860.500.112 Darwin/25.4.0)

Post-back endpoint: https://metrics.icloud.com/rtc/v1

Bag URL pattern:

/cmremoteconfig/2/default
/bags/maple/{sha256}/{leaf}

Constant SHA256 path component observed:

355f5e74848522db142812706d3559c35daf9f66536507b4f5bf7ad3e1f68575

Leaves observed: repo, ca, nimbus, coremedia, tu, wings, mexp


Infrastructure

Address                  Network (ARIN/RIPE)          Organization         ASN      Country
2607:fb90:c12f:180::1    2607:fb90::/28 (TMOV6-1)     T-Mobile USA, Inc.   AS21928  US
2607:fb90:c115:180::2    2607:fb90::/28 (TMOV6-1)     T-Mobile USA, Inc.   AS21928  US
2607:fb90:c110:180::1    2607:fb90::/28 (TMOV6-1)     T-Mobile USA, Inc.   AS21928  US
17.253.21.135            17.0.0.0/8 (APPLE-WWNET)     Apple Inc.           AS714    US
17.253.21.148            17.0.0.0/8 (APPLE-WWNET)     Apple Inc.           AS714    US
2620:149:a10:f000::149   2620:149::/32 (APPLE-WWNET)  Apple Inc.           AS714    US

The S3 origin behind the CDN is identified in response headers as Server: AmazonS3 with x-amz-id-2 and x-amz-request-id AWS S3 markers.

A representative Via header from a pancake.apple.com response:

Via: http/1.1 usdal2-edge-fx-004.ts.apple.com (acdn/302.16436),
     http/1.1 tmobileusa-usdal1a-fe-003.ec.edge.apple (acdn/260.16276)

ts.apple.com and ec.edge.apple are Apple-operated CDN domains. The tmobileusa-usdal1a segment indicates an Apple CDN frontend deployed inside T-Mobile USA's Dallas-area network footprint.


Bag content

Each bag is a plist with the structure:

<plist version="1.0">
<dict>
    <key>bag</key>
    <string>BASE64_ENCODED_INNER_PLIST</string>
</dict>
</plist>

The inner plist contains:

  • refresh_cycle (integer seconds, observed 86400)
  • release and seed dicts naming pipeline targets (splunk, gonzo)
  • shared_values dict containing named filter rule sets
  • version (semver + git short SHA, e.g. 1.0.0-1132-g5884f46)

The release.splunk.clients array enumerates Apple processes subject to the filter pipeline:

com.apple.C2ReportMetrics    sampling_threshold 0.001  override_dnu=1
com.apple.imagent            sampling_threshold 0.1
com.apple.aaa                sampling_threshold 1      override_dnu=1
com.apple.aaa.dnu            sampling_threshold 1
com.apple.groupkit           sampling_threshold 0.1

post_url (all five): https://metrics.icloud.com/rtc/v1

Static vs. dynamic bags observed (Last-Modified headers):

Leaf            Last-Modified
cmremoteconfig  2025-10-14 21:00:59 GMT
ca              2025-10-14 21:01:30 GMT
tu              2025-10-14 21:01:36 GMT
nimbus          2026-01-12 16:40:52 GMT
coremedia       2026-02-12 22:28:31 GMT
wings           2026-02-16 17:47:07 GMT
mexp            2026-02-16 17:47:07 GMT
repo            2026-04-06 16:28:05 GMT  (rebuilt the day of capture)

No Content-Signature, X-Apple-Signature, or other content-level integrity header was observed on any of the responses. Cache-Control is max-age=21600, public.


Filter rules

Each ==SHARED_FILTERS_* rule set contains allow, remove, and insertStringValueForKeys actions applied to telemetry events of specified category values before upload.

Remove actions across the five client filters (columns: C2, imagent, aaa, aaa.dnu, groupkit):

Removed field          C2   imagent   aaa   aaa.dnu   groupkit
_clientName
_clientVersion
_sender
_sessionID
_reportVers
_queue
_clientTS / _startTS
eventTime
clientId
_eventNumber
SerialNum
_productFamily
_productModel
_osName / _osVersion

Five fields (_clientName, _clientVersion, _sender, _sessionID, _reportVers) are removed from every pipeline. These fields identify the binary, version, sender, session, and telemetry framework version that generated each event.

Allowed fields per pipeline include:

  • aaa (118 fields, 100% sampling, override_dnu=1): full Octagon trust state, CloudKit Keychain Sync state, secure backup escrow state ("Walrus" fields), TLK fetch counts, recovery contact counts, EDP state, security posture, country, and a content processName field set by the caller.

  • C2ReportMetrics (52 fields in category 1, 0.1% sampling): full network event metadata including hostname, remote address+port, request URI, bytes sent/received, TLS protocol version, interface and radio type, Apple ID context, plus 14 connection lifecycle timestamps.

  • imagent (49+34+40 fields in categories 1/2/3, 10% sampling): CloudKit Manatee zone telemetry — message, chat, attachment counts (synced and restored), all 14 sync date fields, sync errors, error codes, deviceID, payload, PCS status, total database and local record counts.

  • groupkit (10 fields in category 700, 10% sampling): duration, success, errorCode, groupSize, cryptoErrorCode, eventType, key registration action.

  • aaa.dnu: same content allowlist as aaa, but additionally strips SerialNum, _clientTS, _jsonTime, _startTS, clientId, eventTime, postTime, _eventNumber. 100% sampling.

Each pipeline also has an insertStringValueForKeys action setting _auroraSchemaID to a project-specific schema ID:

aaa, aaa.dnu        →  com.apple.aurora.apptelemetry.aaa.Dataaccess
C2 cat 1            →  com.apple.aurora.apptelemetry.cdd.Network
C2 cat 2162         →  com.apple.aurora.apptelemetry.cdd.Operation
groupkit            →  com.apple.aurora.apptelemetry.groupkit.Groupevent
imagent cat 1       →  com.apple.acs.datalake.acp_vg6yg459p4.Dailysyncstate
imagent cat 2       →  com.apple.acs.datalake.acp_vg6yg459p4.Syncstate
imagent cat 3       →  com.apple.acs.datalake.acp_vg6yg459p4.Synccompletion
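To make the three action types concrete, the following is an added example (not code from the MapleDrop repository or from rtcreportingd) that applies a constructed rule set shaped like ==SHARED_FILTERS_AAA to a constructed event. The dict layout, and the assumption that "_"-prefixed framework fields bypass the allowlist while content fields must be allowlisted, are this example's own; the action names and field names are those listed above.

```python
# Constructed rule set in the shape of one ==SHARED_FILTERS_* entry. The
# action names (allow / remove / insertStringValueForKeys) and field names
# come from the document; the dict layout and the rule that "_"-prefixed
# framework fields bypass the allowlist are assumptions for this example.
SHARED_FILTERS_AAA = {
    "category": 1,
    "sampling_threshold": 1.0,
    "allow": ["processName", "octagonTrustState", "securityPosture", "country"],
    "remove": ["_clientName", "_clientVersion", "_sender",
               "_sessionID", "_queue", "_reportVers"],
    "insertStringValueForKeys": {
        "_auroraSchemaID": "com.apple.aurora.apptelemetry.aaa.Dataaccess"},
}

# aaa.dnu: same allowlist, additional fields stripped (as described above)
SHARED_FILTERS_AAA_DNU = dict(SHARED_FILTERS_AAA, remove=SHARED_FILTERS_AAA["remove"] + [
    "SerialNum", "_clientTS", "_jsonTime", "_startTS", "clientId",
    "eventTime", "postTime", "_eventNumber"])

def apply_filter(event, rules):
    """Event as it would be queued for upload, or None if the event's
    category is not covered by this rule set."""
    if event.get("category") != rules["category"]:
        return None
    out = {}
    for key, value in event.items():
        if key in rules["remove"]:
            continue                      # explicit strip wins over everything
        if key == "category" or key.startswith("_") or key in rules["allow"]:
            out[key] = value              # framework field or allowlisted content
    out.update(rules["insertStringValueForKeys"])
    return out

def stripped_fields(event, rules):
    """Names present on the device-side event but absent from the upload."""
    return sorted(set(event) - set(apply_filter(event, rules) or {}))

# Constructed event: framework provenance fields plus caller-set content
SAMPLE_EVENT = {
    "category": 1,
    "_clientName": "com.apple.aaa", "_clientVersion": "1.0", "_sender": "aaad",
    "_sessionID": "0000-0000", "_queue": "default", "_reportVers": "2",
    "_clientTS": 1775000000,
    "processName": "aaad",            # content field, set by the caller
    "octagonTrustState": "trusted", "securityPosture": 2, "country": "US",
    "keychainItemLabel": "not-allowlisted",
}

if __name__ == "__main__":
    print(apply_filter(SAMPLE_EVENT, SHARED_FILTERS_AAA))
    print(stripped_fields(SAMPLE_EVENT, SHARED_FILTERS_AAA_DNU))
```

The uploaded event keeps the caller-controlled processName but none of the framework fields that would let the receiving pipeline check which binary produced it.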

Validation: rules in production

An rtcreportingd internal message buffer, captured on 2026-03-29 14:07 UTC from the iPhone 12 (iPhone13,2) used for the captures, contains 11 telemetry events queued for upload, all carrying _auroraSchemaID = com.apple.aurora.apptelemetry.aaa.Dataaccess.

Cross-checked against the ==SHARED_FILTERS_AAA rule from the nimbus bag:

  • All six fields specified for removal (_clientName, _clientVersion, _sender, _sessionID, _queue, _reportVers) are absent from every event.
  • The _auroraSchemaID field specified for insertion is present on every event with the exact value declared in the bag.
  • The wrapper envelope contains _sampleRate: 1, matching the sampling_threshold: 1 declaration for com.apple.aaa in the bag's release.splunk.clients array.
  • The flush header is [splunk -> flushMessages], matching the splunk pipeline name declared in the bag.

Among the 11 queued events are com.apple.security.ckks.launchStart (duration 184,796 ms), com.apple.security.oTBecomeReadyOperation, and a complete AuthKit authentication chain from itunesstored and akd (flowID 342A4EB3-4A69-4A9B-9C82-E69BBC6AA5BB, securityLevel 4, localSecretType "Passcode").

This is consistent with the filter rules from the bag being applied to production telemetry on the device.


Verification

Reproduce on any iOS device with HTTPS interception (e.g., Proxyman with the device-trusted root cert installed):

  1. Install the Proxyman root cert on the iOS device.
  2. Configure Wi-Fi to route through Proxyman.
  3. Filter on host pancake.apple.com.
  4. Wait for or trigger an rtcreportingd activity (any RTC session, or wait up to 24h for the periodic refresh).
  5. Capture the response body for any /bags/maple/{sha256}/{leaf} request.
  6. Decode:
import base64, plistlib

# Outer plist: a single "bag" key holding a base64-encoded inner plist
with open('captured_response.bin', 'rb') as f:
    outer = plistlib.loads(f.read())
# Inner plist: refresh_cycle, release/seed, shared_values, version
inner = plistlib.loads(base64.b64decode(outer['bag']))
print(inner.keys())
print(inner.get('shared_values'))

Inspect the release.splunk.clients array and the ==SHARED_FILTERS_* rules under shared_values. Compare against the field tables above.
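The following is an added example (not from the repository) of a script that checks one captured response for the properties tabulated above: presence of a content-level signature header, cache lifetime, the S3 origin marker, the Via hop chain, and the per-client sampling thresholds and post URL. The response is constructed inline from the header values quoted in this document so the check runs offline; the client-entry key names (name, sampling_threshold, post_url) are assumed.

```python
import base64, plistlib, re

# Constructed stand-in for one captured pancake.apple.com response. The
# header values are those quoted in the document; the bag body is built
# here so the check runs offline, and the client-entry key names
# (name / sampling_threshold / post_url) are assumed.
INNER_BAG = {
    "refresh_cycle": 86400,
    "version": "1.0.0-1132-g5884f46",
    "release": {"splunk": {"clients": [
        {"name": "com.apple.aaa", "sampling_threshold": 1,
         "post_url": "https://metrics.icloud.com/rtc/v1"},
        {"name": "com.apple.C2ReportMetrics", "sampling_threshold": 0.001,
         "post_url": "https://metrics.icloud.com/rtc/v1"},
    ]}},
    "shared_values": {"==SHARED_FILTERS_AAA": {"remove": ["_clientName"]}},
}
BODY = plistlib.dumps({"bag": base64.b64encode(plistlib.dumps(INNER_BAG)).decode()})
HEADERS = {
    "Server": "AmazonS3",
    "Cache-Control": "max-age=21600, public",
    "Via": "http/1.1 usdal2-edge-fx-004.ts.apple.com (acdn/302.16436), "
           "http/1.1 tmobileusa-usdal1a-fe-003.ec.edge.apple (acdn/260.16276)",
}
SIGNATURE_HEADERS = ("content-signature", "x-apple-signature")

def decode_bag(body):
    """Outer plist -> base64 'bag' string -> inner plist."""
    return plistlib.loads(base64.b64decode(plistlib.loads(body)["bag"]))

def via_hops(headers):
    """Proxy host names from Via, in the order listed."""
    return [hop.split()[1] for hop in headers.get("Via", "").split(",") if hop.strip()]

def check_response(headers, body):
    """Integrity-relevant properties of a bag response, for comparison
    against the tables in the document."""
    h = {k.lower(): v for k, v in headers.items()}
    clients = decode_bag(body)["release"]["splunk"]["clients"]
    max_age = re.search(r"max-age=(\d+)", h.get("cache-control", "max-age=0"))
    return {
        "content_signature": any(s in h for s in SIGNATURE_HEADERS),
        "cache_max_age": int(max_age.group(1)),
        "s3_origin": h.get("server") == "AmazonS3",
        "hops": via_hops(headers),
        "carrier_edge": [hop for hop in via_hops(headers) if hop.endswith(".ec.edge.apple")],
        "sampling": {c["name"]: c["sampling_threshold"] for c in clients},
        "post_urls": sorted({c["post_url"] for c in clients}),
    }
```

Run it against a real capture by replacing HEADERS and BODY with the proxy's recorded headers and raw body.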

WHOIS and address attribution can be confirmed via:

https://rdap.arin.net/registry/ip/2607:fb90:c12f:180::1
https://rdap.arin.net/registry/ip/2607:7700::
https://rdap.arin.net/registry/ip/2620:149::

CDN identity can be confirmed by reading the Via: header on any pancake.apple.com response.


Architectural concerns

The following are properties of the channel as observed. None constitute a vulnerability claim. Each warrants Apple's clarification.

  1. No content-level signature. Bag responses carry only TLS-level integrity. No Content-Signature, X-Apple-Signature, or equivalent header is present. Whoever can serve content for pancake.apple.com controls the filter rules applied to telemetry on the receiving device.

  2. Carrier address space. The host is served from T-Mobile USA, Inc. address space (2607:fb90::/28, 2607:7700::/32), via an Apple-operated CDN node deployed inside T-Mobile's network footprint (tmobileusa-usdal1a-fe-003.ec.edge.apple). The legal and operational basis for hosting telemetry-control infrastructure inside a US carrier's network is not documented in any Apple developer or privacy material.

  3. Single privileged daemon. A single iOS daemon, rtcreportingd, serves as both the fetcher of bags from pancake.apple.com and the poster of filtered telemetry to metrics.icloud.com/rtc/v1. The daemon fetches configuration for subsystems unrelated to RTC reporting, including coremedia, nimbus, wings, mexp, tu, and ca.

  4. Daily rotation of dynamic content. The repo leaf was last modified the day of observation; six other leaves are static (Oct 2025–Feb 2026). The dynamic leaf controls file-provider file-sync (fpfs) telemetry.

  5. Provenance stripping. All five filter pipelines remove the same five framework provenance fields (_clientName, _clientVersion, _sender, _sessionID, _reportVers) before upload, while allowing a content processName field that can be set by the caller. The framework provenance fields are the fields a recipient pipeline would use to verify which on-device binary generated each event.

  6. Sampling rates. The C2ReportMetrics pipeline, which carries network event metadata including hostnames, IPs, ports, URIs, and byte counts, is sampled at 0.001 (1 in 1000). At this sampling rate, low-frequency network endpoints contacted by the device are statistically unlikely to appear in any uploaded sample.


Recommendations

  1. Apple should sign bag content with a publicly verifiable Apple key.
  2. Apple should publish canonical SHA256 hashes for each bag leaf so that independent researchers can verify their device's bag content.
  3. Apple should document the operational basis for serving pancake.apple.com from T-Mobile USA address space.
  4. Apple should document the rationale for rtcreportingd fetching configuration for subsystems unrelated to RTC reporting.
  5. Apple should document the threat model that motivates removing framework provenance fields (_clientName, _sender, _sessionID) from telemetry uploaded to Apple's own pipelines.
  6. Apple should document the legal basis under which T-Mobile USA hosts Apple-operated CDN edge nodes that serve telemetry-control infrastructure for iOS devices.

Timeline

2026-03-22 → 2026-04-06   Wire-side capture (Proxyman)
2026-03-29                rtcreportingd internal buffer captured
2026-04-06                Bag content decoded; filter rules tabulated

License

This document is released into the public domain. The decoded bag contents, captured response headers, and the rtcreportingd buffer excerpt are artifacts of an Apple production service and are not subject to copyright claim by the author.
