Unmasking the Privacy Risks of Apple Intelligence
This talk demonstrates how to intercept and analyze traffic from Apple Intelligence and Siri features by bypassing certificate pinning using Frida. The research reveals that Apple's AI infrastructure transmits sensitive user data, including application metadata and location information, to Apple servers even when features are supposedly local. The speaker provides a practical methodology for inspecting encrypted traffic and highlights significant privacy concerns regarding data leakage in AI-enabled ecosystems. A custom tool for parsing the proprietary ACE protocol is released to assist in further security research.
Bypassing Apple Intelligence Certificate Pinning to Expose Data Leakage
TLDR: Researchers at DEF CON 2025 demonstrated that Apple Intelligence and Siri transmit sensitive user data, including application metadata and location, to Apple servers despite claims of local processing. By using Frida to bypass certificate pinning, they intercepted the proprietary ACE protocol and exposed how these features leak information. This research provides a clear methodology for security professionals to audit AI-enabled mobile features and highlights the necessity of rigorous network-level monitoring.
Security researchers often treat "on-device" AI claims with healthy skepticism. When Apple announced that its new AI features would prioritize privacy by running models locally, the immediate question for the offensive community was not whether it was true, but how to prove it false. The research presented at DEF CON 2025 confirms that the reality of these implementations is far more complex than marketing materials suggest. By intercepting traffic between a macOS device and Apple servers, researchers uncovered a persistent leakage of application metadata and location data that occurs even during seemingly trivial user interactions.
The Methodology of Interception
Analyzing encrypted traffic from Apple Intelligence requires more than a standard proxy setup. Apple employs certificate pinning to prevent exactly the kind of inspection that security researchers perform daily. To get around this, the researchers used Frida to hook the set_verify_mode function within the BoringSSL library. This effectively disables the certificate validation logic, allowing tools like mitmproxy to intercept and decrypt the traffic.
Once the pinning was bypassed, the researchers encountered the proprietary ACE protocol. This protocol is not documented, and it uses a combination of Zlib compression and custom binary formats. To make sense of the intercepted packets, they had to reverse-engineer the protocol structure. The process involved identifying the "magic" bytes that signal the start of a transmission, followed by decompressing the Zlib-encoded payload. The resulting data revealed that Siri and Apple Intelligence are not just processing local commands; they are actively communicating with Apple’s backend infrastructure to enrich user requests with context.
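The decoding step described above (check the magic bytes, then inflate the zlib payload) is sketched below as an added example; it is not the researchers' tool. The magic value and the sample messages are constructed placeholders, since the article does not give the real ACE values, and the code assumes the payload is one long-lived zlib stream that arrives in pieces.

```python
import zlib

# Placeholder only: the article does not give the real ACE magic bytes.
PLACEHOLDER_MAGIC = b"\x00MAGIC-PLACEHOLDER"

class StreamDecoder:
    """Incrementally decode a 'magic bytes + zlib stream' capture."""

    def __init__(self, magic):
        self.magic = magic
        self.pending = b""      # bytes buffered until the full magic has arrived
        self.inflater = None    # created once the magic has been verified

    def feed(self, chunk):
        """Accept one captured chunk; return any newly decompressed bytes."""
        if self.inflater is None:
            self.pending += chunk
            if len(self.pending) < len(self.magic):
                return b""      # the magic itself may be split across chunks
            if not self.pending.startswith(self.magic):
                raise ValueError("capture does not start with the expected magic")
            chunk, self.pending = self.pending[len(self.magic):], b""
            self.inflater = zlib.decompressobj()
        return self.inflater.decompress(chunk)

def build_sample():
    """Constructed capture: two messages sync-flushed into one open zlib stream."""
    messages = [b'{"note": "constructed message 1"}',
                b'{"note": "constructed message 2"}']
    comp = zlib.compressobj()
    wire = PLACEHOLDER_MAGIC
    for msg in messages:
        wire += comp.compress(msg) + comp.flush(zlib.Z_SYNC_FLUSH)
    return wire, b"".join(messages)

def decode_in_chunks(wire, size, magic=PLACEHOLDER_MAGIC):
    """Replay the capture in fixed-size chunks, as it would arrive off the wire."""
    decoder = StreamDecoder(magic)
    return b"".join(decoder.feed(wire[i:i + size]) for i in range(0, len(wire), size))

def one_shot_fails(wire):
    """zlib.decompress() rejects a stream that was flushed but never finished."""
    try:
        zlib.decompress(wire[len(PLACEHOLDER_MAGIC):])
    except zlib.error:
        return True
    return False

if __name__ == "__main__":
    wire, _ = build_sample()
    print(decode_in_chunks(wire, 7).decode())
```

The incremental decompressobj matters here: a one-shot zlib.decompress() call fails on a stream that is still open, which is the usual state of a capture taken mid-session.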
Data Leakage in Practice
The most concerning finding is the breadth of information sent to Apple servers. When a user asks a simple question, such as "What is the weather in Las Vegas?", the device transmits not just the query, but also precise location coordinates and a list of active applications. This behavior is not limited to Apple’s own apps. The researchers demonstrated that the system queries the status of third-party applications like Slack, Notion, and even virtual machine managers like Parallels.
The following snippet illustrates the type of metadata being leaked during a standard request:
# Example of intercepted metadata structure
{
  "app_info": {
    "bundle_id": "com.parallels.winapp.1441d6b1c10f910cdc400e40b5fce9",
    "name": "Weather",
    "intent": "WeatherIntent"
  }
}
This level of granularity is problematic. If an AI assistant is constantly polling the state of your running applications and location, it creates a massive surface area for privacy erosion. During the talk, the researchers showed that even when they attempted to disable these features, the underlying communication channels remained active. This suggests that the "privacy bubble" promised by Apple is not as impenetrable as the documentation implies.
Real-World Implications for Pentesters
For those conducting mobile application security assessments, this research is a wake-up call. You cannot assume that an application is truly "offline" just because it claims to be. When testing iOS or macOS applications that integrate with Siri or Apple Intelligence, you must perform deep packet inspection to verify what data is actually leaving the device.
If you are performing a red team engagement or a bug bounty, focus on the guzzoni.apple.com and *.smoot.apple.com endpoints. These are the primary gateways for Siri and Apple Intelligence traffic. By using the mitmproxy extension developed by the researchers, you can parse the ACE protocol and identify exactly what metadata is being exfiltrated. This is particularly relevant when testing enterprise environments where employees might be using sensitive internal tools that could be inadvertently indexed by these AI features.
Defensive Considerations
Defenders must implement more rigorous network-level monitoring to detect this type of data exfiltration. Relying on host-based controls is insufficient when the operating system itself is the source of the traffic. Organizations should consider blocking traffic to known Siri and Apple Intelligence telemetry endpoints at the firewall level if they have strict data residency or privacy requirements.
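One way to start the network-level monitoring described above is to flag DNS lookups for the two endpoints the article names. This is an added example, not part of the original research; the log format, client addresses and queried hostnames are constructed for illustration.

```python
from collections import Counter

# Endpoints named in the article; a leading "*." means "any subdomain".
WATCHED = ["guzzoni.apple.com", "*.smoot.apple.com"]

# Constructed resolver log lines: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = [
    "2025-08-10T10:00:01Z 10.0.0.5 A guzzoni.apple.com.",
    "2025-08-10T10:00:02Z 10.0.0.5 A sample.smoot.apple.com",
    "2025-08-10T10:00:03Z 10.0.0.7 AAAA SAMPLE.Smoot.Apple.COM",
    "2025-08-10T10:00:04Z 10.0.0.7 A notsmoot.apple.com",
    "2025-08-10T10:00:05Z 10.0.0.9 A guzzoni.apple.com.example.net",
    "malformed line",
]

def matches(host, pattern):
    """Match on DNS label boundaries, case-insensitively, ignoring a trailing dot."""
    host = host.rstrip(".").lower()
    if pattern.startswith("*."):
        # Keep the leading dot so "notsmoot.apple.com" does not match.
        return host.endswith(pattern[1:])
    return host == pattern

def parse_line(line):
    """Return (client, qname), or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, client, _qtype, qname = parts
    return client, qname

def summarize(lines):
    """Count watched-endpoint lookups per (client, pattern)."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        for pattern in WATCHED:
            if matches(qname, pattern):
                hits[(client, pattern)] += 1
    return hits

if __name__ == "__main__":
    for (client, pattern), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client} -> {pattern}: {count} lookup(s)")
```

Matching on whole labels keeps lookalike names such as a watched hostname used as a prefix of another domain out of the results, so the same function can feed a blocklist without over-blocking.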
Furthermore, users should be encouraged to audit their "Siri & Search" settings. While disabling these features may reduce the utility of the AI assistant, it is currently the only way to stop the continuous stream of metadata being sent to Apple. Transparency from vendors is the only long-term solution. Until Apple provides a clear, verifiable way to ensure that specific data remains strictly on-device, researchers must continue to treat these AI features as potential vectors for data leakage. If you are auditing these systems, start by verifying the traffic patterns yourself rather than trusting the privacy policy.