Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicised techniques by Apple employees, the company has acknowledged.
The same techniques to circumvent backup encryption could be used by law enforcement or others with access to "trusted" computers to which the devices have been connected, according to a security expert who prompted Apple's admission.
In a conference presentation last week, researcher Jonathan Zdziarski showed how the services take a surprising amount of data for what Apple says are diagnostic services to help engineers.
Users are not notified that the services are running and cannot disable them, Zdziarski said. There is no way for iPhone users to know what computers have previously been granted trusted status via the backup process or block future connections.
"There's no way to 'unpair' except to wipe your phone," he said in a video demonstration he posted showing what he could extract from an unlocked phone through a trusted computer.
As word spread about Zdziarski's initial presentation at the Hackers on Planet Earth conference, some cited it as evidence of Apple collaboration with the US National Security Agency.
Apple denied creating "back doors" for intelligence agencies.
"We designed iOS so its diagnostic functions do not compromise user privacy and security, but still provide needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data," Apple said.
But Apple also posted its first descriptions of the tools on its own website, and Zdziarski and others who spoke with the company said they expected it to make at least some changes to the programs in the future.
Zdziarski said he did not believe the services were aimed at spies. But he said they extracted more information than needed.
Security analyst Rich Mogull said Zdziarski's work was overhyped but technically accurate.
"They are collecting more than they should be, and the only way to get it is to compromise security," said Mogull, chief executive officer of Securosis.
Mogull also agreed with Zdziarski that since the tools exist, law enforcement will use them in cases where the desktop computers of targeted individuals can be accessed.
"They'll take advantage of every legal tool that they have and maybe more," Mogull said.