A forensic analysis of iOS 18.6 reveals a silent data exfiltration sequence initiated entirely by Apple system daemons — no app involved, no permission prompt, no UI indicator.
In a ~3-second window, nsurlsessiond and symptomsd transferred ~5MB of data over the network. This activity is not tied to any userland app, does not trigger any TCC prompt, and cannot be viewed or controlled in iOS privacy settings.
Sequence of events:
tccd preflights access to Reminders (TCC-protected) with no app context
abm-helper, CommCenterRootHelper, and cfprefsd coordinate via Mach/XPC
sosd attempts to write to a sensitive communications safety plist
nsurlsessiond purges its cache
symptomsd logs 5MB+ of RX/TX traffic — with no app running
Sequence of events:
tccd preflights access to Reminders (TCC-protected) with no app context
abm-helper, CommCenterRootHelper, and cfprefsd coordinate via Mach/XPC
sosd attempts to write to a sensitive communications safety plist
nsurlsessiond purges its cache
symptomsd logs 5MB+ of RX/TX traffic — with no app running
There is:
No telemetry toggle
No EDR/MDM visibility
No disclosure from Apple
This breaks the app-based sandbox and represents:
A system-native stealth exfil pipeline
Cross-daemon privilege chaining
A real privacy and compliance blind spot