One line of code can break your iPhone

It has been discovered that there is a vulnerability in the developer API '
How a Single Line Of Code Could Brick Your iPhone | Rambo Codes
https://rambo.codes/posts/2025-04-24-how-a-single-line-of-code-could-brick-your-iphone
The Darwin Notification API is an API for exchanging data between specific processes. According to developer Guilherme Rambo, the amount of data that can be transferred through the Darwin Notification API is very limited, so the API in itself does not pose a risk of leaking confidential data. However, it can be misused because sending and receiving require no special permissions, it is available as a public API, and it has no mechanism for verifying the sender.
Rambo investigated whether the Darwin Notification API could be used for a denial-of-service (DoS) attack, and found that he was able to send notifications that looked like notifications triggered by a computer connected to the device.

Rambo created a test app that demonstrated how it was possible to fake notifications such as 'liquid detected' and 'DisplayPort connected,' block gestures, and force a reboot.
The forced reboot is achieved by making the device display a 'Restoring' notification. Because the notification is fake, the device is not actually restored, so the process times out and the device has to be rebooted. Displaying the 'Restoring' notification took just one line of code:
[code]notify_post("com.apple.MobileSync.BackupAgent.RestoreStarted")[/code]
Although iOS apps have very limited background processing opportunities and many APIs with side effects are prevented from working when the app is not in the foreground, some types of third-party app extensions may run before an iOS device is first unlocked.
If an app contains a widget, the system runs the widget after launching the app. Taking advantage of this behavior, Rambo added a widget to the test app and put the above code in the widget. When the test app is launched in this state, the device displays 'Restoring', then shows a notification that the system will be restarted and prompts the user to restart the device. As soon as the device restarts, the system launches the extension again, and the device gets stuck in a loop of asking for another restart.

Rambo reported the vulnerability to Apple, and it was fixed in about six months. He received a $17,500 reward from Apple's Security Reward Program. The issue was assigned CVE-2025-24091, and the notification system was changed to require permission for sensitive notifications.
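The design flaw and the fix described above (no sender verification, then a permission requirement for sensitive notifications), shown as an added toy model in C that is not code from Rambo's post or from Apple. The broker, the sender records and the entitlement string are assumptions; only the notification name comes from the article.

```c
#include <stdio.h>
#include <string.h>
/* Toy model of a notification broker; NOT Apple's implementation. */
typedef struct {
    const char *bundle_id;
    const char *const *entitlements;   /* NULL-terminated, fixed at signing time */
} sender_t;
typedef enum { UI_NORMAL, UI_RESTORING } ui_state_t;

/* The name is the one quoted in the article; the entitlement is hypothetical. */
#define RESTORE_STARTED "com.apple.MobileSync.BackupAgent.RestoreStarted"
#define RESTORE_ENT     "example.allow-post.restore-started"

static int has_entitlement(const sender_t *s, const char *want) {
    for (const char *const *e = s->entitlements; e && *e; e++)
        if (strcmp(*e, want) == 0) return 1;
    return 0;
}

/* Observer side: the system UI reacts to the notification name alone. */
static void deliver(ui_state_t *ui, const char *name) {
    if (strcmp(name, RESTORE_STARTED) == 0) *ui = UI_RESTORING;
}

/* Before the fix: any process may post any name; the sender is ignored. */
int post_unverified(const sender_t *s, const char *name, ui_state_t *ui) {
    (void)s;
    deliver(ui, name);
    return 1;
}

/* After the fix: a sensitive name is dropped unless the sender is entitled. */
int post_verified(const sender_t *s, const char *name, ui_state_t *ui) {
    if (strcmp(name, RESTORE_STARTED) == 0 && !has_entitlement(s, RESTORE_ENT))
        return 0;                      /* rejected, UI state unchanged */
    deliver(ui, name);
    return 1;
}

/* Constructed senders for the demonstration. */
static const char *const no_ents[]    = { NULL };
static const char *const agent_ents[] = { RESTORE_ENT, NULL };
const sender_t third_party_widget = { "com.example.widget", no_ents };
const sender_t backup_agent       = { "com.example.backupagent", agent_ents };

int main(void) {
    ui_state_t before = UI_NORMAL, after = UI_NORMAL;
    post_unverified(&third_party_widget, RESTORE_STARTED, &before);
    post_verified(&third_party_widget, RESTORE_STARTED, &after);
    printf("unverified ui=%d, verified ui=%d\n", before, after);
    return 0;
}
```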
in Software, Posted by log1p_kr