If we didn't already know this, Apple's previous positioning as the privacy company was just branding with zero actual conviction behind it. Now, just as ICE contracts with Paragon for zero-click spyware that bypasses encrypted apps, Apple erases the key forensic artifact for detecting state-sponsored mobile surveillance. Along with Cook's cash-and-gold-for-tariff-exemptions scheme, they're racing to the bottom with the rest of big tech.
I just wanna say how ridiculous it is that forensics on iphones is done via backup archives. If apple at least included a full system memory dump along with the backup that'd be better. If only the allowed system-extensions like on macos that run in EL1+ for security monitoring.
It seems like the author's don't believe this was a deliberate attempt by Apple to hide Spyware:
> Consider holding off on updating to iOS 26 until Apple addresses this issue, ideally by releasing a bug fix that prevents the overwriting of the shutdown.log on boot.
I’d assume that erasing the shutdown log is also a security measure from Apple, attackers could use it to better understand crash conditions or device behavior.
That said, if we take Apple’s stance on privacy seriously, users should also have deep inspection capabilities on their own devices. After all, they’re supposed to own them.
> If you care about your iOS device security.. reboot every day.. writes a list of running processes to this shutdown.log file.. If you have processes that shouldn't be running, they will get written to this shutdown.log file.. allows you to go back in time and check for IOCs.
This is dumb - now that this is known, attackers will make sure that they edit the shutdown.log file to be perfectly byte for byte identical to an uninfected device.
I guess at scale every minor fix is a spacebar heater for someone else. I assume Apple is probably going to bring this back to pacify the iVerify people but long term they are going to keep making these changes and mercenary spyware is going to learn how to hide itself better. I really think it’s time to start thinking about strategies that go beyond forensic artifacts…
I’ve been told repeatedly by high ranking members of the apple support forum to never look at logs. Only schizos and idiots look at the logs they said. Even experienced apple developers don’t look at the logs I was told. This makes me question everything about apple support, especially the “geniuses” that work at the Apple Store.
My experience with the Apple support forum is that everyone that bothers to write an answer will tell you that you're using the product wrong, you're wrong for trying to use a product the way you want, or that your problem is actually a feature that you're misunderstanding.
It's as useless as Microsoft's forum except it's run by people who want to defend the company's honour more than they want to tell you to do a clean install of your OS.
Of course, neither is an official support channel. They're just users offering support to other users. Many of them don't seem to have all that technical a background, they've just used products they're suggesting solutions for for a long time and have gathered some useful tricks, which may end up causing some cargo culty suggestions.
- The update now clears the shutdown log each boot.
> This led to the conclusion that a cleared shutdown.log could serve as a good heuristic for identifying suspicious devices.
> With iOS 26 Apple introduced a change—either an intentional design decision or an unforeseen bug—that causes the shutdown.log to be overwritten on every device reboot instead of appended with a new entry every time, preserving each as its own snapshot. This means that any user who updates to iOS 26 and subsequently restarts their device will inadvertently erase all evidence of older Pegasus and Predator detections that might have been present in their shutdown.log.
A good article provides a list of terms and abbreviations used before starting. If there is no such thing, the article is not worth the time spent on it.
17 comments
[ 2.5 ms ] story [ 32.4 ms ] thread(They actually do use the expanded form in the article, just without some parentheses afterwards on the first usage of the phrase.)
Maybe everyone but me knows the abbreviation, but in case it helps _someone_ out there!
> Consider holding off on updating to iOS 26 until Apple addresses this issue, ideally by releasing a bug fix that prevents the overwriting of the shutdown.log on boot.
That said, if we take Apple’s stance on privacy seriously, users should also have deep inspection capabilities on their own devices. After all, they’re supposed to own them.
> If you care about your iOS device security.. reboot every day.. writes a list of running processes to this shutdown.log file.. If you have processes that shouldn't be running, they will get written to this shutdown.log file.. allows you to go back in time and check for IOCs.
So the log has no value
It's as useless as Microsoft's forum except it's run by people who want to defend the company's honour more than they want to tell you to do a clean install of your OS.
Of course, neither is an official support channel. They're just users offering support to other users. Many of them don't seem to have all that technical a background, they've just used products they're suggesting solutions for for a long time and have gathered some useful tricks, which may end up causing some cargo culty suggestions.
Wait what? Surely if you're concerned about nation-state spyware, upgrading to the latest version is safer than staying on a vulnerable version.
- The update now clears the shutdown log each boot.
> This led to the conclusion that a cleared shutdown.log could serve as a good heuristic for identifying suspicious devices.
> With iOS 26 Apple introduced a change—either an intentional design decision or an unforeseen bug—that causes the shutdown.log to be overwritten on every device reboot instead of appended with a new entry every time, preserving each as its own snapshot. This means that any user who updates to iOS 26 and subsequently restarts their device will inadvertently erase all evidence of older Pegasus and Predator detections that might have been present in their shutdown.log.