## https://sploitus.com/exploit?id=93154E3F-E334-52A6-B73E-885D850746AF
# HostName
## Overview
HostName is a sample application demonstrating how a third-party app can access a user's device name without the `com.apple.developer.device-information.user-assigned-device-name` entitlement.
## Details
In iOS 16, Apple added the `com.apple.developer.device-information.user-assigned-device-name` entitlement to prevent third-party applications from fingerprinting a user by device name. However, the `ProcessInfo.processInfo.hostName` API broke in the process, which allowed a third-party developer to get the network hostname of the device without an entitlement. While the hostname is not an exact 1:1 copy of the device name, it's close. For example, my device is named `Astronaut Sloth`, which gives me a hostname of `Astronaut-Sloth`.
When a third-party developer accesses the `ProcessInfo.processInfo.hostName` API, the user gets presented with an "Allow <X> to communicate with Local Network Devices" prompt. In iOS 15, the `ProcessInfo.processInfo.hostName` API would return `localhost` if the user denied this prompt. However, in iOS 16 this also broke - a device name was always returned regardless of user input.
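For privacy review of an app or a bundled SDK, the pattern described above can be searched for in source. The following is an added example, not part of the HostName project: it flags reads of `ProcessInfo.processInfo.hostName` (Swift or Objective-C spelling) in a code base whose entitlements file does not declare the device-name entitlement. The file names and sample sources are constructed, and the line-based `//` comment stripping is a simplification.

```python
import plistlib
import re

# Entitlement named on the page.
ENTITLEMENT = "com.apple.developer.device-information.user-assigned-device-name"

# Swift and Objective-C spellings of the hostName accessor discussed above.
HOSTNAME_PATTERNS = [
    re.compile(r"\b(?:NS)?ProcessInfo\s*\.\s*processInfo\s*\.\s*hostName\b"),
    re.compile(r"\[\s*\[\s*NSProcessInfo\s+processInfo\s*\]\s+hostName\s*\]"),
]

def has_entitlement(entitlements_plist: bytes) -> bool:
    """True if the .entitlements plist sets the device-name entitlement."""
    return plistlib.loads(entitlements_plist).get(ENTITLEMENT) is True

def find_hostname_reads(sources: dict) -> list:
    """Return (file, line number, code) for each hostName read outside // comments."""
    hits = []
    for path, text in sources.items():
        for number, line in enumerate(text.splitlines(), start=1):
            code = line.split("//", 1)[0]  # naive: drops anything after //
            if any(p.search(code) for p in HOSTNAME_PATTERNS):
                hits.append((path, number, code.strip()))
    return hits

def audit(sources: dict, entitlements_plist: bytes) -> list:
    """Flag hostName reads in an app that does not hold the entitlement."""
    if has_entitlement(entitlements_plist):
        return []
    return find_hostname_reads(sources)

# Constructed sample project (hypothetical file names and contents).
SAMPLE_SOURCES = {
    "Telemetry.swift": "import Foundation\n"
                       "// ProcessInfo.processInfo.hostName is not used here\n"
                       "let id = ProcessInfo.processInfo.hostName\n",
    "Legacy.m": "NSString *h = [[NSProcessInfo processInfo] hostName];\n",
    "Clean.swift": "let os = ProcessInfo.processInfo.operatingSystemVersionString\n",
}
SAMPLE_ENTITLEMENTS = plistlib.dumps({"aps-environment": "development"})

if __name__ == "__main__":
    for path, number, code in audit(SAMPLE_SOURCES, SAMPLE_ENTITLEMENTS):
        print(f"{path}:{number}: hostName read without entitlement: {code}")
```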
## Timeline
- Discovered & reported this entitlement leak/bypass in August 2022 during the iOS 16 beta period.
- Apple patched the issue with iOS 17.0 in September 2023.
- Apple verified that the issue was fixed with iOS 17.0 in September 2023. This issue was not eligible for a bug bounty.
- The public disclosure was added to the [iOS 17.0 Security Notes](https://support.apple.com/en-us/HT213938) in September 2023.
## Final Thoughts
- I can't blame Apple for not wanting to pay a bug bounty for a one-line device-name bypass, but I'll admit it was a little frustrating to hear that an API leaking entitlement-gated information didn't qualify for a bug bounty. If anyone from Apple stumbles upon this, I would take a moment to update the [bug bounty categories](https://security.apple.com/bounty/categories/) page to include more information about similar issues that fall in the "it's a sensitive data bypass, but the data is not that sensitive" category. I still plan to finish up the other user fingerprinting issues I've found, but this experience has taken a bit of the wind out of my sails.