ReplayKit security in iOS and iPadOS
ReplayKit is a framework that allows developers to add recording and live broadcasting capabilities to their apps. In addition, it allows users to annotate their recordings and broadcasts using the device’s front-facing camera and microphone.
There are several layers of security built into recording a movie:
Permissions dialog: Before recording starts, ReplayKit presents a user consent alert requesting that the user acknowledge their intent to record the screen, the microphone, and the front-facing camera. This alert is presented once per app process, and it’s presented again if the app is left in the background for longer than 8 minutes.
Screen and audio capture: Screen and audio capture occurs out of the app’s process in the ReplayKit daemon replayd. This is designed to ensure the recorded content is never accessible to the app process.
In-app screen and audio capture: This allows an app to get video and sample buffers, which is guarded by the permissions dialogue.
Movie creation and storage: The movie file is written to a directory that’s only accessible to the ReplayKit subsystems and is never accessible to any apps. This helps prevent recordings being used by third parties without the user’s consent.
End-user preview and sharing: The user has the ability to preview and share the movie with a user interface vended by ReplayKit. The user interface is presented out-of-process through the iOS Extension infrastructure and has access to the generated movie file.
There are several layers of security built into broadcasting a movie:
Screen and audio capture: The screen and audio capture mechanism during broadcasting is identical to movie recording and occurs in
Broadcast extensions: For third-party services to participate in ReplayKit broadcasting, they’re required to create two new extensions that are configured with the com.apple.broadcast-services endpoint:
A user interface extension that allows the user to set up their broadcast
An upload extension that handles uploading video and audio data to the service’s back-end servers
The architecture helps ensure that hosting apps have no privileges to the broadcasted video and audio contents. Only ReplayKit and the third-party broadcast extensions have access.
Broadcast picker: With the broadcast picker, users initiate system broadcasts directly from their app using the same system-defined user interface that’s accessible using Control Center. The user interface is implemented using a private API and is an extension that lives within the ReplayKit framework. It is out-of-process from the hosting app.
Upload extension: The extension that third-party broadcast services implement to handle video and audio content during broadcasting uses raw unencoded sample buffers. During this mode of handling, video and audio data is serialized and passed to the third-party upload extension in real time through a direct XPC connection. Video data is encoded by extracting the IOSurface object from the video sample buffer, encoding it securely as an XPC object, sending it over through XPC to the third-party extension, and decoding it securely back into an IOSurface object.