top of page
< Back

iOS Unified Logs - Calls and more

Each method of making a call leaves unique unified logs. This article presents several examples to determine how a call was generated.

iOS Unified Logs - Calls and more

Lionel Notari

Week  4


iOS Unified Logs - Origin of a Call


A call can be initiated from various applications or through different methods. The most common approach is likely to open the "Phone" application and click on the contact you want to call.


However, it is also possible to ask Siri to call a contact or a number, to "highlight" a phone number in the Safari app (or any other app), and call it directly.


Finally, you can use your car's infotainment system when the phone is connected via Bluetooth. Each method generates different unified logs, which can be valuable to investigate. Here are a few examples:

#

Event

Origin

1

SpringBoard: Received trusted open application request for "com.apple.InCallService" from <FBApplicationProcess: 0x698d2b000; app<com.apple.mobilephone>:1119(vBC4)>.

Phone

2

SpringBoard: Received trusted open application request for "com.apple.InCallService" from <FBProcess: 0x69813d080; osservice<com.apple.bluetoothd>:96(v122)>.

Bluetooth

3

SpringBoard: Received trusted open application request for "com.apple.InCallService" from <FBProcess: 0xc8e905890; osservice<com.apple.assistantd>:37(v1B9)>.

Siri

4

SpringBoard: Received trusted open application request for "com.apple.InCallService" from <FBApplicationProcess: 0xc92ae7330; app<com.apple.PeopleViewService(0A2313B5-6BE7-47CF-9D48-3B09767A3C42)>:1577(v11A8)>.

Contact Widget from Homescreen

5

SpringBoard: Received trusted open application request for "com.apple.InCallService" from <FBApplicationProcess: 0xc8eb2b1c0; app<com.apple.MobileSMS(0A2313B5-6BE7-47CF-9D48-3B09767A3C42)>:336(v3B1)>.

Messages

6

SpringBoard: Received trusted open application request for "com.apple.InCallService" from <FBApplicationProcess: 0xc90dc69e0; app<com.apple.mobilenotes(123724D3-4BD3-4667-A74C-766C08FE254B)>:1601(v11EB)>.

Notes

7

SpringBoard: Received trusted open application request for "com.apple.InCallService" from <FBApplicationProcess: 0xc928e3a50; app<com.apple.mobilesafari(0A2313B5-6BE7-47CF-9D48-3B09767A3C42)>:1608(v11FE)>

Safari



A few important information


  • The above list is not exhaustive. It is necessary to identify which process initiated the "inCallService" and then link it to its respective application.

  • In the case of a call made by manipulating the iPhone, other Unified Logs can be investigated to reconstruct the entire action: unlocking the device, clicking on the icon of an application, clicking on a contact's name, etc. For more information, I recommend this article.: iOS Unified Logs - Making a call

  • In the case of a call made using the car's infotainment system, no logs of iPhone interactions will be recorded!

  • Finally, in the case of Siri, I recommend this article: iOS Unified Logs - Talking to Siri, in which we discussed the Unified Logs related to it.


-> Once the origin of the call has been identified through the investigation of the logs mentioned above, I strongly recommend examining the logs recorded a few seconds before the call. This can help reveal whether the phone was manipulated or not. These logs can confirm or refute a version of events.

bottom of page