If legal, consider risk to NSA. Official product ran inside company to add requested feature, hundred of people aware of it. Seems both expensive to order such feature and almost guaranteed to be exposed by some of the employees.

Alternative method is to presume all software is insecure, hire 1 expert whose day job is to search for vulnerabilities in IOS. Much cheaper, insignificant risk.

Which method would you use?

I'd also look at having people work in the factory in china designing test or at (/own) the QA/test equipment manufacturer as when they connect the product jtag to test you can give a little extra. Both smaller groups of people and nobody knows what they do anyway but they do get legit access to the product perhaps with low level details handed on a plate.

If this is as widespread as claimed, and if we'll gain knowledge how to see if you are affected, there are potentially repercussions on geopolitical scale, as I'm sure many on these lists would go public and share information if they'd find being targeted.

Would they leave them out there gathering data for as long as possible or remove the evidence as soon as people start looking (then put some back later once the fuss has died down)? brandon