Featured Research

from universities, journals, and other organizations

Operating system weakness: Security weaknesses in iOS 7 rectified

Date:
October 2, 2013
Source:
The Agency for Science, Technology and Research (A*STAR)
Summary:
Computer scientists have discovered three security weaknesses in iOS 7, which Apple Inc. has now recognized and rectified.

Researchers from the Infocomm Security Department at A*STAR's Institute for Infocomm Research (I2R) and Singapore Management University's (SMU) School of Information Systems have identified three proof-of-concept attacks which can be performed by third-party applications to threaten the security of the iOS platform. The attacks, which include pass-code cracking, interference with or control of telephony functionality and sending tweets without the user's awareness and permission, have been rectified by Apple Inc in its latest operating system, iOS 7.

Apple's iOS operating system is one of the most popular mobile operating systems in terms of the number of users. As of January 2013, 500 million iOS devices have been sold worldwide, and Apple's iTunes App Store has over 800,000 iOS third-party applications with downloads exceeding 40 billion.

Third-party applications are pervasively installed on these iOS devices as they provide various functions that significantly extend the usability of the mobile devices. However, these third-party applications pose potential threats by compromising the personal and business data stored on the devices.

Between June to October 2012, I2R and SMU researchers embarked on a task to unveil a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices. The research team constructed multiple proof-of-concept attacks such as cracking the device PIN, blocking incoming calls and posting unauthorised tweets. To overcome these security breaches, the team proposed several mitigation methods to enhance the vetting process and the iOS application sandbox. Apple Inc. was notified of these security vulnerabilities and rectified them for the launch of iOS 7, acknowledging I2R's and SMU's contributions. Please see Appendix A for full information on the three security fixes developed by the I2R and SMU research team in iOS 7.

Security issues:

1. Data Protection

Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Apps could bypass passcode-attempt restrictions Description: A privilege separation issue existed in Data Protection. An app within the third-party sandbox could repeatedly attempt to determine the user's passcode regardless of the user's "Erase Data" setting. This issue was addressed by requiring additional entitlement checks.

Researchers involved: Jin Han of the Institute for Infocomm Research working with Qiang Yan and Su Mon Kywe of Singapore Management University

2. Telephony

Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Malicious apps could interfere with or control telephony functionality Description: An access control issue existed in the telephony subsystem. Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling telephony functionality. This issue was addressed by enforcing access controls on interfaces exposed by the telephony daemon.

Researchers involved: Jin Han of the Institute for Infocomm Research working with Qiang Yan and Su Mon Kywe of Singapore Management University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee from the Georgia Institute of Technology

3. Twitter

Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Sandboxed apps could send tweets without user interaction or permission Description: An access control issue existed in the Twitter subsystem. Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling Twitter functionality. This issue was addressed by enforcing access controls on interfaces exposed by the Twitter daemon.


Story Source:

The above story is based on materials provided by The Agency for Science, Technology and Research (A*STAR). Note: Materials may be edited for content and length.


Cite This Page:

The Agency for Science, Technology and Research (A*STAR). "Operating system weakness: Security weaknesses in iOS 7 rectified." ScienceDaily. ScienceDaily, 2 October 2013. <www.sciencedaily.com/releases/2013/10/131002102309.htm>.
The Agency for Science, Technology and Research (A*STAR). (2013, October 2). Operating system weakness: Security weaknesses in iOS 7 rectified. ScienceDaily. Retrieved April 24, 2014 from www.sciencedaily.com/releases/2013/10/131002102309.htm
The Agency for Science, Technology and Research (A*STAR). "Operating system weakness: Security weaknesses in iOS 7 rectified." ScienceDaily. www.sciencedaily.com/releases/2013/10/131002102309.htm (accessed April 24, 2014).

Share This



More Computers & Math News

Thursday, April 24, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Monkeys Are Better At Math Than We Thought, Study Shows

Monkeys Are Better At Math Than We Thought, Study Shows

Newsy (Apr. 23, 2014) A Harvard University study suggests monkeys can use symbols to perform basic math calculations. Video provided by Newsy
Powered by NewsLook.com
High Court to Hear Dispute of TV Over Internet

High Court to Hear Dispute of TV Over Internet

AP (Apr. 22, 2014) The future of Aereo, an online service that provides over-the-air TV channels, hinges on a battle with broadcasters that goes before the U.S. Supreme Court on Tuesday. (April 22) Video provided by AP
Powered by NewsLook.com
Aereo Takes on Broadcast TV Titans in Supreme Court Today

Aereo Takes on Broadcast TV Titans in Supreme Court Today

TheStreet (Apr. 22, 2014) Aereo heads to the Supreme Court today to fight for its right to stream broadcast TV over the Internet -- against broadcasters who say the start-up infringes upon copyright law. TheStreet Deputy Managing Editor Leon Lazaroff explains the importance of the case in the TV industry and details what the outcome of it could mean for broadcasters and for cloud storage services -- as Aereo allows its subscribers to not just watch live TV shows but also store content to a DVR in the cloud. Video provided by TheStreet
Powered by NewsLook.com
Lytro Introduces 'Illum,' A Professional Light-Field Camera

Lytro Introduces 'Illum,' A Professional Light-Field Camera

Newsy (Apr. 22, 2014) The light-field photography engineers at Lytro unveiled their next innovation: a professional DSLR-like camera called "Illum." Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:
from the past week

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins