Science News
from research organizations

Operating system weakness: Security weaknesses in iOS 7 rectified

Date:
October 2, 2013
Source:
The Agency for Science, Technology and Research (A*STAR)
Summary:
Computer scientists have discovered three security weaknesses in iOS 7, which Apple Inc. has now recognized and rectified.
Share:
       
FULL STORY

Researchers from the Infocomm Security Department at A*STAR's Institute for Infocomm Research (I2R) and Singapore Management University's (SMU) School of Information Systems have identified three proof-of-concept attacks which can be performed by third-party applications to threaten the security of the iOS platform. The attacks, which include pass-code cracking, interference with or control of telephony functionality and sending tweets without the user's awareness and permission, have been rectified by Apple Inc in its latest operating system, iOS 7.

Apple's iOS operating system is one of the most popular mobile operating systems in terms of the number of users. As of January 2013, 500 million iOS devices have been sold worldwide, and Apple's iTunes App Store has over 800,000 iOS third-party applications with downloads exceeding 40 billion.

Third-party applications are pervasively installed on these iOS devices as they provide various functions that significantly extend the usability of the mobile devices. However, these third-party applications pose potential threats by compromising the personal and business data stored on the devices.

Between June to October 2012, I2R and SMU researchers embarked on a task to unveil a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices. The research team constructed multiple proof-of-concept attacks such as cracking the device PIN, blocking incoming calls and posting unauthorised tweets. To overcome these security breaches, the team proposed several mitigation methods to enhance the vetting process and the iOS application sandbox. Apple Inc. was notified of these security vulnerabilities and rectified them for the launch of iOS 7, acknowledging I2R's and SMU's contributions. Please see Appendix A for full information on the three security fixes developed by the I2R and SMU research team in iOS 7.

Security issues:

1. Data Protection

Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Apps could bypass passcode-attempt restrictions Description: A privilege separation issue existed in Data Protection. An app within the third-party sandbox could repeatedly attempt to determine the user's passcode regardless of the user's "Erase Data" setting. This issue was addressed by requiring additional entitlement checks.

Researchers involved: Jin Han of the Institute for Infocomm Research working with Qiang Yan and Su Mon Kywe of Singapore Management University

2. Telephony

Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Malicious apps could interfere with or control telephony functionality Description: An access control issue existed in the telephony subsystem. Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling telephony functionality. This issue was addressed by enforcing access controls on interfaces exposed by the telephony daemon.

Researchers involved: Jin Han of the Institute for Infocomm Research working with Qiang Yan and Su Mon Kywe of Singapore Management University; Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee from the Georgia Institute of Technology

3. Twitter

Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Sandboxed apps could send tweets without user interaction or permission Description: An access control issue existed in the Twitter subsystem. Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling Twitter functionality. This issue was addressed by enforcing access controls on interfaces exposed by the Twitter daemon.


Story Source:

The above post is reprinted from materials provided by The Agency for Science, Technology and Research (A*STAR). Note: Materials may be edited for content and length.


Cite This Page:

The Agency for Science, Technology and Research (A*STAR). "Operating system weakness: Security weaknesses in iOS 7 rectified." ScienceDaily. ScienceDaily, 2 October 2013. <www.sciencedaily.com/releases/2013/10/131002102309.htm>.
The Agency for Science, Technology and Research (A*STAR). (2013, October 2). Operating system weakness: Security weaknesses in iOS 7 rectified. ScienceDaily. Retrieved July 4, 2015 from www.sciencedaily.com/releases/2013/10/131002102309.htm
The Agency for Science, Technology and Research (A*STAR). "Operating system weakness: Security weaknesses in iOS 7 rectified." ScienceDaily. www.sciencedaily.com/releases/2013/10/131002102309.htm (accessed July 4, 2015).

Share This Page: