Apple runs a Bug Bounty Program where it offers to pay those who detect and report security flaws and other vulnerabilities to it. However, it doesn’t always seem to act on what it is told.
A Russian developer, Denis Tokarev, who says they reported four vulnerabilities in iOS to Apple between March and May 2021 claims that only one of them was closed with iOS 14.7. He also claims that Apple never mentioned his findings in the security notes that accompanied the update and also failed to do so in the security notes accompanying subsequent updates, despite promising to do so. Read: Apple releases important security updates to stop spyware.
According to the person who discovered the gaps, there are three that remain open. Feeling frustrated by Apple’s failure to respond, he has now published examples of the code on Github, and Twitter users have confirmed the existence of the vulnerabilities.
🚨“Any app installed from the App Store may access the following data without any prompt from the user:” pic.twitter.com/hXpfqlgnDa— Kosta Eleftheriou (@keleftheriou) September 24, 2021
The gaps that have not yet been closed relate to Apple's Game Center. Apparently, one of the background processes in iOS does not check whether an app has permission to perform all Game Center functions. This can cause any installed app to query user information from Game Center. The system can then access the following data: Apple ID and name; list of contacts from Mail, SMS, iMessage, and other messenger apps; list of favourites from Contacts app and their phone number, complete databases from Contacts app and pictures of contacts.
Another gap, also active on iOS 15, can allow any installed app to start a query as to whether another app is installed on the affected device and receive a response to it.
The third gap that has not yet been closed is said to allow an app with location permission to obtain Wi-Fi information such as SSID.
The fourth gap was closed with iOS 14.7. Prior to iOS 14.7 the flaw meant every installed app was able to obtain all the information from analyticsd, i.e. from the iOS evaluation of crashes, etc.
Apple collects different health data such as heart rate, monthly cycles, gender and age of users. This data is only evaluated if permitted by users - you go to Settings > Privacy > Analysis & Improvements > Health & Activity, Health Record, Handwashing and Wheelchair. For this purpose, these databases can contain information about the app crashes, screen time on the device, languages of the open pages in Safari, etc.
Since the vulnerabilities have been known for a few hours now, there is not yet any protection against them. One can only advise not to install unknown apps in the time until Apple closes the vulnerabilities.
For more information about security on the iPhone read: iPhone security tips: How to protect your phone from hackers.
This article originally appeared on Macwelt. Translation by Karen Haslam.