Jonathan Zdziarski spilled gas on the initial round of iOS surveillance reports with his research paper and talk at the HOPE/X conference, where he outlined a number of risks of remote surveillance. Now the security researcher is back with new a blog post, saying that with iOS 8 Apple has addressed some of the vulnerabilities highlighted in the initial report.
The next-generation iOS will land on September 17 and addresses File Relay, the service responsible for causing the biggest potential privacy threat. According to Zdziarski, this service appears to be protected in the iOS 8 GM.
In addition to file relay, Apple no longer permits wireless clients to access the user’s media folder, or other types of data. These are just a few of the addressed vulnerabilities.
What’s not fixed, though, is the ability to obtain a handle on application sandboxes using a wired (USB) connection, despite the iDevice being locked. This vulnerability grants access to your iDevice through different forensic tools, such as the one from Elcomsoft.
It appears that the threat of persistent wireless surveillance – my biggest concern – has been addressed in iOS 8. While I’m not yet sure how they now control access to these deeper functions, at the very least it doesn’t look like they are so widely open to abuse as they were in iOS 7. Props to Apple for tackling a very complex and subtle problem that was difficult to explain.
The full report is worth reading, and concerned readers should keep its content in mind when storing data on their iPhone.