iOS may have been built with security at its core, but it does have vulnerabilities that Apple needs to patch. The latest, revealed to the public at the Black Hat Asia conference by Chilik Tamir, a security researcher at Mountain View, CA-based mobile security firm Mi3 Security, allows attackers to access sensitive information without raising any suspicion, Security Week reports (via Security Intelligence).
While it’s a bit cumbersome – it requires physical access to the targeted iPhone – it still remains a serious security hole Apple needs to close. Tamir says it all starts with a legitimate copy of Xcode 7, the tool developers use to create their apps.
Xcode 7 also allows developers to quickly obtain the Apple certificates needed to build iOS apps, simply by providing their name and email address. At this stage these apps are harmless; they can’t be uploaded to the App Store, because they wouldn’t pass the review process.
Tamir, however, found a way to move these apps onto iOS devices by bypassing Apple’s security measures: After he gets physical access to the device, he or any cybercriminal can connect the handset to a computer and replace a legitimate app with a malicious one. He calls this type of attack “Su-A-Cyder”.
While a remote attack is excluded, he did point to a few scenarios where it would work: think of a repair shop for example.
Apple has recognized the problem and removed the ability to replace matching-ID apps, but Tamir went further and developed a technique he calls sandjacking, which allows replication of the above process without Apple’s permission. At the recent Hack In The Box (HITB) conference, he demonstrated that it was possible to create a device backup, delete the legitimate app, replace it with the malicious version, and then run the restoration process.
Apple was notified of this matter last December, and it has yet to roll out a fix. Until it does, you may want to consider to whom you hand over your iPhone for “repair”.
Image credit: Chilik Tamir