Apple is in a continuing fight to keep the iOS platform secure, and it has made a mistake that has blown open the entire platform. This weekend it was revealed that Apple has been sloppy, and an old vulnerability that was patched over has been broken in the move to iOS 12.4, so it is possible for a iPhone running the very latest version of iOS to run unsigned code.
That could be an intentional choice by users wanting to access alternate app stores or access functions not normally exposed (a classic jailbreak) but it is more likely to be used maliciously, for example using a bug in another application that allows code to be run remotely on any up to date iPhone.
It cannot be stressed enough that this is a huge mistake by Apple. That said there are some limitations to note. First of all the vulnerability does not affect hardware running on the A12 system on chip – the iPhone X will be impacted, but not the iPhone XR, XS, or XS Max. unfortunately Apple has never released sales figures for the newer handsets so how many users are protected by hardware evolution is not known.
You also need to have iOS 12.4 installed. This is one moment in time where Apple’s ability to shift its user base to the latest version of the mobile operating system is not helpful (although it will be helpful when the presumptively named iOS 12.4.1 patch is rolled out). Unfortunately has Apple pulled iOS 12.2 and 12.3 from its servers and revoked their signatures, so there is no choice but to update to 12.4.
And for those who jailbreak their devices for their own use, there may well be ongoing issues if they use Apple’s online services – which will no doubt be double checking the devices that connect to them.
Advertising is displayed on a gigantic canvas for the iPhone X on the Louvre on February 02, 2018 in Paris, France (Photo by John van Hasselt/Corbis via Getty Images) GETTY
In the real world, let’s add together these puzzle pieces… you could download an app from the App Store which makes use of this exploit to ‘escape’ the iOS sandbox that an application is given by the operating system. Lorenzo Franceschi-Bicchierai reports:
“Due to 12.4 being the latest version of iOS currently available and the only one which Apple allows upgrading to, for the next couple of days (till 12.4.1 comes out), all devices of this version (or any 11.x and 12.x below 12.3) are jail breakable—which means they are also vulnerable to what is effectively a 100+ day exploit,” said Jonathan Levin, a security researcher and trainer who specializes in iOS, referring to the fact that this vulnerability can be exploited with code that was found more than 100 days ago.
Given Apple was made aware of this bug over 100 days ago by Google’s Project Zero team, there’s probably a good chance that elements not friendly to Apple’s ethos of user security will be aware of the issue and potentially using it quietly in the background. In the meantime, if you are on iOS 12.3 do not upgrade to 12.4 to stay protected over the next few days.
Apple’s PR team has been approached for comment. Presumably the development team are working quickly to roll out iOS 12.4.1 which will reapply the patch, now that the horse has bolted.