Security researchers from three universities have found seven types of vulnerabilities that affect the iOS mobile operating system. These issues are related to the sandbox feature and include exploits that could be used to plan a variety of attacks against iPhone or iPad users.
The iOS Sandbox Has Become a Security Minefield
The iOS Sandbox feature of Apple’s iOS mobile operating system (used for the iPhone and iPad devices) has been found to contain a lot of security issues that can be exploited against victim devices. The discoveries were made by researchers from three independent universities. This function allows users and administrators to constrain any malicious or third-party applications that are installed on the mobile devices.
The found flaws can allow third-party developers to perform multiple unauthorized actions on the host systems. Examples include the exploitation of privacy settings, looking up location search history, system file metadata access and others. The problems are very severe as some of the issues allow the apps to block access to specific system resources. The tested code runs on the later version of the operating system including 9.0.2.
The discoveries were made in a proof-of-concept test that aims to validate some of the claims about the heightened security in Apple’s closed source system. The researchers created a process named “SandScout” that extracted the profile of the sandbox and reversed engineered it into a readable form. By doing this, they were able to create a platform that can perform automated queries on the coding and scan for possible abuse scenarios.
The security implications so far are devastating to the target device. Not only third-party applications can bypass the security measures, but they can perform other malicious actions such as consume disk storage space, obtain profile information and media library files, etc.
Full information will be published in an upcoming paper titled “SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles”. The publication will be at the ACM Conference on Computer and Communications Security conference in Vienna this October. Until the paper is published the team doesn’t want to reveal many details as they are working with Apple on amending the issues.
