NC State University Researchers Find iOS Sandbox Profiles Are Full Of Security Flaws

by Brandon Hill — Thursday, August 25, 2016, 05:12 PM EDT

When it comes to smartphone vulnerabilities, we’re used to hearing about Google’s Android operating system getting raked over the coals. After all, Android has 85+ percent global market share according to Gartner and is an easy target. iOS has had its fair share of security issues as well, but not to the extent that we’ve seen on Android.

However, we just recently reported on three critical vulnerabilities that Apple patched in iOS 9.3.5, which allowed iPhones to be remotely hacked. And now we’re hearing of a new vulnerability that affects iPhones and iPads running the latest versions of iOS. According to researchers working at NC State University, they have found critical flaws in the sandbox functionality built within iOS.

A sandbox profile is administered by iOS for individual third-party apps, and dictates what and how personal data can be accessed on a person’s iPhone or iPad. The researchers were able to extract the binary code from a sandbox profile, decompile it, and then run automated tests on the code to sniff out any and all vulnerabilities that would leave iOS ripe for exploitation.

Fortunately for the researchers, they were able to use the knowledge gained from the code to create a proof of concept that allows them to bypass privacy settings for sensitive data like contacts, permits apps to communicate with each in ways that are skirt Apple controls, and even gobble up an iOS device’s free space with reckless abandon.

“Our goal was to identify any potential problems before they became real-world problems,” write’s NC State associate professor of computer science William Enck. Being that these findings are coming from a reputable institution (Go Wolfpack!), the researchers have already gotten in contact with Apple to share their findings.

The NC State researcher’s findings — which were buoyed by the work of Mihai Chiroiu and Răzvan Deaconescu of University Politehnica of Bucharest, and Lucas Davi and Ahmad-Reza Sadeghi of Technische Universität Darmstadt — will be presented at the ACM Conference on Computer and Communications Security in late October.

Tags: Apple, iPhone, (NASDAQ:AAPL), nc state, ncsu

Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.

Which New GPU Is For You?

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now