NC State University Researchers Find iOS Sandbox Profiles Are Full Of Security Flaws
When it comes to smartphone vulnerabilities, we’re used to hearing about Google’s Android operating system getting raked over the coals. After all, Android has 85+ percent global market share according to Gartner and is an easy target. iOS has had its fair share of security issues as well, but not to the extent that we’ve seen on Android.
However, we just recently reported on three critical vulnerabilities that Apple patched in iOS 9.3.5, which allowed iPhones to be remotely hacked. And now we’re hearing of a new vulnerability that affects iPhones and iPads running the latest versions of iOS. According to researchers working at NC State University, they have found critical flaws in the sandbox functionality built within iOS.
A sandbox profile is administered by iOS for individual third-party apps, and dictates what and how personal data can be accessed on a person’s iPhone or iPad. The researchers were able to extract the binary code from a sandbox profile, decompile it, and then run automated tests on the code to sniff out any and all vulnerabilities that would leave iOS ripe for exploitation.
Fortunately for the researchers, they were able to use the knowledge gained from the code to create a proof of concept that allows them to bypass privacy settings for sensitive data like contacts, permits apps to communicate with each in ways that are skirt Apple controls, and even gobble up an iOS device’s free space with reckless abandon.
“Our goal was to identify any potential problems before they became real-world problems,” write’s NC State associate professor of computer science William Enck. Being that these findings are coming from a reputable institution (Go Wolfpack!), the researchers have already gotten in contact with Apple to share their findings.
The NC State researcher’s findings — which were buoyed by the work of Mihai Chiroiu and Răzvan Deaconescu of University Politehnica of Bucharest, and Lucas Davi and Ahmad-Reza Sadeghi of Technische Universität Darmstadt — will be presented at the ACM Conference on Computer and Communications Security in late October.