For the second time in less than two weeks, Apple is defending itself against claims that call into question the security of iOS.
The company has denied a security researcher’s claims that iOS has a “backdoor” that enables third parties to potentially gain access to users’ personal data.
The researcher, Jonathan Zdziarski, detailed the alleged security flaws in a presentation at the Hope X security conference and in a journal paper. The problem, he explains, arises from the way Apple encrypts — or fails to encrypt — data from the iPhone’s native apps, leaving personal data vulnerable to third parties.
“Once the device is first unlocked after reboot, most of the data-protection encrypted data can be accessed until the device is shut down,” he wrote in his Hope X presentation. “Your device is almost always at risk of spilling all data, since it’s almost always authenticated, even while locked.”
The data at risk, according to Zdziarski, is some of the most personal information stored on your phone. It includes Twitter, iCloud, and email accounts; contacts information, including deleted contacts; and data caches, including screenshots of pages you’ve viewed, keyboard typing history, and location information.
Although actually extracting this data requires a fairly advanced level of expertise, it can potentially be obtained by anyone with access to a computer, iPhone dock or any other host that has previously been paired with the iOS device, since that host already holds the pairing record the device trusts.
He stops short of accusing Apple of putting these backdoors in place to intentionally aid the NSA or other organizations, but the researcher does say he believes the NSA could have exploited the vulnerabilities. As he explains on his blog:
I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn’t be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.
Apple did not respond to Mashable’s request for comment but told iMore in a statement that iOS is not designed to compromise users’ security.
We have designed iOS so that its diagnostic functions do not compromise user privacy and security, but still provide needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues. A user must have unlocked their device and agreed to trust another computer before that computer is able to access this limited diagnostic data. The user must agree to share this information, and data is never transferred without their consent.
As we have said before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services.
For his part, Zdziarski has already responded to Apple’s comments, saying the statement actually confirms there is, in fact, a backdoor. “It looks like Apple might have inadvertently admitted that, in the classic sense of the word, they do indeed have back doors in iOS, however claim that the purpose is for ‘diagnostics’ and ‘enterprise’,” he wrote on his blog.
The issue, he says, is that these services that send out users’ data are always on, and consumers have no way of turning them off or otherwise opting out, even when the “Send Diagnostics to Apple” setting is disabled.
“I don’t buy for a minute that these services are intended solely for diagnostics,” he writes. “The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption.”
The latest security concerns come less than two weeks after Apple published a lengthy statement defending the security of iOS, following a report on China’s state-run television station that quoted security researchers who claimed the iPhone was a potential risk to the country’s national security.
Posted by : Gizmeon