In the News

Singapore institutions show their security mettle

I²R and SMU discover security weaknesses in the iOS platform.

Apps that bypass restrictions on passcode attempts, interfere with or control telephony function, or send tweets without user interaction or permission – these were some of the potential security breaches that have been curtailed in Apple’s latest operating system iOS 7, thanks to the work of researchers from A*STAR’s Institute for Infocomm Research (I²R) and Singapore Management University’s (SMU) School of Information Systems.

Apple’s iOS operating system is one of the most popular mobile operating systems in terms of the number of users. As of January 2013, 500 million iOS devices have been sold worldwide, and Apple’s iTunes App Store has over 800,000 iOS third-party applications with downloads exceeding 40 billion.

The use of these third-party applications on iOS devices is widespread as they provide various functions that significantly extend the usability of the mobile devices. However, they also pose potential threats by compromising the personal and business data stored on the devices.

Researchers at I²R and SMU were among the first to identify three proof-of-concept attacks which could be performed by third-party applications to threaten the security of the iOS platform. Between June and October 2012, they embarked on a task to unveil a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices.

The team constructed multiple proof-of-concept attacks such as cracking the device PIN, blocking incoming calls and posting unauthorised tweets. To overcome these security breaches, the team proposed mitigation methods in the following areas to enhance the vetting process and the iOS application sandbox.

  • Data protection: A privilege separation issue existed in data protection, which could potentially allow apps to bypass passcode attempt restrictions. An app within the third-party sandbox (an isolated environment for testing the program) could repeatedly attempt to determine the user’s passcode regardless of the user’s “Erase Data” setting. This issue was addressed by requiring additional entitlement checks.
  • Telephony: An access control issue existed in the telephony subsystem, potentially allowing malicious apps to interfere with or control the telephony functions. Sandboxed apps could bypass supported application programming interfaces (APIs) and make requests directly to a system daemon (a program that runs as a background process), interfering with or controlling telephony functionality. This issue was addressed by enforcing access controls on interfaces exposed by the telephony daemon.
  • Twitter: An access control issue existed in the Twitter subsystem, potentially allowing sandboxed apps to send tweets without user interaction or permission. Bypassing supported APIs, sandboxed apps could make requests directly to a system daemon interfering with or controlling Twitter functionality. This issue was addressed by enforcing access controls on interfaces exposed by the Twitter daemon.

Apple was notified of these security vulnerabilities and rectified them for the launch of iOS 7. It also acknowledged I²R’s and SMU’s contributions to strengthening the security of the iOS platform.