Apple iPhone models are not as secure as the company claims they are. Researchers have found that contacts saved on iPhones are vulnerable to an SQLite hack attack. The attack could infect the devices with malware, according to security firm Check Point. The revelation comes amidst Apple boasting about how secure its systems are against rivals. SQLite is the most widely used database engine in the world. It is available in every operating system (OS), be it desktop or mobile.
The database engine can be found on Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android. Security firm Check Point has demonstrated a technique being used to manipulate Apple’s iOS contacts app. Apple Insider reports that searching the Contacts app under these circumstances triggers the device to run malicious codes. The vulnerability has been identified in the industry-standard SQLite database. The company’s hack exploiting SQLite database was demonstrated at Def Con conference in Las Vegas.
The report highlights that the hack involved replacing one part of Apple’s Contacts app. It also relied on a known bug that has reportedly not been fixed for four years after it was first discovered. According to the researchers, the bug was considered vulnerable only when a program allowed arbitrary SQL from an untrusted source. The bug was considered unimportant because it was believed that it could only be triggered by an unknown application accessing the database.
The closed nature of Apple’s iOS means that there are no unknown apps in the system. Check Point researchers note that they managed to make a trusted app and send the code to trigger this bug and thus exploit it. A specific component of the Contacts app was replaced by the researchers. They found that while apps and any executable code has to go through Apple‘s startup checks, an SQLite database is considered not executable.
“Persistency [keeping the code on the device after a restart] is hard to achieve on iOS,” they said, “as all executable files must be signed as part of Apple’s Secure Boot. Luckily for us, SQLite databases are not signed.” Apple has not commented on Check Point’s report just yet.
(Written with IANS inputs)