Apple devices are usually safer than other devices in terms of overall security, but that doesn’t mean they are perfect. This week at the Def Con hacking conference, Check Point revealed that it has found a vulnerability inside the Contacts app that affects all iPhones. The surprising aspect is that Apple knew about it for at least 4 years but didn’t fix the bug.
The security firm noted that the app uses the SQLite database engine, which can be exploited easily to run malicious scripts. According to a report published by the security firm, researchers bypassed Apple’s trusted secure boot mechanism and gained administrative rights. Usually, when an iPhone is booted, iOS runs secure boot, which forces all executable files to be signed. SQLite, however, is not signed, which means anyone can sneak in malicious code without triggering Apple’s secure boot.
Check Point also noted that the hacker would need physical access to an unlocked iPhone to alter the Contacts app’s code, so as long as you’re not leaving your iPhone unattended or it has a password, you’re safe. That said, Check Point has already forwarded the details to Apple so the company can finally patch the bug.