- A researcher has discovered that he can access the address book on iOS 13 without providing a passcode.
- While this sounds like a grave privacy issue, Apple doesn’t share that view, and the flaw remains in the Golden Master.
- The researcher was never awarded anything because the report concerned software that is in the beta stage.

Researcher Jose Rodriguez was casually testing the beta version of iOS 13 in June when he discovered that he could access the information in the device’s address book without ever entering the passcode. As he demonstrates in the following video, the exploit needs special conditions in order to work: a combination of taps and voice commands, the “reply with message” setting to be enabled, and of course, physical access to the device. Although this sounds like a lot of conditions to meet, it really isn’t that uncommon, as iOS has “reply with message” enabled by default.
Although peeking into someone’s address book isn’t considered a critical vulnerability, it certainly is a privacy invasion that could have very easily been avoided. iOS 13 entered “Golden Master” two days ago, and testers confirm that the issue is still there, so we’re one step away from having this pushed out to millions of devices. How come Apple has ignored the report of this privacy bug since June? Probably, they don’t think of it as a critical flaw and reportedly never treated it as one.
J. Rodriguez explains that when he first contacted Apple, he promised the tech company a way to bypass the passcode and access user data. In exchange, he asked for a $1 Apple Store gift card that he wanted to keep as a trophy. Apple agreed, but when the detailed report was submitted to them, their stance changed. They told the researcher that since the report concerned a product that’s in a beta stage of development, they were not allowed to give him any gifts. The same problem was reproduced and reported by other researchers in the period that followed, and Apple has apparently disregarded them all on similar grounds.
iOS 13 is planned for universal rollout on September 19, while the first bug-fixing version, 13.1, is planned for the end of the month. This means that Apple still has time to address the privacy flaw and make it impossible for someone to fiddle with your address book info, no matter the conditions. If you’re overly worried about this, you may simply keep your device running the latest version of the v12 branch that is still signed by Apple. If, however, you buy one of the devices in the iPhone 11 lineup, you lose that choice, as they come with iOS 13 preloaded.