Security Flaw in iOS 9.3.1 Allows Access to iPhone Photos and Contacts

[ChrisCW11]

Sorry but this is an epic fail just after the whole FBI lawsuit. Apple wanted to be the champion of people's privacy and then come out with an update that has a bug that allows photos and contacts, two things I am sure the FBI would enjoy having access to on a criminal's phone. This after the iCloud breach debacle last year.

Sorry, but Apple just does NOT understand quality control and needs to serious revamp it's whole development process. There should be a team of people whose job is 100% exclusive to doing nothing but trying to exploit iPhone security.

 

[H2SO4]

every other town / region has its own words in Germany. people can tell when i use Siri cuz no one would actually talk / write among friends like that as in "proper german" lol OR siri simply doesnt understand what i am trying to say. I cant use it for music either cuz it never gets english words / artists right when i tell it to play english songs while being set to german

I still miss that place. Can Siri get you a Curry wurst mit pommes und einen Fanta?

 

[Pike R. Alpha]

This is what happens with large, complex software developments. There's only so much testing can be done before release otherwise the release would never come, after which any discovered holes are dealt with as they crop up.

The thing is, this is a regression. A bug that was fixed in an earlier release. Thus Apple forgot/skipped to do some regression testing. That is stupid.

 

[djcerla]

Sorry but this is an epic fail

do you really believe your own words? An "epic fail"?

 

[doelcm82]

Sorry but this is an epic fail just after the whole FBI lawsuit. Apple wanted to be the champion of people's privacy and then come out with an update that has a bug that allows photos and contacts, two things I am sure the FBI would enjoy having access to on a criminal's phone. This after the iCloud breach debacle last year.

Sorry, but Apple just does NOT understand quality control and needs to serious revamp it's whole development process. There should be a team of people whose job is 100% exclusive to doing nothing but trying to exploit iPhone security.

Apology accepted.

 

[IPPlanMan]

I've said it many times before:

Apple needs to completely freeze all development on new features for iOS for at least a year and assign its entire iOS team to do a top down review/quality check of the entire iOS codebase.

This is getting out of control, and it's being driven by a "requirement" to have a new iOS version every single year. That's dumb, and that's what's causing this.

I don't want to see a single new feature in iOS until that top to bottom review is done. Only bug fixes and security updates should come for the foreseeable future. That's it.

 

[WrQth]

This could explain the source of the bug, but it is the GUI of SIRI which appears, nothing else. Does this be the case also if you use voice recognition for dialing only? (I never used voice command to call someone)

And: I NEVER EVER used Siri - so "recognition" should be impossible because Siri NEVER EVER has learned my voice - at least I did NEVER intend /allow Siri to "learn" or "recognize" my voice!

And: It is nevertheless bizarre that a blocked iPhone can be used by anyone to call someone from my contactlist… this should be impossible..

Siri doesn't need to learn to recognize the words you say though it gets better the more you use it. For me the GUI is very similar but not the same, it clearly says Voice Control at the top of the screen when Siri is disabled and I hold the home button long enough when at the lock screen.

 

[Glassed Silver]

Unfortunately I think we're in the minority when it comes to Apple taking more time for the major updates. More time in between updates equals bad for most of the media and people in general. Then the "Apple is doomed" talks get amplified. Haha.

Really?
Most of the non-techies are actually happy to be left in peace.
Kinda one of the key reasons why everyone and their dog hates Tuesdays so much... *cough* "Windows Update is ready to install 2697697698 new updates" / "Do you want to restart now?" "Do you want to restart now?" "Now you really want to restart... Count down..." <no interaction> "Here, let me close your unsaved documents you had open during your launch break and shut down the computer"

People (on average) hate frequent updates.

Glassed Silver:mac

 

[3rdiguy]

Whats weird for me is now that I've downloaded 9.3.1 my Mail app started crashing on my iPhone. Didn't have that issue before and this sucks.

 

[djcerla]

I've said it many times before:

Apple needs to completely freeze all development on new features for iOS for at least a year and assign its entire iOS team to do a top down review/quality check of the entire iOS codebase.

This is getting out of control, and it's being driven by a "requirement" to have a new iOS version every single year. That's dumb, and that's what's causing this.

this vulnerability applies to a ridicolously subset of iOS users. So let's stop development altogether to hunt for bugs?

As opposite, I'd argue iOS is much more secure and less buggy NOW than before, remember "slide to jailbreak"?

 

[IPPlanMan]

this vulnerability applies to a ridicolously subset of iOS users. So let's stop development altogether to hunt for bugs?

As opposite, I'd argue iOS is much more secure and less buggy NOW than before, remember "slide to jailbreak"?

Yes. Stop all development to look for bugs. 100% right. It doesn't matter if it applies to a subset of users.

iOS doesn't need new features. iOS needs solid reliability and airtight security. Apple has forgotten that matters anymore.

 

[Benjamin Frost]

Glad I have Siri turned off.

Voice control is inherently insecure.

 

[vmachiel]

Well have fun looking at my dog I guess...

 

[deckard666]

I wish my life was interesting enough to be genuinely upset by pretty much any hacks these forums seem to bleat on about. Perhaps I am the only one on here not a world leader, spy or billionaire

 

[aristobrat]

I've said it many times before:

Apple needs to completely freeze all development on new features for iOS for at least a year and assign its entire iOS team to do a top down review/quality check of the entire iOS codebase.

This is getting out of control, and it's being driven by a "requirement" to have a new iOS version every single year. That's dumb, and that's what's causing this.

I don't want to see a single new feature in iOS until that top to bottom review is done. Only bug fixes and security updates should come for the foreseeable future. That's it.

So you're saying that if Apple reviewed iOS from top-to-bottom (and didn't do yearly iOS updates), all future code that they write would be 100% perfect on the first release (and bugs like this would never happen again)?

 

[djcerla]

So you're saying that if Apple reviewed iOS from top-to-bottom (and didn't do yearly iOS updates), all future code that they write would be 100% perfect on the first release (and bugs like this would never happen again)?

Yes. Stop all development to look for bugs. 100% right. It doesn't matter if it applies to a subset of users.

iOS doesn't need new features. iOS needs solid reliability and airtight security. Apple has forgotten that matters anymore.

You're wrong. iOS is more secure and less buggy now than it used to be. And it's a much more complex system now.

Rewriting all the code would be a nightmare and would introduce thousands of bugs, this time serious ones.

 

[IPPlanMan]

So you're saying that if Apple reviewed iOS from top-to-bottom (and didn't do yearly iOS updates), all future code that they write would be 100% perfect on the first release (and bugs like this would never happen again)?

Never is a long time. But Apple can do much better than it's doing now. Apple is far from 100% perfect, and you'd agree with that I'm sure.

Yearly iOS updates are stretching the resources of the iOS team to the limit and quality/reliability/security suffer as a result.

Apple needs to completely freeze all development on new features for iOS for at least a year and assign its entire iOS team to do a top down review/quality check of the entire iOS codebase.

That's what needs to happen here.
[doublepost=1459871282][/doublepost]

You're wrong. iOS is more secure and less buggy now than it used to be. And it's a much more complex system now.

Rewriting all the code would be a nightmare and would introduce thousands of bugs, this time serious ones.

I'm wrong? Who said anything about "rewriting all the code"?

I'm saying to have the iOS team do a complete top/down review of the entire iOS code base. Fix all known issues. Catch as many unknown ones as you can without the pressure of an annual development cycle for a new iOS release.

 

[citysnaps]

do you really believe your own words? An "epic fail"?

People who say things like that are likely still in high school. What can you do?

 

[wacky4alanis]

Doesn't the guy in the video unlock his iPhone before using Siri??

 

[GoodWatch]

Really?
Most of the non-techies are actually happy to be left in peace.
Kinda one of the key reasons why everyone and their dog hates Tuesdays so much... *cough* "Windows Update is ready to install 2697697698 new updates" / "Do you want to restart now?" "Do you want to restart now?" "Now you really want to restart... Count down..." <no interaction> "Here, let me close your unsaved documents you had open during your launch break and shut down the computer"

People (on average) hate frequent updates.

Glassed Silver:mac

Wow! This thread is 100% about an alleged flaw in iOS and still someone manages to slide-in Windows from the side. It's like going back to the good ol' times

 

[6836838]

Glad I have Siri turned off.

Voice control is inherently insecure.

You're confused.

 

[aristobrat]

Never is a long time. But Apple can do much better than it's doing now. Apple is far from 100% perfect, and you'd agree with that I'm sure.

Yearly iOS updates are stretching the resources of the iOS team to the limit and quality/reliability/security suffer as a result.

Apple needs to completely freeze all development on new features for iOS for at least a year and assign its entire iOS team to do a top down review/quality check of the entire iOS codebase.

That's what needs to happen here.

This bug didn't seem to exist before 9.3.1, so I'm still unsure of how them having "thoroughly checked" (top down) iOS 9.3.0 (or earlier) would have prevented this.

And to continue the devils advocacy here, the iOS team has always been producing yearly updates, so I don't see where there is any 'stretch'.

I think the stretch concept could be applied to first few yearly Mac OS releases (as that team previously had more than a year to finalize their work before, and were forced to change it).

I don't think there's any way for Apple (or any company) to do a code review that magically enables them to write bug-proof software in the future. Otherwise some company would be out there doing it (and bragging about it).
[doublepost=1459871862][/doublepost]

I'm saying to have the iOS team do a complete top/down review of the entire iOS code base. Fix all known issues.

This wasn't a known issue before, was it? <confused>

Also, let's not pretend the 9.3.1 wasn't unusual in how quickly it was pushed out (i.e. no public beta, etc) to address the "can't click links" issue.

 

[IPPlanMan]

This bug didn't seem to exist before 9.3.1, so I'm still unsure of how them having "thoroughly checked" (top down) iOS 9.3.0 (or earlier) would have prevented this.

And to continue the devils advocacy here, the iOS team has always been producing yearly updates, so I don't see where there is any 'stretch'.

I think the stretch concept could be applied to first few yearly Mac OS releases (as that team previously had more than a year to finalize their work before, and were forced to change it).

I don't think there's any way for Apple (or any company) to do a code review that magically enables them to write bug-proof software in the future. Otherwise some company would be out there doing it (and bragging about it).
[doublepost=1459871862][/doublepost]
This wasn't a known issue before, was it? <confused>

Also, let's not pretend the 9.3.1 wasn't unusual in how quickly it was pushed out (i.e. no public beta, etc) to address the "can't click links" issue.

Just because Apple has done yearly updates doesn't mean they have to keep doing them.

What I'm suggesting will increase the quality/security/reliability of iOS, not decrease it.

I don't expect bug-proof. I expect better than this, and I'm sure you can agree with that.

 

[dan110]

I so want to break up with Siri forever.

 

[garylapointe]

It'd be a much smaller security flaw if it wasn't published here...

It's be a tiny more secure if they just gave you the fix "Users worried about the vulnerability can protect themselves by ensuring Siri's access to Twitter and Photos is disabled. On your device, go to Settings -> Privacy -> Twitter and if Siri is listed, turn off its access. Likewise, in Privacy -> Photos, turn any listing of Siri access to the Off position. Revoking Siri's access to your Contacts requires the more drastic action of disabling Siri lock screen activation. To do so, go to Settings -> Touch ID & Passcode and turn off the Siri switch."

Some people might be able to figure it out from that info BUT

I have a 6s Plus with 9.3.1 and I can't reproduce it at all. Every time i do it I get asked for my passcode. If it truly is a flaw in the OS it would show up in all devices running it would it not?

It's not the easy even when you know the steps...

Gary