Security Bug In iOS 5.0.1 Allows Passcode Screen To Be Bypassed, Grants Access To Contacts List And Phone Calling [VIDEO]
One of the hot topics surrounding not only iOS, but mobile operating systems in general is data security and privacy. Over the last couple of weeks there has been a lot of discussion on the world wide web about mobile applications accessing data without permission or prior notice, as well as independent reports about users being able to launch FaceTime calls and gain access to certain contact information on an iOS device. Only last week, we were also able to view a report from the University of California which used the PiOS tool to show us that official App Store applications leaked more data than their Cydia based counterparts. When all of this information is put together, it hasn’t been a very good two weeks for the reputation surrounding iOS security.
Although the security talk has died down in the last few days, it looks certain to flare up again thanks to recent findings by Safwan Saba and the iPhone Islam team. They have uploaded a video to their official YouTube account which demonstrates a security flaw in iOS 5 and 5.0.1 (confirmed here) which allows the passcode lock to be bypassed, giving access to the device’s Contact list as well as the ability to make phone calls and send emails.
The security flaw is said to be present on all iPhone devices capable of running iOS 5 so that would be the 3GS, 4 and 4S but the included video shows the iPhone Islam team demonstrating on an unjailbroken iPhone 4. The issue is by no means a simple vulnerability to replicate but occurs when attempting to reply to a missed call notification from the lockscreen while the network is ‘searching’ for a signal. The iPhone Islam team replicate the search network requirement by removing the SIM card, waiting until searching shows up in the top left hand corner of the device and then swiping the missed call notification on the lockscreen to reply to the call.
It would obviously work a lot better in locations without any network coverage, but once they got the timing right, the device immediately gave access to the Phone application on the iPhone, presenting the user with access to all recent calls, favorites, voicemails and even the entire Contacts list. Accessing the Contacts list and viewing an individual contacts data also allows quick launch of the SMS and email applications.
This security vulnerability in iOS is obviously something which will prove to be embarrassing to Apple and only time will tell if the company will be able to rectify this in time for the launch of iOS 5.1.