iOS 7 has only been officially available since last week, but in that time two separate lockscreen exploits have emerged that make it possible to access apps and make calls on a phone even if you don’t have the passcode. How is it that these flaws can emerge in a platform that was widely tested for months before release, and what lessons can we learn from them?
Last week, a lockscreen exploit emerged that gave access to some apps and photos. Apple said that would be fixed in the quickly-released 7.0.1 update, but then a second exploit emerged that enabled phone calls to be made from any locked device. While exploiting these flaws relies on physical access to a device, that wouldn’t be much comfort if someone ran up expensive international calls on your account.
We shouldn’t be surprised by these bugs. Any modern phone OS is a complex piece of software. Bugs are inevitable. Apple’s large market share also means that it’s a clear target; everyone is going to be checking its software for potential flaws. The fact that so many users update quickly to new versions is something of a double-edged sword in this respect; it means flaws (as well as fixes) are quickly distributed.
While developers have had access to beta versions of iOS 7 since mid-year, the main purpose of that is to ensure that third-party apps will work with the new software. It’s understandable that there will be less focus on how the main functionality works. Equally, once the final code is widely available, it makes sense that new flaws will be discovered.
It’s sometimes claimed that Apple can produce more reliable software because it controls both the hardware and software platform. While that does eliminate some potential bug sources and makes testing easier, it doesn’t automatically render software immune from problems. (If you want further confirmation of that, Apple was forced to pull its most recent Apple TV update after it bricked some devices.)
The price of success in the software world is that you become a visible target for attacks. Just as Windows was the obvious PC platform to target in the 2000s, the iPhone is a potentially rich source of pickings this decade. Good security practices (starting with not leaving your phone lying around for others to grab) will help avoid most of them.
This mini-outbreak of lockscreen bugs also reminds us that the beta testing process, while useful, won’t always uncover everything. That doesn’t mean we should panic or brand individual vendors as “unsafe”. We simply have to stay vigilant.