Apple Contacts app leaves iPhones and iPads vulnerable to hacking

Yolanda Curtis
August 13, 2019

In the researchers' case, they modified Apple's own iOS Contacts app so that entering commands when searching for contacts could crash the app or do other unintended things, like stealing passwords. More specifically, the attack targets the app's reliance on the SQLite database format, which is used pretty much everywhere from Windows 10 and macOS to Safari, Firefox and Android.

To boost the research and development on the security of iPhones, Apple Inc. has announced a bounty of $1 million to the hackers who can hack into their devices. "Luckily for us, SQLite databases are not signed", the report quoted the Check Point researchers as saying. "However, SQLite usage is so versatile that we can actually still trigger it in many scenarios". Allegedly, it'll be announced later this week, at the Black Hat security conference in Las Vegas, that Apple will be giving these "security researchers" special iPhones that will make it easier for them to find faults in the smartphone.

Since the Contacts app is a "trusted source" on iOS, once the researchers replaced a specific component of the Contacts app, the malicious code could be activated and carry out the hacker's commands with iOS being none the wiser.
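The weakness described above is that nothing authenticates the database file before the trusted app queries it. The following sketch is an added example, not Apple's or Check Point's code, of an app-side integrity check that refuses a swapped SQLite file; the function names, the `contacts.db` file name and the randomly generated key (standing in for one held in a platform keystore) are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile


def seal(db_path, key):
    """Return an HMAC-SHA256 tag over the database file's bytes."""
    with open(db_path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).digest()


def open_verified(db_path, key, expected_tag):
    """Open the database only if its bytes match the tag recorded by seal()."""
    with open(db_path, "rb") as f:
        data = f.read()  # read once; verify and use exactly these bytes
    tag = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("database failed integrity check; refusing to open")
    # Parse a private copy of the verified bytes, so a later swap of db_path is harmless.
    fd, private = tempfile.mkstemp(suffix=".db")
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return sqlite3.connect(f"file:{private}?mode=ro", uri=True)


def make_db(path, rows):  # builds constructed sample data
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE contacts(name TEXT, phone TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?)", rows)
    db.commit()
    db.close()


def demo():
    """Seal a constructed contacts DB, then replace the file on disk."""
    path = os.path.join(tempfile.mkdtemp(), "contacts.db")  # hypothetical name
    key = os.urandom(32)  # stand-in for a key held in the platform keystore
    make_db(path, [("Alice", "555-0100")])
    tag = seal(path, key)
    rows = open_verified(path, key, tag).execute("SELECT name FROM contacts").fetchall()
    os.remove(path)
    make_db(path, [("Mallory", "555-0199")])  # a different file at the same path
    try:
        open_verified(path, key, tag)
    except ValueError:
        return rows, True
    return rows, False
```

Calling `demo()` returns the rows read from the sealed file and whether the replaced file was rejected. The tag has to be refreshed after every legitimate write, and the check only helps if the key is stored where whoever can replace the file cannot read it.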

As an example, the researchers demonstrated a simple attack that crashed the Contacts app. And on iOS, no app is really untrusted.

Researchers at Google's Project Zero program have also discovered serious vulnerabilities in Apple's iOS software. The company has long touted security as a major selling point over rivals, but the holes keep coming, and when this one comes off the back of four years of inaction, it's not a good look. One of the bugs allowed hackers to gain access to your iPhone or iPad by sending you a text message. It's the biggest bug bounty program by Apple. A principal security researcher at Jamf, who has found more than a few issues within macOS, has said that "if you're a large, well-resourced company such as Apple, who claims to place a premium on security, having a bug-bounty program is a no brainer".

This is not Apple's first attempt of this kind, but previous campaigns had much smaller rewards, which did not exceed 200,000 for reporting the worst problems.
