
Apple Fixes “Backdoors” With Release of iOS 8

Apple announced on Wednesday the availability of iOS 8, the eighth major release of iOS. The latest version of the mobile operating system comes with fixes for more than 50 security vulnerabilities.

iOS 8 contains security fixes for 802.1X, accounts, accessibility, the address book, app installation, assets, Bluetooth, the Core Graphics framework, data detectors, the lock screen, iMessage, IOAcceleratorFamily, IOHIDFamily, IOKit, the kernel, mail, profiles, Safari, WebKit, WiFi and other features.

The vulnerabilities can be exploited for arbitrary code execution, denial-of-service (DoS), data theft, privilege escalation, and other types of attacks. Most of the flaws were reported this year, but some had been discovered in previous years.

In a note at the bottom of its security advisory for iOS 8, Apple revealed that it has made some changes to diagnostic capabilities. A closer look reveals that the update actually addresses security concerns brought to light earlier this year by Jonathan Zdziarski, an expert in iOS security and forensics.

The researcher reported in July that several undocumented forensics services running on iOS devices could be leveraged as attack points and surveillance mechanisms. Apple denied at the time creating backdoors as part of a collaboration with government agencies.

“We have designed iOS so that its diagnostics functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple said at the time. “A user must have unlocked their device and agreed to trust another computer before that computer is able to access the limited diagnostics data. The user must agree to share this information, and data is never transferred without their consent.”

With the release of iOS 8, the company made some further security improvements to these services. However, it hasn’t provided any details on the fixes and it hasn’t credited Zdziarski for bringing the issues to its attention.

In an open letter to CEO Tim Cook and Apple’s Security Team, the researcher says he is disappointed that the company “swept” many of the issues he described in his research papers “under the rug.” Apple has only given him credit for an address book issue.

“Apple’s code fixes can be clearly observed right in the iOS 8 firmware, and yet there is not a single mention of them in the release notes, nor any acknowledgments for the researcher. If there is any ethical practice to be expected in information security – or science of any kind for that matter – it is to properly acknowledge those whose research you’ve consumed,” Zdziarski wrote in his letter. “In many settings, failure to do so is considered plagiarism. My name somehow made it into the iOS 8 notes for some obscure address book encryption issue that I don’t recall even reporting… yet there has been no mention of the more serious issues being fixed, or ever existing.”

The researcher has published a blog post detailing the surveillance and forensics vulnerabilities addressed by Apple with the release of iOS 8.

Following the recent iCloud hacking scandal, in which the private photographs of several celebrities were exposed, Apple promised to implement additional security measures to protect its customers. With the release of iOS 8, the company also reviewed its customer privacy policy, and Cook published a message about Apple’s commitment to user privacy.

“Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay. And we continue to make improvements. Two-step verification, which we encourage all our customers to use, in addition to protecting your Apple ID account information, now also protects all of the data you store and keep up to date with iCloud,” Cook said.

In addition, he once again reassured customers that Apple has never worked with any government agency from any country to create backdoors in products or services.

“We have also never allowed access to our servers. And we never will,” Cook noted.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
