Apple announced on Wednesday the availability of iOS 8, the eighth major release of iOS. The latest version of the mobile operating system comes with fixes for more than 50 security vulnerabilities.
iOS 8 contains security fixes for 802.1X, accounts, accessibility, the address book, app installation, assets, Bluetooth, the Core Graphics framework, data detectors, the lock screen, iMessage, IOAcceleratorFamily, IOHIDFamily, IOKit, the kernel, mail, profiles, Safari, Webkit, WiFi and other features.
The vulnerabilities can be exploited for arbitrary code execution, denial-of-service (DoS), data theft, privilege escalation, and other types of attacks. Most of the flaws were reported this year, but some had been discovered in previous years.
In a note at the bottom of its security advisory for iOS 8, Apple revealed that it has made some changes to diagnostic capabilities. A closer look reveals that the update actually addresses security concerns brought to light earlier this year by Jonathan Zdziarski, an expert in iOS security and forensics.
The researcher reported in July that several undocumented forensics services running on iOS devices could be leveraged as attack points and surveillance mechanisms. Apple denied at the time creating backdoors as part of a collaboration with government agencies.
“We have designed iOS so that its diagnostics functions do not compromise user privacy and security, but still provides needed information to enterprise IT departments, developers and Apple for troubleshooting technical issues,” Apple said at the time. “A user must have unlocked their device and agreed to trust another computer before that computer is able to access the limited diagnostics data. The user must agree to share this information, and data is never transferred without their consent.”
With the release of iOS 8, the company made some further security improvements to these services. However, it hasn’t provided any details on the fixes and it hasn’t credited Zdziarski for bringing the issues to its attention.
In an open letter to CEO Tim Cook and Apple’s Security Team, the researcher says he is disappointed that the company “swept” many of the issues he described in his research papers “under the rug.” Apple has only given him credit for an address book issue.
“Apple’s code fixes can be clearly observed right in the iOS 8 firmware, and yet there is not a single mention of them in the release notes, nor any acknowledgments for the researcher. If there is any ethical practice to be expected in information security – or science of any kind for that matter – it is to properly acknowledge those who’s research you’ve consumed,” Zdziarski wrote in his letter. “In many settings, failure to do so is considered plagiarism. My name somehow made it into the iOS 8 notes for some obscure address book encryption issue that I don’t recall even reporting… yet there has been no mention of the more serious issues being fixed, or ever existing.”
The researcher has published a blog post detailing the surveillance and forensics vulnerabilities addressed by Apple with the release of iOS 8.
“Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay. And we continue to make improvements. Two-step verification, which we encourage all our customers to use, in addition to protecting your Apple ID account information, now also protects all of the data you store and keep up to date with iCloud,” Cook said.
In addition, he once again reassured customers that Apple has never worked with any government agency from any country to create backdoors in products or services.
“We have also never allowed access to our servers. And we never will,” Cook noted.