Contacts App in iOS Vulnerable to SQLite Hack

Although iOS is the most secure platform in the mainstream consumer market, that does not mean it is free of security vulnerabilities, and some vulnerabilities have existed for years. Recently, security researchers at the Def Con 2019 security conference exploited a vulnerability that Apple hasn’t fixed in four years to hack the Apple Contacts app and produce malicious results.

In fact, this vulnerability is not caused by Apple’s code but by a security flaw in SQLite, the free open-source database software that Apple was using. SQLite is the most commonly used database engine in the world. Major operating systems and browsers, including Windows, Android, Chrome, macOS, iOS, Firefox, and Safari, use SQLite. This bug allows attackers to remotely control and run arbitrary code in applications, or subject them to denial of service (DoS), by issuing simple SQL queries.

There were reports about this bug in Mac OS X and iOS in 2015, but Apple still hasn’t fixed it. According to Check Point security researchers, Apple doesn’t think the problem is serious enough to force them to abandon the SQLite database security on iOS because it is supposed to be triggered only by unknown applications accessing the database, and there are no such unknown applications in closed systems like iOS.

But the problem is that hackers can use other vulnerabilities to make normally trusted software go awry. In the case cited by the researchers, hackers modified Apple’s iOS Contacts app and could then crash the app or force it to perform other unexpected operations, such as stealing passwords, when users performed actions such as searching for contacts.

So, we can see that Apple devices, which are committed to users’ privacy and security, are also vulnerable to hacking. Why don’t you pay more attention to your personal security on the Internet? Let’s start with a VPN to surf the Internet. Try ! You deserve more protection for your private information.
