The claim was made by a Russian company, Elcomsoft after iOS mobile app security testing. The vulnerability in iOS security is said to be found in the backup data mechanism of iOS 10, which can be easily exploited by password cracking tools and iOS mobile app security testing. It can let hackers crack PC or Mac backup passwords 2500 times faster than it could do so before.
In a company blog of Elcomsoft, researcher Oleg Afonin explained the attack and said:
“This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before. The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups.”
The researchers explained that when a backup from iOS 10 is saved via iTunes to a Mac or PC, password cracking tools can conduct brute-force attacks at a rate of 6,000,000/sec. Once the hackers are successful in their attempt to crack a password, they can decrypt the entire backup content along with the keychain.
Apple has declared that it is working on coming up with an iOS security update for this issue and has advised its users to meanwhile use strong passwords and encrypt data with FileVault.
Contrary to the belief that iOS is immune to malware threats, security experts say that iOS security has failed before as well with malwares successfully infecting iPhones throughout the world. Two out of top 10 worldwide mobile malwares in the first six months of 2016 were AceDeceiver and XcodeGhost, and these were iOS based malware.
Will an iOS security update be enough to fix the vulnerability?
Well, no. The security experts believe that a routine security update may not be enough to address the issue completely because of the complexity in the software systems. Elcomsoft believes that Apple may need to come up with an iTunes update and make changes to its backup format, along with the security update, to fix the issue. How long would it take Apple to deliver a patching solution for fixing the flaw is still not clear though.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For iOS mobile app security testing try out Codified Security.