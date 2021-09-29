Researcher Denis Tokarev identified several iOS security holes and informed Apple, but it remained unanswered for months. After the operating system’s security weaknesses were made public, Big Tech apologized to the researcher and said it is still investigating the reports.

Tokarev, who uses the pseudonym illusionofchaos, said he reported four vulnerabilities between March 10 and May 4 this year to the company. However, three of the sensitivities are still present on iOS 15.

One of the security holes was fixed in iOS 14.7 on July 21st, but Apple didn’t list it on their security content page. A day later, the researcher questioned his credit for the discovery and got the answer that the information would be included in the next update of the operating system.

However, new iOS versions were released on July 26 (14.7.1), September 13 (14.8) and September 20 (15.0), all without mentioning the vulnerability. Last Thursday (24), Torakev decided to make the weaknesses public. Exactly 24 hours later, Apple sent an apology message.

Insecurity in the App Store

iOS 15, released in September, contains security holes reported to Apple in March. (Source: illusionofchaos/Reproduction)Source: illusionofchaos/Reproduction

The researcher argues that the vulnerabilities make it possible for malware to bypass the initial code evaluation of apps that want to be included in the App Store. He argues that the app store isn’t as secure as it sounds.

To evaluate new apps, Torakev explains that he performs a static analysis of the command lines. However, the security filter can be easily bypassed by functions that allow loading dynamic libraries.

This would allow, for example, that “the government of a country where homosexuality is punishable by death and has an official app in the App Store used by the majority of citizens” to reach people based on their sexual orientation by checking that Grindr is installed on the device from malicious codes hidden in the official app, says the researcher.