Apple Fixes Security Flaw in iOS 9.3
At today's "Let us loop you in" event at Apple's headquarters in California, Apple released an updated version of their mobile device, called the iPhone SE. It returns to the 4" size of previous versions of the iPhone but with a similar processor to the iPhone 6, including Touch ID, NFC (for Apple Pay) and Live Photos, a feature which records a brief segment of video before and after the photo is taken, for a truly Harry Potter experience. Along with the newly released iPhone SE came a smaller version of the iPad Pro, at the same size as existing iPads but with the same processor and technology.
The event started off with CEO Tim Cook addressing the ongoing issue with the FBI, saying that:
We built the iPhone for you, our customers. And we know it is a deeply personal device. We did not expect to be in this position at odds with our own government. But we believe strongly that we have a responsibility to help you protect your data and protect your privacy. We owe it to our customers and we owe it to our country. This is an issue that impacts all of us.
The event continued with the reveal of iOS 9.3, which has been in development for months and has already been in use by beta testers. New features include a "night shift" mode, which dims the screen's backlight and reduces the blue component of the display, cutting the light levels and colours that are potentially detrimental to sleep.
This version of iOS is also said to fix an iMessage bug recently uncovered by researchers at Johns Hopkins, according to the Washington Post. Attachments to iMessages (such as photos and videos) are stored as separate blobs and are encrypted with a particular key before the data is sent to Apple's servers. By emulating an iMessage server and interacting with the responses, the attackers were able to brute-force each individual digit of the key used, potentially using a timing attack based on how long each response takes. Changes in validation against the iMessage servers have reduced the probability of iMessages or attachments being intercepted, and iOS 9.3's security update states that "A cryptographic issue was addressed by rejecting duplicate messages on the client." Notably, there are also several fixes for the HTTP stack as well as the kernel, some of which address issues with the potential for remote code execution, so updating to the latest iOS version is recommended after testing and backing up.
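To make the quoted fix concrete, here is a sketch of client-side duplicate rejection. It is an added example, not Apple's code; the `Envelope` layout (a per-message wrapped key plus an encrypted body), the class and function names, and the sample bytes are all assumptions constructed for illustration.

```python
import hashlib
from collections import OrderedDict
from typing import NamedTuple


class Envelope(NamedTuple):
    """Constructed message layout (an assumption, not Apple's wire format)."""
    wrapped_key: bytes   # per-message key, encrypted to the recipient
    body: bytes          # payload encrypted under that per-message key


class DuplicateFilter:
    """Bounded record of wrapped keys this client has already processed."""

    def __init__(self, capacity: int = 4096):
        self.capacity = capacity
        self._seen = OrderedDict()   # digest -> None, oldest entry first

    def first_time(self, env: Envelope) -> bool:
        # Key the record on the wrapped key alone: a legitimate sender wraps
        # a fresh key for every message, so a repeat is never expected, even
        # when the body bytes differ from the earlier delivery.
        digest = hashlib.sha256(env.wrapped_key).digest()
        if digest in self._seen:
            self._seen.move_to_end(digest)
            return False
        self._seen[digest] = None
        if len(self._seen) > self.capacity:
            self._seen.popitem(last=False)   # evict the oldest entry
        return True


def receive(filt: DuplicateFilter, env: Envelope, decrypt) -> str:
    """Drop duplicates before any decryption work is done on them."""
    if not filt.first_time(env):
        return "rejected-duplicate"
    decrypt(env)                     # hypothetical decryption callback
    return "processed"


def demo():
    calls = []                       # stands in for real decryption work
    filt = DuplicateFilter(capacity=2)
    original = Envelope(b"constructed-wrapped-key-1", b"constructed-body")
    altered = Envelope(b"constructed-wrapped-key-1", b"constructed-bodY")
    fresh = Envelope(b"constructed-wrapped-key-2", b"constructed-body")
    sequence = (original, original, altered, fresh)
    return [receive(filt, e, calls.append) for e in sequence], len(calls)
```

The cache is bounded, so an entry evicted under load would be accepted again; a real client has to size or persist the record to cover the period in which a resubmission is plausible.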
Apple and the FBI are in court tomorrow with further updates of the government order covered previously on InfoQ. Further updates will be added as they become available.