Apple runs a very tight ship and, like it or not, iOS is considered one of the most secure platforms in the mainstream consumer market. That’s not to say it has no security holes, and some that slip through the cracks have been around for years. One such hole would let an attacker “search” for something in the Contacts app to execute arbitrary code, and researchers are pointing to Apple’s oversight as the reason this bug has existed for four years.
To be fair, the bug isn’t in Apple’s code per se. It’s actually in SQLite, one of the standard “lite” databases used across the industry, especially in mobile platforms like Android and iOS. The bug let remote attackers run arbitrary code or DoS an app by simply issuing an SQL query, such as a search.
The bug was reported back in 2015 against both Mac OS X and iOS but has remained unfixed on the iOS side. According to the security researchers at Check Point, that is simply because Apple didn’t deem it critical enough, since it required that an untrusted app get access to iOS’ SQLite database. And on iOS, no app is really untrusted.
The problem is that there are other vulnerabilities and hacks that could make even a trusted app behave erratically. In the researchers’ case, they modified Apple’s own iOS Contacts app so that entering commands when searching for contacts could crash the app or do other unintended things, like stealing passwords.
The caveat here is that hackers would need to have access to an unlocked iPhone or iPad to modify the Contacts app and set off the chain of events. It’s not a safety net, though, because bugs and vulnerabilities rarely execute in isolation. All it takes is a different, sometimes unrelated bug to modify the Contacts app from afar.