iOS 10 Security Updates Move to HTTPS

Type threatpost
Reporter Michael Mimoso
Modified 2016-09-13T19:21:43


Apple has finally moved its iOS security update mechanism to HTTPS with today’s release of iOS 10.

Previously, updates were sent to devices over HTTP and attackers already present on a network could potentially intercept and manipulate updates.

“An issue existed in iOS updates, which did not properly secure user communications. This issue was addressed by using HTTPS for software updates,” Apple said in its advisory, adding that a man-in-the-middle attacker could block devices from receiving updates.

The change addressed one of seven vulnerabilities patched in iOS 10, a major update for the mobile operating system. In the early hours of the update, users were also reporting installation issues that were putting devices into recovery mode, according to MacRumors. Apple later conceded there was an issue with the update process, and that a small number of users were affected before it was fixed.

Apple patched a potentially serious issue in the native iOS Mail application where an attacker on the network could steal email credentials.

“An issue existed when handling untrusted certificates,” Apple said. “This was addressed by terminating untrusted connections.”

Apple also patched a privacy issue in its new Messages framework for iOS 10 and earlier for iPhones and iPads where messages could be read on a device that is not signed in. Apple said the issue was in the use of Handoff for Messages, and was resolved through better state management. Handoff ensures syncing and continuity between iOS devices.

Apple also resolved an issue where malicious applications could be used to determine who a device owner is texting.

“An access control issue existed in SMS draft directories,” Apple said. “This issue was addressed by preventing apps from stat’ing the affected directories.”

Apple also patched a vulnerability in the iOS keyboard where the keyboard was caching sensitive information and revealing it in auto-correct suggestions.

Apple also addressed a bug in GeoServices that could allow apps to read location information because of a permissions issue in PlaceData.