Apple has finally moved its iOS security update mechanism to HTTPS with today’s release of iOS 10.
Previously, updates were sent to devices over HTTP and attackers already present on a network could potentially intercept and manipulate updates.
September 13, 2016 , 9:14 am
September 7, 2016 , 12:55 pm
September 2, 2016 , 10:00 am
“An issue existed in iOS updates, which did not properly secure user communications. This issue was addressed by using HTTPS for software updates,” Apple said in its advisory, adding that a man-in-the-middle attacker could block devices from receiving updates.
The change was one of seven vulnerabilities patched in iOS 10, a major update for the mobile operating system. In the early hours of the update, users were also reporting issues with the installation that was putting devices in recovery mode, according to MacRumors. Apple later conceded there was an issue with the update process, and that a small number of users were affected before it was fixed.
Apple patched a potentially serious issue in the native iOS Mail application where an attacker on the network could steal email credentials.
“An issue existed when handling untrusted certificates,” Apple said. “This was addressed by terminating untrusted connections.”
Apple also patched a privacy issue in its new Messages framework for iOS 10 and earlier for iPhones and iPads where messages could be read on a device that is not signed in. Apple said the issue was in the use of Handoff for Messages, and was resolved through better state management. Handoff ensures syncing and continuity between iOS devices.
Apple also resolved an issue where malicious applications could be used to determine who a device owner is texting.
“An access control issue existed in SMS draft directories,” Apple said. “This issue was addressed by preventing apps from stat’ing the affected directories.”
Apple also patched a vulnerability in the iOS keyboard where the keyboard was caching sensitive information and revealing it in auto-correct suggestions.
A bug in GeoServices was also addressed that could allow apps to read location information because of a permissions issue in PlaceData.