At a recent Def Con 2019 security conference, researchers revealed that the Contacts app that comes with Apple’s iOS system is vulnerable to database vulnerabilities. It is not the problem that Apple has caused during the development process, but the security vulnerability of open-source free database software used by Apple. This open-source free database software is SQLite, which was discovered several years ago but this vulnerability has not been fixed until now.
SQLite is the most widely used data engine in the world, and it can be used on both desktop and mobile platforms. For example, Windows 10, Google Chrome, Firefox, Android, etc. use this database, which shows that the software is widely used. Four years ago, the database engine was found to have a security vulnerability, but the assessment at the time was that the vulnerability was only an attack but not a critical vulnerability. So until now, this security vulnerability has not been fixed, this iOS system comes with the address book software attack process is also exploiting this vulnerability.
Vulnerabilities can be triggered by sending a specific code to a trusted application during a security company test and then directly replacing the address book that came with the system. In fact, Apple has a strict signature verification process in the iOS system development process, and components that are not signed during the startup process cannot be automatically executed.
“Wait, what? How come a four-year-old bug has never been fixed?” write the researchers in their document. “This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios.” “Persistency [keeping the code on the device after a restart] is hard to achieve on iOS,” they said, “as all executable files must be signed as part of Apple’s Secure Boot. Luckily for us, SQLite databases are not signed.”
The impact of this vulnerability is relatively large, but the device must be unlocked before it can launch an attack, so it is difficult for an attacker to want to silently attack. Of course, even there are potential security risks, so security company CheckPoint has reported the vulnerability to SQLite and Apple.