back to article Ins0mnia bug means malicious iOS apps WILL NEVER DIE

A newly discovered vulnerability allows an iOS application to continue to run for an unlimited amount of time, even if an application gets terminated by a user. The flaw – dubbed Ins0mnia – potentially allows any iOS application to bypass Apple background restrictions, security researchers at FireEye warn. FireEye notified …

  1. PassiveSmoking

    As this shows, no OS is immune from bugs and security flaws that might get abused.

    And it also shows that Apple's approach is superior to Android's, as they've managed to get a fix out to all devices capable of running the current version, and even without the fix it's still quite difficult to get a malicious app out to users unless they've jail broken the device.

    Meanwhile in Android land, fast swathes of devices are running insecure versions of the OS and will never be updated because even if they're capable of supporting a current version of Android it's impossible for Google to force OTA patches out due to all the crapware and skins and other nonsense that OEMs put on top of android in an attempt to make their android device somehow different or better than every other android device. Meanwhile the phone retailers would rather you buy a new device rather than be able to patch your current one to a more up to date and secure version of android.

    1. graeme leggett Silver badge

      limited support

      "out to all devices capable of running the current version"

      And if your device doesn't support the current version?

      Although Apple has greater control over the hardware /software I was under the impression that in the past it was a swift to leave older kit unsupported as quickly as any disposable android device seller.

      Perhaps actual data shows a different story.

      1. Anonymous Coward
        Anonymous Coward

        Re: limited support

        Malware that asks for permission? How lovely :-p Seriously though, how many users kill the app from the app switcher to turn off background location updates, my guess is none.

        1. Ed

          Re: limited support

          I see a remarkable number of people compulsively quitting apps using the app switcher every time they leave one.

        2. Anonymous Coward
          Anonymous Coward

          Re: limited support

          Malware that asks for permission? How lovely :-p

          On iOS it has no choice. An App will quite happily install without permissions, but it will not be granted access to what Apple considers protected resources such as calendar, camera, microphone and a host of others without getting explicit permission from the user to do so.

          On Android, that is one question which is easily agreed to because otherwise the App doesn't install (so users are used to just click through it), on iOS it sometimes gets a bit tedious because each resource has to be agreed to in turn but I prefer that - also because I can withdraw specific permissions later. I can stop apps from geolocating, and I can stop applications from getting to my address book, even retrospectively, without them stopping to work (I don't use WhatsApp, because that doesn't even start up unless it has permission to stick its grubby paws in my contacts - not a chance).

          Seriously though, how many users kill the app from the app switcher to turn off background location updates, my guess is none.

          I do, but I would be the first to agree with you that that is unusual. Most people never come near the settings unless something doesn't work.

          I'm a bit surprised that there aren't any Android cleanup programs yet from a trustworthy source (OK, I guess that the first challenge :) ). I would have thought that is as wide open a market as anti-virus is for PCs running Windows, even if it is just controlling resource access rather than doing a full malware scan. I may have missed those, though, don't use Android much.

      2. Anonymous Coward
        Anonymous Coward

        Re: limited support

        "I was under the impression that in the past it was a swift to leave older kit unsupported as quickly as any disposable android device seller"

        Genuinely don't know where you picked that up from, but it appears to be another internet meme. They currently support iOS 8 and devices up the iPhone 4S, though they have been known to patch older OSs.

        1. graeme leggett Silver badge

          Re: limited support

          So 4 years back - doesn't sound too bad.

          I think my experience was coloured by iphone 3G which only got support to 2011 (roughly 3 years from launch)

        2. Cynical Shopper

          Re: limited support

          "They currently support iOS 8 and devices up the iPhone 4S."

          Yep - they "support" them until they're unusable: iOS 7 killed my iPhone 4. Patched iOS 6 would've been more sensible, but then I wouldn't have needed to get a new phone!

      3. Mike Moyle

        Re: limited support

        IOS 8.4.1 is listed as supporting devices back to iPhone 4S (Oct. 2011) and iPad 2 (March 2011). Not sure how that compares with Android devices overall, but seems better than some (admittedly, not top-of-the-line) Andy-phones I've owned. As another poster commented, however, that may say less about Android's inherent ability to run on older hardware and more about the cellos' desire to get users to extend their contracts to get a new, allegedly more capable, phone.

      4. Chris 3

        Re: limited support

        I would *hope* that Apple would check and pull any apps from the Store that use this exploit.

        1. Anonymous Coward
          Anonymous Coward

          Re: limited support

          I would *hope* that Apple would check and pull any apps from the Store that use this exploit.

          Assuming any made it through the checking process to start with, of course. At least this is a security problem that has already been patched.

      5. Anonymous Coward
        Anonymous Coward

        @graeme leggett

        The iPhone 4 is restricted to iOS 7, but it was introduced five years ago. Even then, if Apple feels it is a serious hole they may add the fix to an earlier version, as they did with the "goto fail" bug with an out of band patch for iOS 6 in March 2014, nearly SIX years after the 3gs that was affected was released. I don't think this particular bug rises to that level.

        No one supports operating systems forever, the five years of support Apple seems to provide for iPhone is pretty darn good - way better than Google or Microsoft.

        1. Anonymous Coward
          Anonymous Coward

          Re: @graeme leggett

          "No one supports operating systems forever, the five years of support Apple seems to provide for iPhone is pretty darn good - way better than Google or Microsoft."

          Think that needs to be qualified as 'phone operating system' given eg windows server 2003 got 12 years.

          1. Anonymous Coward
            Anonymous Coward

            Re: @graeme leggett

            Yes, you're correct, and IBM supports mainframe operating systems even longer.

            Obviously I was talking about mobile OSes, and the shorter life for a mobile operating system makes sense since it isn't enterprise critical like a server and the typical replacement cycle of a phone is 2.5x faster than a server (2 years versus 5 years)

    2. Anonymous Coward
      Anonymous Coward

      "Meanwhile the phone retailers would rather you buy a new device rather than be able to patch your current one"

      Didn't you get the memo? Buying ever more crap that we don't need is what keeps the economy running.

      Economic growth! Profit!

      We'll just ignore the problem of manufacturing pollution and electronic waste in landfill, hopefully it'll go away ... in a few thousand years time.

      1. PassiveSmoking

        The iPhone 4s is 2 years old and still supported even though Apple don't sell it any more.

        The Galaxy Note 8 tablet is still manufactured by Samsung but mine is still stuck on Android 4.4 and hasn't received an OTA update in months.

        Who is the company that abandons products after only a few months on the market, again?

  2. Anonymous Coward
    Unhappy

    Does it matter?

    Except for my old Nokia phones (personal) and a Motorola StarTac (work), I've yet to have a cell phone outlive its contract.

    1. PassiveSmoking

      Re: Does it matter?

      You should probably stop trying to flush them down the toilet, then.

    2. Anonymous Coward
      Anonymous Coward

      Re: Does it matter?

      Except for my old Nokia phones (personal) and a Motorola StarTac (work), I've yet to have a cell phone outlive its contract.

      Hmm, I have two Motorola v3i right here on my desk which still work quite happily. They did need a new battery, but so far I have yet to come across a better physical design (provided you have the later version with matte keyboard). Maybe you should just take a little bit more care of your hardware?

    3. James O'Shea

      Re: Does it matter?

      Hmm. I've had old flip-phones last more than five years. Also, my ancient Samsung Omnia would be able to work today (it turns on...) except that it was a Verizon device and there is no way that I am ever going to go anywhere near Verizon ever again. For one thing, it's still locked to Verizon as Veriscum refuses to unlock phones, even out of contract. (Or at least they refused back when I was a Veriscum victim, they may have changed lately. Doubt it, though. I hate Sprint, but they're not a bad as Verizon.)

      Anyone want an old WinPhone 6 Omnia, still in working order, still tied to Veriscum? Going cheap...

      1. Steve Davies 3 Silver badge

        Re: Does it matter?

        Aren't that a load of small shops in the USA running phone unlocking services? There is at least one in any half decent sized town here in the UK?

        Pay a few bucks and you have it unlocked.

        Have you even search on this wonderful thing called the Internet? A search for "Verizon Omnia 6 unlocking" seems to return a lot of information. Don't know how much is relevant though? Only you can tell?

        Anyway did't some legal ruling the US force the carriers into unlocking phones?

        http://www.cnet.com/news/new-regulation-requires-us-carriers-to-unlock-user-phones/

      2. Charles 9

        Re: Does it matter?

        "Hmm. I've had old flip-phones last more than five years. Also, my ancient Samsung Omnia would be able to work today (it turns on...) except that it was a Verizon device and there is no way that I am ever going to go anywhere near Verizon ever again. For one thing, it's still locked to Verizon as Veriscum refuses to unlock phones, even out of contract. (Or at least they refused back when I was a Veriscum victim, they may have changed lately. Doubt it, though. I hate Sprint, but they're not a bad as Verizon.)"

        There's a reason for that. Pre-LTE Verizon phones were CDMA which were not interchangeable between carriers (mostly due to design limitations; CDMA phones could only tune in on that carrier's frequencies).

        "Anyway did't some legal ruling the US force the carriers into unlocking phones?"

        That ruling can only apply to GSM and LTE phones (both of which use SIMs) which are designed around interchangeability. That basically means AT&T, T-Mobile, MetroPCS, (LTE) Verizon phones, and any MVNOs using them as a backhaul. Sprint doesn't count because its pre-LTE phones were CDMA and its LTE phones use TDM (all the others use FDM) which IINM isn't as well supported.

  3. F0rdPrefect
    FAIL

    They've got to be kidding!

    "A music app may have legitimate reason to ask permission to access GPS location and microphone while working on the foreground"

    For what earthly reason would I want a music app to have access to my GPS location at any time?

    And I'm struggling to think of a reason for the microphone.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like