How Safari and iMessage have made iPhones less secure

The headline seemed sensationalistic; I started reading filled with skepticism. That said, I did find the article well written and full of interesting detail.

A few examples:

Apple requires that all iOS web browsers—Chrome, Firefox, Brave, or any other—be built on the same WebKit engine that Safari uses. “Basically it’s just like running Safari with a different user interface,” Henze says. Apple demands browsers use WebKit, Henze says, because the complexity of running websites’ JavaScript requires browsers to use a technique called just-in-time (or JIT) compilation as a time-saving trick. While programs that run on an iOS device generally need to be cryptographically signed by Apple or an approved developer, a browser’s JIT speed optimization doesn’t include that safeguard.

As a result, Apple has insisted that only its own WebKit engine be allowed to handle that unsigned code. “They trust their own stuff more,” Henze says. “And if they make an exception for Chrome, they have to make an exception for everyone.”

The point being made here is that Apple bottlenecks all browser activity through WebKit. To me, this seems a solid approach, as long as WebKit is bulletproof.
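The mechanism behind that quoted passage is easy to see in a few lines, so here is an added example (my own code, not from the Wired article or the blog post). It is a minimal just-in-time compiler: it asks the kernel for a writable page, copies hand-assembled machine code for `a + b` into it, flips the page to executable and calls it. The instructions that run never existed in any signed binary, so a code-signing check at load time has nothing to say about them; that is why Apple only lets WebKit's process flip a page from writable to executable. The example assumes Linux or macOS on x86-64 or AArch64 and the usual SysV / AAPCS64 calling conventions; the function and type names (`jit_add`, `ADD_CODE`, `add_fn`) are mine.

```c
/* Added example: minimal JIT showing why runtime-generated code sits outside
 * code signing. Assumes Linux or macOS on x86-64 or AArch64. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*add_fn)(int, int);

/* Machine code for "int add(int a, int b) { return a + b; }".
 * SysV x86-64: args in edi/esi, result in eax. AAPCS64: args in w0/w1, result in w0. */
#if defined(__x86_64__)
static const uint8_t ADD_CODE[] = {
    0x8D, 0x04, 0x37,        /* lea eax, [rdi+rsi] */
    0xC3                     /* ret */
};
#elif defined(__aarch64__)
static const uint8_t ADD_CODE[] = {
    0x00, 0x00, 0x01, 0x0B,  /* add w0, w0, w1 (0x0B010000, little-endian) */
    0xC0, 0x03, 0x5F, 0xD6   /* ret          (0xD65F03C0) */
};
#else
#error "example covers x86-64 and AArch64 only"
#endif

/* Emit ADD_CODE into a fresh page, run it on (a, b), release the page.
 * Returns 1 and stores the result in *out, or 0 if the page could not be
 * made executable (e.g. a process that is not allowed to create unsigned
 * executable memory, which is the iOS situation for non-WebKit apps). */
int jit_add(int a, int b, int *out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);

    /* 1. Writable but not executable: W^X means never both at the same time. */
    uint8_t *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return 0;

    /* 2. Write the generated instructions. Nothing checks a signature here. */
    memcpy(mem, ADD_CODE, sizeof ADD_CODE);

    /* 3. Drop write, add execute. This is the step a dynamic-codesigning
     *    entitlement gates on iOS. */
    if (mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, page);
        return 0;
    }
    /* Required on AArch64 (separate I/D caches); harmless on x86-64. */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof ADD_CODE);

    /* 4. Call the bytes as a function. memcpy avoids the object->function
     *    pointer cast that strict compilers warn about. */
    add_fn fn;
    memcpy(&fn, &mem, sizeof fn);
    *out = fn(a, b);

    munmap(mem, page);
    return 1;
}

int main(void)
{
    int r;
    if (!jit_add(2, 40, &r)) {
        fprintf(stderr, "could not map executable memory in this process\n");
        return 1;
    }
    printf("jit add(2, 40) = %d\n", r);
    return 0;
}
```

The interesting line is the `mprotect` call: on a normal process it succeeds, and from that point the kernel is executing bytes that were just written by the program itself. A mitigation that trusts only signed pages has to either forbid that transition (what iOS does for third-party apps) or trust the component allowed to perform it (what iOS does for WebKit), which is the trade-off the article is describing.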

The problem with making WebKit mandatory, according to security researchers, is that Apple’s browser engine is in some respects less secure than Chrome’s.

There’s the rub, if that’s truly the case. It seems to me that, no matter the choice Apple makes here, there will be security holes. The key is how quickly Apple responds to identified flaws. My (possibly uninformed) sense is that Apple closes loopholes before they become widely known, or quickly issues a patch if exploits do become public.

As to Messages:

Hackable flaws in iMessage are far rarer than those in WebKit. But they’re also far more powerful, given that they can be used as the first step in a hacking technique that takes over a target phone with no user interaction. So it was all the more surprising last month to see Natalie Silvanovich, a researcher with Google’s Project Zero team, expose an entire collection of previously unknown flaws in iMessage that could be used to enable remote, zero-click takeovers of iPhones.

Read Apple’s reply to the Project Zero accusations.

More disturbing than the existence of those individual bugs was that they all stemmed from the same security issue: iMessage exposes to attackers its “unserializer,” a component that essentially unpacks different types of data sent to the device via iMessage.

All very interesting. I’m betting that Apple is working hard to identify and fix attack vectors in WebKit and better sandbox Messages. I think it’s a safe bet that none of this information is new to Apple.