An NC State-led group of researchers discovered vulnerabilities in the iPhone and iPad operating system that could expose users’ personal information. The group has notified Apple, and some of the issues will be fixed in iOS 10, Apple’s upcoming mobile operating system.
The group found that third-party apps could potentially read system files of other apps whose information should be private.
Luke Deshotels, a doctoral student studying computer science, led the team.
“Every application is locked into its own little area, and it’s not supposed to be able to cause any harm to things outside of that. That’s what stops an app from reading system files from some other app,” Deshotels said. “What we realized is, sure, we can’t get into the other apps, but we can read a bunch of shared system files.”
This means that a third-party app could potentially read the address book of another app, gaining access to people’s personal information and harming their security.
The team created its own app to carry out an attack on the system, confirming the reality of the issue.
“When we were looking through the findings of our [app], it had a bunch of files that I had to confirm sensitive data,” Deshotels said. “One of those files I opened up and started reading, and I saw an address that looked very familiar. When I googled it, I saw that it was one of my friend’s street addresses.”
Any application could have read that data, and that private information could have potentially been leaked, according to Deshotels.
William Enck, co-author of the report about the iOS system vulnerabilities and Deshotels’ adviser, said that the research team didn’t know of anybody who had exploited this maliciously.
While most of these vulnerabilities will be fixed in iOS 10, some may take more time and effort to fix.
“Some of the vulnerabilities were easy fixes, maybe some lines in policy had to be changed to fix the problem,” Enck said. “Some of them were deeper. They had to change the way that the code was distributed in different system processes, and that’s a more time-consuming process because they have to think very carefully about how to re-architect the security mechanisms.”
Repairs to the operating system could damage the functionality of the iOS system, causing many applications to stop working. Because of this, the fixes will take more time and won’t be done for a while.
Deshotels explained more about a specific attack that can be carried out because of this vulnerability, which involves writing a huge amount of data into a system file.
“If you do that, the phone will run out of storage space, and you won’t be able to do anything,” Deshotels said. “You can’t take another photo or download another app because you don’t have any disk space left. The only way to fix that is to erase all user content in settings, but if you do that you lose all your data.”
Deshotels recommends that users back up their data on a regular basis to ensure that they can retrieve any information they might lose if something like this does happen.
The report will be presented in October at the Association for Computing Machinery Conference on Computer and Communications Security in Vienna, Austria.