Apple is in a constant battle to keep the iOS platform secure, and it has made a mistake that has blown open the entire platform. This weekend it was revealed that Apple has been sloppy: the patch for a previously fixed vulnerability was undone in the move to iOS 12.4, so it is possible for an iPhone running the very latest version of iOS to run unsigned code.
That could be an intentional choice by customers wanting to access alternate app stores, or access features not usually exposed (a classic jailbreak), but it’s more likely to be used maliciously, for example using a bug in another application that allows code to be run remotely on any updated iPhone.
It can be said that this is a big mistake by Apple, but there are some limitations to note. To start with, the vulnerability does not affect hardware running the A12 system on a chip: the iPhone X is impacted, but not the iPhone XR, XS, or XS Max. Sadly, Apple has never released sales figures for the newer handsets, so how many customers are protected by the newer hardware is not known.
You also need to have iOS 12.4 installed. This is one moment in time where Apple’s capacity to shift its user base to the latest version of the mobile operating system is not helpful (though it is going to be helpful when the presumptively named iOS 12.4.1 patch is rolled out). Unfortunately, Apple has pulled iOS 12.2 and 12.3 from its servers and revoked their signatures, so there isn’t a choice but to update to 12.4.
And for individuals who jailbreak their devices for their own use, there might be ongoing issues if they use Apple’s online services, which will no doubt be double-checking the devices that connect to them.
Given that Apple was made aware of this bug over 100 days ago by Google’s Project Zero team, there’s a good chance that elements not friendly to Apple’s ethos of consumer security are aware of the problem and potentially using it quietly in the background. In the meantime, if you’re on iOS 12.3, don’t upgrade to 12.4, to stay protected over the following days.
Apple’s PR team has been approached for comment. Presumably, the development staff is working to roll out iOS 12.4.1, which will reapply the patch, now that the horse has bolted.