Thu 2019-05-23 06:14:40 -0400
The WhatsApp security breach did not break the iOS sandbox but only allowed the attacker access to whatever WhatsApp had access to.
As reported earlier in the New York Times, there was a security breach of WhatsApp on both Android and iOS that allowed the attacker to gain access to the app with a simple voice over IP call.
The user didn’t even have to answer the call. The internet and podcasters have been abuzz for the past week or two over how this was a breach of iOS security, but that never made sense to me. How could gaining access to the app break the sandbox? Well, MacRumors modified their story with this note at the bottom, “Update: Reader comments suggested that some of the wording in this article was confusing or misleading, so we have updated it to make sure the details of the vulnerability are clear. Specifically, this issue impacted WhatsApp, not the iOS operating system.”
The attackers were able to take over WhatsApp but nothing beyond it. That did give them access to whatever the user had granted WhatsApp access to, e.g., the camera, photos, the microphone, maybe their contacts list. All of those would have been normal for a person-to-person app like WhatsApp.
I did learn one other thing that may have given some additional access. iOS has app groups which let a software developer group multiple apps in a shared sandbox so they can share information with each other. Apparently Facebook has done this by combining Facebook and WhatsApp. Thus, the breached WhatsApp might also have had access to all of the user’s Facebook data as well as whatever phone resources the user had also granted Facebook access to. I wonder if Instagram is also included in the shared sandbox?
So among the usual choices of iOS, Android, macOS, Linux, and Windows, I still consider iOS the most secure operating system today, and apparently the sandbox is still intact.
References
WhatsApp Vulnerability Left iPhones Vulnerable to Israeli Spyware [Updated], MacRumors, Monday May 13, 2019 5:22 PM PDT by Juli Clover.