Apple has never shied away from boasting about how secure its systems are, but researchers have found that contacts saved on iPhones are vulnerable to an SQLite hack attack which could infect the devices with malware.
SQLite – the most widespread database engine in the world – is available in every operating system (OS), desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite.
Security firm Check Point has demonstrated a technique being used to manipulate Apple’s iOS Contacts app. Searching the Contacts app under these circumstances triggers the device to run malicious codes, Apple Insider reported on Saturday.
The vulnerability has been identified in the industry-standard SQLite database.
Documented in a 4,000-word report, the company’s hack involved replacing one part of Apple’s Contacts app and while apps and any executable code has to go through Apple’s startup checks, an SQLite database is not executable.
“Persistence (keeping the code on the device after a restart) is hard to achieve on iOS as all executable files must be signed as part of Apple’s Secure Boot. Luckily for us, SQLite databases are not signed,” the report quoted the Check Point researchers as saying.
As of now, Apple has not commented on Check Point’s report.