Attackers with physical access to your phone could easily create a backup of your data and steal it using iTunes' backup feature

Sep 23, 2015 23:07 GMT

Independent security researcher David Longenecker has uncovered a privacy-related flaw in Apple's security, which could be exploited to allow criminals to create illicit backups of iOS devices, provided they have physical access to the phone or tablet.

Longenecker stumbled upon this potential design flaw while investigating an iOS app designed to hide documents and pictures under a normal-looking calculator.

Trying to uncover its secrets, he at one point connected the iOS device to his computer and tried to access the hidden files.

By doing this, he observed that, if the computer was running iTunes, on Windows or Mac, a popup would appear on his phone's screen, asking him if he wanted to "Trust This Computer?"

Nothing new here, since Apple has been doing this for years, allowing iPhones and iPads to be synced with desktops or laptops, mainly to facilitate the creation of backups of the entire phone or tablet's data using iTunes' built-in backup utility.

One tap and all your data is exposed to prying eyes

The problem, as Mr. Longenecker puts it, is that this action only needs one tap on the "Trust" button.

If someone ever had physical access to an iOS device, they could easily connect an iPhone or iPad to their computer, approve the sync link between the two, and create a backup of the device, which they can later scrutinize for sensitive information.

iTunes-based backup operations include almost all of the device's files, except passwords and private health data, and attackers would face no obstacle when approving the sync.

What is recommended in this case is for Apple to implement a more secure way of approving iTunes-iOS connections, using a password set by the phone's owner.

So until there's a safer way to approve the sync between your device and another computer, be wary of whom you lend your phone to, and don't forget to activate your phone's screen lock function.

iOS backups can easily be created from any iTunes installation