On Friday, the researcher went public with their findings, which contained one vulnerability fixed in iOS 14.7 and three unpatched vulnerabilities. The fixed bug involved Analyticsd and allowed apps to access logs containing medical information, device usage information, application crashes, and information on device accessories.

The unpatched vulnerabilities included the gamed service not properly checking game-center permission and allowing access to the Core Duet database that contains all contacts from Mail, SMS, iMessages, and some attachments; Apple ID email, full name, and authentication tokens allowing access to at least one apple.com endpoint; and read access to speed dial database and address book. A vulnerability in Nehelper allowed for an app to check whether any other app was installed, and another Nehelper bug allowed for unauthorised access to Wi-Fi information.

The researcher said that when Apple fixed the Analyticsd issue, they were not credited, with Apple saying in July that credit was forthcoming. By September, the researcher was still waiting. For each vulnerability, the researcher published proof-of-concept code on GitHub.

On Saturday, the researcher received a response from Apple, which said it had seen the blog post and apologised for the delay. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance,” Apple said. ZDNet asked Apple for comment on Friday, but we are still awaiting a response.

Over the weekend, a blind developer complained that Apple had labelled as spam an update to make an accessible version of Hangman run on iOS 15.

“My app is made for the blind and that all the other hangman games I have seen on the app store are half playable and … this is a bugfix update and already existing users who have paid for the app are unable to play using iOS 15,” Oriol Gómez Sentís wrote. “To my horror, they replied saying that yes, ‘we understand that your app has voiceover’, hello? My app has voiceover? But unfortunately the rejection is still in place.” By the early hours of Monday morning, the developer said Apple had approved the update, but the app remained in violation of App Store guidelines.