Apple mitigates but doesn’t fully fix critical iOS Airdrop vulnerability
Apple has mitigated a critical iOS vulnerability that allows attackers within Bluetooth range of an iPhone to install malicious apps using the Airdrop filesharing feature.
Mark Dowd, the security researcher who discovered the bug and privately reported it to Apple, told Ars that the vulnerability has been mitigated in iOS 9, which Apple released Wednesday. But he went on to say that the underlying bug still hasn’t been fixed. As he demonstrated in the following video, the bug allows attackers who briefly have physical access to a vulnerable iPhone or who are within Bluetooth range of it, to install an app that the device will trust without prompting the user with a warning dialog.
Dowd used an enterprise certificate Apple makes available to developers so large organizations can install custom apps on large fleets of iPhones. As a result, the apps his technique installs don’t generate a dialog that warns the end user that the app is signed by a third party and asking for approval to proceed. He said another method for bypassing iOS code-signing restrictions would be to combine his Airdrop hack with jailbreak exploit, such as the TaiG jailbreak that Apple recently patched with version 8.4 of iOS.