Arab Press

بالشعب و للشعب
Friday, Aug 22, 2025

Apple Fixes One of the iPhone's Most Pressing Security Risks

Apple Fixes One of the iPhone's Most Pressing Security Risks

By hardening iMessage in iOS 14, the company has effectively cut off what had been an increasingly popular line of attack.
Apple's iOS operating system is generally considered secure, certainly enough for most users most of the time. But in recent years hackers have successfully found a number of flaws that provide entry points into iPhones and iPads. Many of these have been what are called zero-click or interactionless attacks that can infect a device without the victim so much as clicking a link or downloading a malware-laced file.

Time and again these weaponized vulnerabilities turned out to be in Apple's chat app, iMessage. But now it appears that Apple has had enough. New research shows that the company took iMessage's defenses to a whole other level with the release of iOS 14 in September.

At the end of December, for example, researchers from the University of Toronto’s Citizen Lab published findings on a hacking campaign from the summer in which attackers successfully targeted dozens of Al Jazeera journalists with a zero-click iMessages attack to install NSO Group's notorious Pegasus spyware. Citizen Lab said at the time that it didn't believe iOS 14 was vulnerable to the hacking used in the campaign; all the victims were running iOS 13, which was current at the time.

Samuel Groß has long investigated zero-click iPhone attacks alongside a number of his colleagues at Google's Project Zero bug-hunting team. The week, he detailed three improvements that Apple added to iMessage to harden the system and make it much more difficult for attackers to send malicious messages crafted to wreak strategic havoc.

“These changes are probably very close to the best that could’ve been done given the need for backward compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” Groß wrote on Thursday. “It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security.”

In response to Citizen Lab's research, Apple said in December that “iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks.”

iMessage is an obvious target for zero-click attacks for two reasons. First, it's a communication system, meaning part of its function is to exchange data with other devices. iMessage is literally built for interactionless activity; you don't need to tap anything to receive a text or photo from a contact. And iMessage's full suite of features—integrations with other apps, payment functionality, even small things like stickers and memoji—make it fertile ground for hackers as well. All those interconnections and options are convenient for users but add “attack surface,” or potential for weakness.

“iMessage is a built-in service on every iPhone, so it’s a huge target for sophisticated hackers,” says Johns Hopkins cryptographer Matthew Green. “It also has a ton of bells and whistles, and every single one of those features is a new opportunity for hackers to find bugs that let them take control of your phone. So what this research shows is that Apple knows this and has been quietly hardening the system.”

Groß outlines three new protections Apple developed to deal with its iMessage security issues at a structural level, rather than through Band-Aid patches. The first improvement, dubbed BlastDoor, is a “sandbox,” essentially a quarantine zone where iMessage can inspect incoming communications for potentially malicious attributes before releasing them into the main iOS environment.

The second new mechanism monitors for attacks that manipulate a shared cache of system libraries. The cache changes addresses within the system at random to make it harder to access maliciously. iOS only changes the address of the shared cache after a reboot, though, which has given zero-click attackers an opportunity to discover its location; it's like taking shots in the dark until you hit something. The new protection is set up to detect malicious activity and trigger a refresh without the user having to restart their iPhone.

The final addition makes it more difficult for hackers to “brute force,” or retry attacks multiple times—a common technique in zero-click hacks if an assault doesn't quite work the first time. This protection is relevant to reducing those shots in the dark to find the shared cache, but also to attacks more broadly, like attempts to send multiple malicious texts (which are typically invisible to the user) to retry an attack until it works.

Independent researchers agree with Groß's assessment that the version of iMessage in iOS 14 is much better defended against these types of attacks.

“The mitigations are very welcome and appear to be intelligently done,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “I would have hoped to see something like this sooner as iMessage is a big target for remote attacks, but it at least looks like they put a decent amount of care into this.”

Now that they're here, the improvements should make a big difference in curbing the rising tide of interactionless attacks against iMessage. But researchers warn that it's only a matter of time before attackers find a new spin on their stalwart techniques.
Newsletter

Related Articles

Arab Press
0:00
0:00
Close
Dogfights in the Skies: Airbus on Track to Overtake Boeing and Claim Aviation Supremacy
Tim Cook Promises an AI Revolution at Apple: "One of the Most Significant Technologies of Our Generation"
Are AI Data Centres the Infrastructure of the Future or the Next Crisis?
Miles Worth Billions: How Airlines Generate Huge Profits
Zelenskyy Returns to White House Flanked by European Allies as Trump Pressures Land-Swap Deal with Putin
Beijing is moving into gold and other assets, diversifying away from the dollar
Trump Backs Putin’s Land-for-Peace Proposal Amid Kyiv’s Rejection
Zelenskyy to Visit Washington after Trump–Putin Summit Yields No Agreement
Iranian Protection Offers Chinese Vehicle Shipments a Cost Advantage over Japanese and Korean Makers
United States Sells Luxury Yacht Amadea, Valued at Approximately $325 Million, in First Sale of a Seized Russian Yacht Since the Invasion of Ukraine
Saudi Arabia accelerates renewables to curb domestic oil use
Cristiano Ronaldo and Georgina Rodríguez announce engagement
Asia-Pacific dominates world’s busiest flight routes, with South Korea’s Jeju–Seoul corridor leading global rankings
Private Welsh island with 19th-century fort listed for sale at over £3 million
Sam Altman challenges Elon Musk with plans for Neuralink rival
Australia to Recognize the State of Palestine at UN Assembly
The Collapse of the Programmer Dream: AI Experts Now the Real High-Earners
Armenia and Azerbaijan to Sign US-Brokered Framework Agreement for Nakhchivan Corridor
British Labour Government Utilizes Counter-Terrorism Tools for Social Media Monitoring Against Legitimate Critics
WhatsApp Deletes 6.8 Million Scam Accounts Amid Rising Global Fraud
Texas Residents Face Water Restrictions While AI Data Centers Consume Millions of Gallons
India Rejects U.S. Tariff Threat, Defends Russian Oil Purchases
United States Establishes Strategic Bitcoin Reserve and Digital Asset Stockpile
Thousands of Private ChatGPT Conversations Accidentally Indexed by Google
China Tightens Mineral Controls, Curtailing Critical Inputs for Western Defence Contractors
JPMorgan and Coinbase Unveil Partnership to Let Chase Cardholders Buy Crypto Directly
British Tourist Dies Following Hair Transplant in Turkey, Police Investigate
WhatsApp Users Targeted in New Scam Involving Account Takeovers
Trump Deploys Nuclear Submarines After Threats from Former Russian President Medvedev
Germany’s Economic Breakdown and the Return of Militarization: From Industrial Collapse to a New Offensive Strategy
Germany Enters Fiscal Crisis as Cabinet Approves €174 Billion in New Debt
IMF Upgrades Global Growth Forecast as Weaker Dollar Supports Outlook
Politics is a good business: Barack Obama’s Reported Net Worth Growth, 1990–2025
UN's Top Court Declares Environmental Protection a Legal Obligation Under International Law
"Crazy Thing": OpenAI's Sam Altman Warns Of AI Voice Fraud Crisis In Banking
Japanese Prime Minister Vows to Stay After Coalition Loses Upper House Majority
President Trump Diagnosed with Chronic Venous Insufficiency After Leg Swelling
Man Dies After Being Pulled Into MRI Machine Due to Metal Chain in New York Clinic
FIFA Pressured to Rethink World Cup Calendar Due to Climate Change
Iranian President Reportedly Injured During Israeli Strike on Secret Facility
Kurdistan Workers Party Takes Symbolic Step Towards Peace in Northern Iraq
BRICS Expands Membership with Indonesia and Ten New Partner Countries
Elon Musk Founds a Party Following a Poll on X: "You Wanted It – You Got It!"
AI Raises Alarms Over Long-Term Job Security
Russia Formally Recognizes Taliban Government in Afghanistan
Saudi Arabia Maintains Ties with Iran Despite Israel Conflict
Mediators Edge Closer to Israel-Hamas Ceasefire Agreement
Germany Seeks Taliban Deal to Deport Afghan Migrants
Emirates Airline Expands Market Share with New $20 Million Campaign
Robots Compete in Football Tournament in China Amid Injuries
×