Humongous Security flaw discovered in iPhone Firmware

August 28, 2008

Apple News


The other day Gizmodo discovered a very large security flaw in Apple’s iPhone software. When an iPhone is enabled with a passcode lock, purportedly none of the information within it can be accessed without first entering the code. This, however, can be circumvented very easily, with very little trickery. On the ‘lock’ screen, you can still make an emergency call. When you tap that, you can then double-tap the home button to bring up your favorites (assuming you have that set).

The issue is that your favorites are basically the keys to the kingdom. You can tap the blue arrow next to a favorite to gain access to a contact’s information. From there, you can further tap email, a URL, or SMS to gain access to email, Safari and your bookmarks, or all of your SMSes, respectively.

Rene notes in an email that this is reminiscent of the old PalmOS bug wherein you could still search the device while it was locked. This, though, is definitely worse.

Thankfully, Apple has the best ROM update system in the entire smartphone industry — able to push out updates to every iPhone via iTunes with minimal carrier delays. Let’s hope we see 2.0.3 very soon. Meanwhile Giz recommends you set that double-tap behavior to either ‘Home’ or ‘iPod’ to temporarily fix the issue.

Of course, this only applies to people who actually use the lock function on their iPhones; the rest of us just live dangerously.

Update: Macrumors reports that Apple is aware of the issue and has a fix on the way:

[...]this security flaw was already reported to Apple earlier this month and has been acknowledged as an issue. A fix will presumably be included in a future firmware update
