A recently discovered flaw in version 6.1 of Apple's iOS software allows a malicious user to bypass the lock screen on a password-protected iPhone and use many of the device's features. Apple has promised a fix, according to TechCrunch, which called the error "a massive backdoor to some of the iPhone's core functions." While others downplayed the seriousness of the flaw itself, they noted that it is potentially indicative of deeper software security issues endemic to Apple's development process.
The iOS 6.1 flaw allows a person to circumvent the lock screen without a password by performing an emergency call, hanging up and pressing the power button. Once a user breaks into the phone, he or she can make calls, send emails, edit contacts, access voicemails and call history, see photos and use FaceTime, TechCrunch reported. Apple responded with a statement saying that it plans to issue an update.
Deeper coding issues?
Software engineering blogger Hopper, of Hemiposterical, downplayed the seriousness of the attack, noting that it may be used only a handful of times before it is fixed, but argued that its existence raises questions about the type of development process Apple is employing. A very similar flaw occurred in iOS 4.1 in 2010. Hopper noted that the bug's reappearance suggests that Apple – one of the world's largest companies – is not testing its software security in a systematic way.
"One of the most basic principles of software testing is that you should never discover the same bug in production twice – after the first discovery you should create a test that reproduces the flaw, then make the fix, and verify that the fix actually addresses the test," Hopper wrote. "The test is then re-run on every single build you make in the future – if the flaw returns, the test will fail."
The existence of the flaw, which might have been prevented with more thorough testing or source code analysis, may be an indication that Apple is skimping on security while focusing on meeting release schedules, Hopper wrote. While the error, in this case, appears to have minor consequences, the repercussions of inadequate testing could be more significant in the future. In addition to testing, developers can prevent similar mishaps and criticism by using tools such as static analysis to catch recurring flaws before a program is released.
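The regression-test discipline Hopper describes, worked through on a deliberately simplified lock-screen model (an added example, not Apple's code or the article's own): the reported event sequence is replayed against a hypothetical state machine on every build, and a `buggy` flag stands in for one assumed class of defect, an emergency dialer whose passcode waiver is never re-armed on hang-up.

```python
from enum import Enum, auto


class State(Enum):
    LOCKED = auto()          # lock screen shown, passcode required
    EMERGENCY_CALL = auto()  # emergency dialer, reachable without a passcode
    UNLOCKED = auto()        # home screen and apps


class LockScreen:
    """Hypothetical lock-screen model (not Apple's code). With buggy=True the
    hang-up path forgets to re-arm the passcode waiver granted to the dialer."""

    def __init__(self, passcode: str, buggy: bool = False) -> None:
        self._passcode = passcode
        self._buggy = buggy
        self._passcode_required = True
        self.state = State.LOCKED

    def unlock(self, attempt: str) -> bool:
        """Legitimate unlock: only a correct passcode reaches the home screen."""
        if self.state is State.LOCKED and attempt == self._passcode:
            self.state = State.UNLOCKED
            self._passcode_required = False
            return True
        return False

    def handle(self, event: str) -> State:
        if event == "emergency_call" and self.state is State.LOCKED:
            self._passcode_required = False  # dialer runs without a passcode
            self.state = State.EMERGENCY_CALL
        elif event == "hang_up" and self.state is State.EMERGENCY_CALL:
            if not self._buggy:
                self._passcode_required = True  # the fix: re-arm the lock
            self.state = State.LOCKED
        elif event == "power_button":
            # One press modelled as a sleep/wake cycle; sleeping a legitimately
            # unlocked phone re-locks it, and the screen wakes locked only if
            # the passcode requirement is still armed.
            if self.state is State.UNLOCKED:
                self._passcode_required = True
            self.state = State.LOCKED if self._passcode_required else State.UNLOCKED
        return self.state


# The event sequence reported for iOS 6.1, kept as a permanent regression case.
REPORTED_SEQUENCE = ("emergency_call", "hang_up", "power_button")


def bypass_regression_test(screen: LockScreen) -> bool:
    """Replay the reported sequence; True means the lock held."""
    for event in REPORTED_SEQUENCE:
        screen.handle(event)
    return screen.state is not State.UNLOCKED
```

Run on every build, the test fails the moment the hang-up path regresses, which is exactly the second-discovery-in-production scenario the article describes.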
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.