About

  • iPhone J.D. is the oldest and largest website for lawyers using iPhones and iPads. iPhone J.D. is published by Jeff Richardson, an attorney in New Orleans, Louisiana. This site does not provide legal advice, and any opinions expressed on this site are solely those of the author and do not reflect the views of Jeff's law firm, Adams and Reese LLP. iPhone J.D. is not associated with Apple, Inc.

Contact Me

FTC Notice

  • Pursuant to 16 CFR Part 255, the Federal Trade Commission's Guides Concerning the Use of Endorsements and Testimonials in Advertising, please note: (1) iPhone software and hardware developers routinely send me free versions of their products to review. I sometimes keep and continue to use these products that I did not pay for after posting my review, which might be considered a form of compensation for my review, but I do not believe that I let that color my review. (2) When I post links to product pages on Amazon, my links include a referral code so that when products are purchased after clicking on the link, I often receive a very small percentage of the sale. As an Amazon Associate I earn from qualifying purchases. Again, I do not believe that I let that color my review of products. (3) Some of the ads that run on this website are selected by others. If one of these ads comes from the seller of a product reviewed on iPhone J.D., that is a coincidence, and I do not believe that it colors my review of that product. Other ads are from paid advertisers, and if I discuss a product from a company that is a current advertiser, I will note that. (4) Some of the ads that run on this website are from monthly sponsors of iPhone J.D. When I discuss products from these companies on iPhone J.D., I do so to pass along information provided to me by the sponsor. Often, I will also provide my own commentary on the product, and while my goal is to be honest, please keep in mind that I was compensated to promote the product. If you have any questions about this, just send me an e-mail or post a comment on a specific product review.

« Review: EvidPredicates -- cheatsheet on courtroom evidentiary foundations | Main | White iPhone 4 delayed again »

October 26, 2010

iPhone security flaw gives anyone access to Phone app

Phone2 I have long recommended that all iPhone owners enable the passcode lock feature.  That way, if someone gets unauthorized access to your iPhone, that person cannot use the iPhone without your secret code.  At least, that is how it is supposed to work.

Unfortunately, a few days ago, a poster on a MacRumors forum described a security flaw that allows anyone to get limited access to your phone even if the passcode lock is enabled.  When you swipe to unlock an iPhone and then see the "Enter Passcode" screen you can tap the Emergency Call button to make an emergency call.  (That way, anyone can use your phone to dial 911.)  But instead, enter any other number (or you can even enter ###), tap the green phone button, and then immediately — right as the phone starts to dial — press the lock button on the top of the iPhone.  You will then jump into the Phone app on the iPhone, which means that you can view the call history on the phone, use the phone to call anyone that you want, look at (and even modify) the Phone favorites, etc. 

And it doesn't stop there.  You can also select a contact, tap "Share Contact," and send an e-mail from the iPhone.  You can also tap on the blue arrow next to any recent call, tap "Share Contact," choose MMS, tap the phone icon, tap Choose Existing, and then see all of the photos stored on the iPhone.  And as Ross Miller of Engadget notes, you can also "hold down the menu button to access voice control and play some locally-stored tunes while you're at it."  Thus, this security flaw exposes your phone, your contacts, your photographs, and the ability to send an e-mail from your phone.  Lovely.

You can try this out on your own iPhone to see how it works, as long as you are running iOS 4.  Apparently the flaw doesn't exist in iOS 3.  When you are done, it can be a little tricky to get things back to normal, but one solution I found is to dial any phone number, and then hang up.  That will get you back to the "Enter Passcode" screen.

I always question whether I should mention security flaws here because the last thing that I want to do is help "bad guys" figure out how to cause mischief.  But this one has already gotten a lot of publicity over the last few days, so at this point I just want to make sure that iPhone owners know about it so that they can be extra careful with their iPhones until a fix comes out.  John Gruber of Daring Fireball notes that it appears to already be fixed in the latest beta version of iOS 4.2, which comes out in November, but for the next few days or weeks, this may be something that we have to live with.

[UPDATE:  Sure enough, iOS 4.2 will be the solution.  Brian Chen of Wired got Apple to respond on the record on this issue, and an Apple spokeman said:  "We’re aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November."]

Comments

Subscribe

  • Get iPhone J.D. delivered to you via email.
    Name:*
    Your email address:*
    Consent*
    Yes, I consent to being emailed
    No, I do not want to be emailed
    Please enter all required fields Click to hide
    Correct invalid entries Click to hide
    No spam, ever. Promise. Powered by FeedBlitz

Awards

  • ABA Journal named iPhone J.D. the best Legal Technology blog in 2010, 2011 and 2013, and added iPhone J.D. to its Hall of Fame in 2014:

    The Expert Institute named iPhone J.D. the Top Legal Tech Blog in 2017:

Recent Posts