Update Your iOS Devices Now

iOS 7.0.6 Update Screen

Navigate to Settings > General > Software Update.

On Friday, February 21st, Apple released security updates affecting the iPhone 3GS through the 5s, the iPad 2 and later, the 4th and 5th generation iPod touch and the 2nd generation Apple TV.  The specific version updates available for various devices are as follows:

  • iOS 7.0.6 – iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
  • iOS 6.1.6 – iPhone 3GS, iPod touch (4th generation)
  • Apple TV 6.0.2 – Apple TV 2nd generation and later

To characterize the patched vulnerability using Apple’s words, “An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.”  ZDNet and others report that iOS was not doing SSL/TLS hostname checking prior to Friday’s update.  This is a very serious flaw.

For those who aren’t aware, SSL/TLS hostname checking is one part of an imperfect system meant to keep our encrypted communications secure.  Whenever you visit a secure web site using the HTTPS prefix, your computer is supposed to compare the site name you entered with the digital certificate that the site uses in order to initiate an encrypted session.  If the two don’t match, you’re presented with a fairly ominous warning.  While it’s still possible for a skilled person or an organization to mount a man-in-the-middle attack and eavesdrop on your encrypted traffic, at least they’d need to dupe or coerce a Certificate Authority into giving them a digital certificate containing the name of the site they wished to impersonate.

But without SSL/TLS hostname checking, literally anyone in a “privileged network position” on a network segment between your iOS device and the rest of the Internet can pretend to be Bank of America, Amazon, Google or anyone else.  While it’s not alleged that the Safari web browser contained this vulnerability, everything else that your iPhone does could be susceptible to it.  For instance, your iPhone’s native Mail app wouldn’t distinguish between Google’s legitimate Gmail servers and a server that anyone built using a common Linux distro and the openssl req command.  Such an oversight causes security professionals everywhere to collectively gasp.
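As an added illustration (not code from the original post), the check the text describes, modelled in Python: hostname_matches is a simplified RFC 6125-style name matcher, accept_server shows the difference the missing check makes, and client_context shows the corresponding strict and weak settings in Python’s ssl module. The certificate names are constructed, not taken from any real certificate.

```python
import ssl

def hostname_matches(hostname, cert_names):
    """RFC 6125-style check: case-insensitive exact match against the
    certificate's DNS names, or a wildcard covering exactly one leftmost
    label ('*.example.com' matches 'mail.example.com', not 'a.b.example.com'
    and not the bare 'example.com')."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            head, _, tail = host.partition(".")
            if head and tail == name[2:]:
                return True
    return False

def accept_server(requested_host, cert_names, check_hostname=True):
    """The decision a client makes after the certificate chain validates.
    check_hostname=False models the reported unpatched-iOS behaviour: a
    certificate a CA issued for any name is accepted for any host."""
    if not check_hostname:
        return True
    return hostname_matches(requested_host, cert_names)

def client_context(strict=True):
    """Python ssl client context. strict=True is the setting to ship;
    strict=False keeps chain validation but drops the name check, which is
    the weak configuration the text describes."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED + check_hostname on
    if not strict:
        ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    return ctx

# Constructed certificate name lists (assumptions, not real certificates):
# names of the kind a Gmail IMAP certificate might carry, and the name on a
# certificate issued to some unrelated server sitting on the network path.
GMAIL_CERT_NAMES = ["imap.gmail.com", "*.gmail.com"]
OTHER_CERT_NAMES = ["server.example.net"]
```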

Before the rest of us panic, however, it’s important to realize that any widespread exploitation of this vulnerability would likely have already been discovered.  Very few network segments are limited to only iOS and Mac clients.  While unpatched iOS devices might be willing to blindly connect to imposter servers, we hope that the Android, Linux and Windows clients would be throwing up flags indicating the deception.  People would be talking about it.

All of this is to say that while you’re probably fine for now, there’s no time like the present to update your iOS devices.  It’s as easy as navigating to Settings > General > Software Update, and clicking on ‘Download and Install.’  Reports indicate that Mac OS 10.9.1 is vulnerable as well, so you’ll want to keep an eye out for a Mac OS update in the days ahead.

Old Exchange Flaw Persists in iOS 7

Exchange ActiveSync Connections From One iPhone 5 Running iOS 7.

Starting last December, and continuing in March of this year, we talked about a series of symptoms that often arrive hand in hand, sporadically, on Apple devices running various revisions of iOS 4, 5 and 6, up through 6.1.3.  Those symptoms include devices running warm to the touch or even hot, a battery that may drain significantly faster than normal, and spikes in cellular data use of up to ten times the user’s normal pattern.  While this trio of symptoms may well have more than one culprit, the many instances that I’ve personally witnessed have since been reduced to a single common cause, one with a quick solution.

If you’d like to read the years-long chain of events in order, including documented interactions with Apple along the way, you’re welcome to follow these links to part 1 and part 2 of the story.  Today’s entry is the third – but not the final – installment.  In the interest of time, we’ll try to get right to the point.

For All Of Us
If your iPhone, iPad or iPod touch ever begins running warmer than normal, or the battery drains twice as fast, or you get sticker shock on your next cellular bill, you’ll obviously want to quickly determine the cause.  Fortunately, with iOS 7, this is easier than ever before.  Begin by navigating to Settings > Cellular.  Scroll down, and you’ll see data usage for native and 3rd-party apps directly under each application’s name.  But don’t stop there.  Also navigate into > System Services, and observe your usage here too.  If your device connects to your company’s Microsoft Exchange e-mail environment, don’t be surprised to see a high number next to Exchange Accounts.  And if you do, read on.

Cellular use stats are a good way to identify any application working overtime.

For Microsoft Exchange Users
As we alluded to earlier (after giving it away in the title, lead graphic and caption), virtually every instance of heat + battery drain + runaway data use that I’ve personally witnessed has been the result of a sudden-onset problem syncing a Microsoft Exchange calendar.  When an iOS device encounters an error syncing an Exchange calendar, it simply retries.  In fact, it retries every couple of seconds or so, nonstop, 24 hours a day, forever if you let it.  Unfortunately this is nothing new.

This past weekend, an executive’s iPhone 5 (on Verizon) and his iPad 2 (Wi-Fi only), both running iOS 7, began exhibiting runaway connections to my employer’s Microsoft Exchange ActiveSync server.  The user upgraded his iPhone 5 to iOS 7.0.2 over the weekend, but the problem persisted.  In one 24-hour period, his iPhone checked in with our server 45,009 times, while his iPad connected 55,547 times.  Normally we’d expect to see a single device connect a few hundred times per day rather than tens of thousands.  After I notified the executive this morning and asked him to perform the following fix, his problem went away for the time being.

If you think this may be happening to you, but aren’t sure, you might consider contacting your company’s IT Department or Microsoft Exchange Administrator.  We’ll talk about what he or she can do in the next section.  Having said that, the potential fix is easy, non-destructive, and you can try it out to see if it solves your problem.  As illustrated below, you’ll simply navigate to your Exchange account settings, turn your Calendars off, and then turn them back on.  While one step, “Delete from My iPhone”, sounds ominous, you’ll get your calendar entries back when you re-sync with the server.  Further instructions follow in the next caption box.  Please read and re-read them.  And use them at your own risk.

On your device, select Settings > Mail, Contacts, Calendars > (your Exchange account). Turn off ‘Calendars’ and then ‘Delete from My iPhone.’ Wait thirty seconds, and turn Calendars back on.

For Microsoft Exchange Administrators
Keep an eye on the IIS log files on your Exchange ActiveSync server on a regular basis.  By doing so, you may be able to identify a runaway iOS device before the users even know what’s going on.  In larger environments, you’ll likely use automation and alerting tools to bring runaway devices to your attention very quickly.
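One way to do that watching, as an added example that is not the post’s own tooling: parse the IIS W3C log of the ActiveSync front end, count requests per device per day, and flag anything above a threshold you choose from your own baseline. The log lines below are constructed to look like the IIS default layout (users, device ids and user-agents are made up), with one healthy iPad and one iPhone retrying a calendar Sync every two seconds.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C log lines from an Exchange ActiveSync front end (illustrative,
# not a real capture; users, device ids and user-agents are made up).
def _eas_line(ts, user, dev, dtype, cmd):
    return (f"2013-09-23 {ts} 10.0.0.5 POST /Microsoft-Server-ActiveSync "
            f"User={user}&DeviceId={dev}&DeviceType={dtype}&Cmd={cmd} "
            f"443 {user} 203.0.113.10 Apple-{dtype}/constructed 200")

SAMPLE_LOG = ["#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status"]
# A healthy iPad: a few Ping requests spread over the hour.
SAMPLE_LOG += [_eas_line(f"08:{m:02d}:00", "asmith", "DEV0002", "iPad", "Ping")
               for m in range(0, 50, 10)]
# A runaway iPhone retrying a calendar Sync every two seconds.
SAMPLE_LOG += [_eas_line(f"08:00:{s:02d}", "jdoe", "DEV0001", "iPhone", "Sync")
               for s in range(0, 60, 2)]
# Unrelated OWA traffic that the parser must ignore.
SAMPLE_LOG.append("2013-09-23 08:10:00 10.0.0.5 GET /owa/ - 443 bsmith 203.0.113.11 Mozilla/5.0 200")

def parse_eas_requests(lines):
    """Yield (date, user, device_id, device_type, cmd) per ActiveSync request.
    '#Fields:' sets the column order; other '#' lines and non-EAS URIs are skipped."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                      # malformed or truncated line
        rec = dict(zip(fields, parts))
        if rec.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue
        q = parse_qs(rec.get("cs-uri-query", ""))
        first = lambda k: q.get(k, ["-"])[0]
        yield rec["date"], first("User"), first("DeviceId"), first("DeviceType"), first("Cmd")

def runaway_devices(lines, threshold):
    """Count requests per (date, user, device id, type) and return those above
    threshold, busiest first; a normal device makes a few hundred a day."""
    counts = Counter()
    for date, user, dev, dtype, _cmd in parse_eas_requests(lines):
        counts[(date, user, dev, dtype)] += 1
    return [(key, n) for key, n in counts.most_common() if n > threshold]
```

Point it at a real log with `runaway_devices(open(path), threshold=2000)` and the tuple it returns identifies the user and device to contact.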

For Apple
The fact that this runaway connection problem has persisted now across four generations of iOS is a bit ridiculous.  I’ve seen no Android devices exhibiting similar behavior in our environment, leading me to believe that it’s technically possible to engineer something that doesn’t do it.  Common sense suggests setting some sort of timeout; a maximum number of retries before abandoning a particular calendar entry update.  Last Spring I hoped that Apple would fix this situation with the next incremental release.  We now know that they’ve failed to address it in their next major release, iOS 7.  And that leaves all of us to live with the problem, monitor it, and execute this fix whenever necessary.

iOS 7 Mail App Flaw

Pulsating Attachment Problem in iOS 7 Mail App ©Apple Inc.

It seems that relatively few people are aware of commonly-available standards and tools for end-to-end e-mail encryption, though more may be interested in this topic in the post-Snowden era in which we now find ourselves.  One of these standards – S/MIME – is natively supported in most e-mail clients, including Microsoft Outlook, Mozilla Thunderbird, Novell Evolution, Apple’s Mac Mail, and the iOS Mail App (in iOS 5 and later).  A small handful of colleagues, business partners and I use S/MIME signing – and encryption where applicable – in our day-to-day e-mail communications.  The fact that iOS has supported S/MIME for a while makes it fairly seamless to use this technology, whether at our desks or on the go.  That is, until we all upgraded to iOS 7.

Having upgraded our iDevices to iOS 7 on or very shortly after the September 18th launch, we quickly noticed something strange with regard to encrypted e-mail.  We could read the body text of encrypted messages just as before.  Unlike with iOS 6, however, any attachments on these encrypted messages appeared to pulsate rapidly as seen above.  Trying to click on a pulsating attachment either results in nothing, or in the Mail app closing out abruptly.  Though the pulsing is fast enough to make it difficult to discern with the human eye, the attachment icon bearing the file type and name is sometimes interspersed with the word Downloading, the file name and a size that doesn’t seem to increment.  We’ve been unable to open any attachment exhibiting the pulsating behavior.

On Friday, we assumed that this affected all S/MIME attachments received on devices using iOS 7’s native Mail app.  I contacted Apple Support on case number 507281855, and also sent a message to a customer relations e-mail address that I’ve corresponded with in the past.  As we looked into the issue further over the weekend, it appears that e-mail messages created using Microsoft Outlook are most likely to exhibit the pulsating attachment behavior.  For instance, any test encrypted message that I’ve sent from fully-patched installations of Outlook in Office 2003 or 2010 arrives with the pulsating attachment problem on any iPhones and iPads running iOS 7.  When I created similar tests using Mozilla Thunderbird on Linux, two of three recipients received the attachment normally and were able to view it.  Further, any e-mail containing the content attached visibly in-line rather than as a file attachment seems to display fine as well.

So what do we know?  Every S/MIME encrypted message bearing a file attachment and created using Microsoft Outlook from a fully-patched installation of Office 2003 or 2010 exhibits the pulsating attachment problem when viewed on any iOS 7 device.  Encrypted messages with attachments created using Mozilla Thunderbird were readable by some – but not all – recipients using iOS 7 devices.  Encrypted messages sent using Mac Mail on Mac OS typically insert the attachments inline, where the content is viewable without issue.  Long story short, Apple’s Mail App has taken a step backward in iOS 7 where support for encrypted e-mail is concerned.  We can only hope that this is resolved in the next iOS update.

Update:

  • In the first week following this post, it was viewed 374 times from 209 cities in 32 countries.  Readers came from such roles as government (City of Los Angeles, Department of Homeland Security, NASA, and the U.S. Department of Energy), education (Bucknell University, Marquette University, Penn State, UC San Diego and University of California, Irvine) and Apple Inc. offices (Brisbane, Australia; Elk Grove, California; and Zurich).
  • A companion post over at the Apple Support Communities got 615 Views and counting.
  • Apple released iOS 7.0.2 to deal with security issues on the lock screen.  It did not address this problem.

Update 2:

  • Apple released iOS 7.0.3 on October 22nd.  It did not address this problem.

Update 3:

  • Apple released iOS 7.0.4 on November 14th, but did not fix this problem.  Following the upgrade on my iPad, I am not presented PDF attachments at all on S/MIME encrypted messages created via Outlook and sent via Exchange Server or Google-hosted IMAP accounts.  It’s as if they’re not there.  A Microsoft Word .DOC attachment still pulsates rapidly as in the original illustration.  My iPhone, however, shows both file types pulsating.

Update 4: