Adding to security headaches for Apple and iOS users, researchers at N.C. State have discovered security vulnerabilities in the operating system for iPhones and iPads.

These holes differ from the Apple security problems reported internationally on Thursday.

“I was not previously aware of the flaw [as reported by The Associated Press]. Based on a quick read of the article, it seems quite different than the flaws we discovered,” NCSU Professor William Enck told WRAL TechWire.

Enck and a team of researchers from Romania and Germany discovered the Apple iOS operating system vulnerabilities and have reported them to Apple.

The team found weaknesses that could enable:

  • Methods of bypassing the iOS’s privacy settings for contacts;
  • Methods of learning a user’s location search history;
  • Methods of inferring sensitive information (such as when photos were taken) by accessing metadata of system files;
  • Methods of obtaining the user’s name and media library;
  • Methods of consuming disk storage space that cannot be recovered by uninstalling the malicious app;
  • Methods of preventing access to system resources, such as the address book; and
  • Methods that allow apps to share information with each other without permission.

“We are already discussing these vulnerabilities with Apple,” Enck told NCSU’s news service. “They’re working on fixing the security flaws, and on policing any apps that might try to take advantage of them.”

The NCSU findings emerged shortly after news broke about

Two reports issued Thursday, one by Lookout, a San Francisco mobile security company, and another by Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, outlined how a recently discovered eavesdropping program could completely compromise an Apple device at the tap of a finger.

If an iPhone user had touched the link, he would have given his hackers free rein to eavesdrop on calls, harvest messages, activate his camera and drain the phone’s trove of personal data.

Apple issued a fix for the vulnerabilities Thursday, just ahead of the reports’ release, working at a blistering pace for which the Cupertino, California-based company was widely praised.

NCSU project

The NCSU team focused on the iOS’s “sandbox,” which serves as the interface between applications and the iOS. The iOS sandbox uses a set “profile” for every third-party app. This profile controls the information that the app has access to and governs which actions the app can execute.

“There’s been a lot of research done on Android’s operating systems, so we wanted to take a closer look at Apple’s iOS,” said Enck, who is an associate professor of computer science and co-author of a paper describing the work. “Our goal was to identify any potential problems before they became real-world problems.”

To see whether the sandbox profile contained any vulnerabilities that could be exploited by third-party apps, the researchers first extracted the compiled binary code of the sandbox profile. They then decompiled the code, so that it could be read by humans. Next, they used the decompiled code to make a model of the profile, and ran a series of automated tests in that model to identify potential vulnerabilities.

Lead author of the NCSU paper is Luke Deshotels, a Ph.D. student at NC State. The paper’s co-authors include Mihai Chiroiu and Răzvan Deaconescu of University Politehnica of Bucharest, and Lucas Davi and Ahmad-Reza Sadeghi of Technische Universität Darmstadt.

Grants from the U.S. Army Research Office and the National Science Foundation helped fund the project.

(NCSU News Service’s Matt Shipman contributed to this report.)