
Heartbleed and iOS

My up-to-date iPhone and iPad both have OpenSSL 1.0.1b 26 Apr 2012 installed as part of iOS 7.1***. According to http://heartbleed.com this OpenSSL version is vulnerable to the heartbleed bug.


Could these devices be attacked from other devices on my network using the heartbleed bug?


Is there a way for me to upgrade to OpenSSL 1.0.1g to remove this vulnerability?


***To prove this to yourself on an iOS device, grab a copy of Pythonista and type: import ssl ; print(ssl.OPENSSL_VERSION)

You will get back: 'OpenSSL 1.0.1b 26 Apr 2012'

iPad (4th gen) Wi-Fi, iOS 7.1

Posted on Apr 9, 2014 11:08 PM
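Added example (not part of the original post): the Pythonista one-liner above only prints the banner. This helper parses such a banner and reports whether it falls in the range heartbleed.com lists as affected (1.0.1 through 1.0.1f, plus 1.0.2-beta1); 1.0.1g is the fixed release. The version-parsing regex and function names are my own, and a matching banner is only a hint: a vendor may have backported the fix without bumping the version, and the library must actually be used for the app's TLS connections with heartbeats enabled for the bug to matter.

```python
import re
import ssl

# Release range that shipped the vulnerable heartbeat code (per heartbleed.com):
# 1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release. 1.0.1g contains the fix.
LAST_VULNERABLE_LETTER = "f"


def parse_openssl_version(banner):
    """Extract (major, minor, fix, patch_letter) from a banner such as
    'OpenSSL 1.0.1b 26 Apr 2012'. Raises ValueError for non-OpenSSL banners
    (LibreSSL, BoringSSL, ...), which need a different check entirely."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % (banner,))
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def version_in_heartbleed_range(banner):
    """True if the banner's version is one that shipped with CVE-2014-0160."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug; later betas were fixed.
        return "1.0.2-beta1" in banner
    if (major, minor, fix) != (1, 0, 1):
        return False
    # '' (plain 1.0.1) sorts before 'a', so the comparison covers 1.0.1 .. 1.0.1f.
    return letter <= LAST_VULNERABLE_LETTER


def local_openssl_status():
    """Run the check against the OpenSSL this Python interpreter is linked to
    (the same value the post reads from Pythonista on iOS). Returns True/False,
    or None when the linked library is not OpenSSL at all."""
    try:
        return version_in_heartbleed_range(ssl.OPENSSL_VERSION)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample banners, including the one quoted in the post above.
    for sample in ("OpenSSL 1.0.1b 26 Apr 2012",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        print(sample, "->", "in affected range" if version_in_heartbleed_range(sample) else "not affected")
    print("this interpreter:", ssl.OPENSSL_VERSION, "->", local_openssl_status())
```

On a current desktop Python the last line will report a 3.x OpenSSL and `False`; the interesting case is running it inside the Pythonista environment described in the post, where the banner quoted above lands in the affected range.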

21 replies

Apr 10, 2014 4:18 PM in response to cclauss

Apple now claims iOS was not affected:


http://recode.net/2014/04/10/apple-says-ios-osx-and-key-web-services-not-affected-by-heartbleed-security-flaw/


Not sure what it means that the OpenSSL version makes it appear that it was. However, my question is, are there any apps on iOS that use the OpenSSL software to establish a service that would be vulnerable? This is a server problem, not a client problem, so how and when is iOS used as a server?

Apr 10, 2014 4:54 PM in response to Philly_Phan

Philly_Phan: I'm not sure what the relevance is of your question. Obviously, if you jailbreak your device, you could set it up as a server and could make yourself vulnerable (if you use and configure a vulnerable version of OpenSSL). Non-authorized apps you run might do this for you (whether you know it or not). However, my own question is about legitimate apps on non-jailbroken devices.

Apr 10, 2014 5:06 PM in response to robdrage

From: http://www.intego.com/mac-security-blog/heartbleed-openssl-bug-faq-for-mac-iphone-and-ipad-users/




Can Apple roll out the patch for the bug?


Unfortunately this isn’t a bug in Apple’s software or hardware. The bug exists in open source software that some web servers and networked appliances use to establish secure SSL connections. In other words, there is no patch for your computer or smartphone or tablet computer, as the problem exists on the websites themselves.

Apr 10, 2014 8:55 PM in response to robdrage

robdrage wrote:


There is no iOS server, since iOS is only an OS for mobile devices, not hosting systems.

This is not entirely true. I have an app called "TinyScan" (available on the AppStore) which lets me "scan" documents with my iPhone camera. In order to transfer the resulting scanned documents to a computer, it has the option to set up a "Wi-Fi Drive" which is really just a web server (on the iPhone) with the documents. You can then access it using a standard web browser from any computer on the same WiFi network. Thus the iPhone is acting as host. In this particular case, the server is not using https (it's using http) and thus is not affected by the bug. (Also it uses an internal IP address on your WiFi network, so it is not exposed to the full Internet.) However, if this app maker can add such a feature and use it to transfer files, then other apps and services can do the same thing on your iOS device.

Apr 10, 2014 11:02 PM in response to PacBlue

Agreed. There are lots of PDF reader apps, file manager apps, and video apps that allow you to temporarily turn your iOS device into an HTTP and/or FTP server so that you can upload/download files. Turning your iOS device into a server can be done in very few lines of Python or Objective-C even if your device is not jailbroken.


I would like to understand where this notion comes from that only the server can be attacked. I do not see that anywhere on http://heartbleed.com? My reading of that description is that BOTH the client and the server are vulnerable if EITHER of them has a vulnerable OpenSSL library. Am I misreading http://heartbleed.com?

Apr 11, 2014 9:37 AM in response to cclauss

cclauss wrote:


My reading of that description is that BOTH the client and the server are vulnerable if EITHER of them has a vulnerable OpenSSL library. Am I misreading http://heartbleed.com?

You appear to be correct. See the following two posts. However, it is much more difficult to exploit on the client side, as you would have to connect to a malicious server (or impersonated server... which theoretically is possible if an attacker has leaked the security certificates from a site you normally trust). The servers are exposed to the public and anyone can connect and send heartbeat requests to leak information from them. They also contain information on many different people, not just one (at a time). That's why there is so much emphasis on the servers.


http://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed


http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely
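Added example (not from the thread or from OpenSSL itself) illustrating why the reply above is right that both sides are exposed: a TLS heartbeat (RFC 6520) can be sent by either peer, and the bug was that the receiver echoed as many bytes as the message *claimed* to carry instead of as many as it actually *received*. The validator below is the missing comparison, written in plain Python over a heartbeat message body; `build_heartbeat` is a constructed fixture so the check can be exercised offline, and all names are my own.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 1 + 2      # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def validate_heartbeat(record):
    """Check a heartbeat message body before acting on it, regardless of
    whether this side is the client or the server. Returns (ok, reason)."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return False, "too short to hold header and minimum padding"
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, "unknown heartbeat type %d" % hb_type
    # The Heartbleed defect: payload_len was trusted and never compared with the
    # number of bytes actually present, so the echo read past the message.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        return False, "claimed payload %d bytes exceeds record of %d bytes" % (
            payload_len, len(record))
    return True, "ok"


def build_heartbeat(hb_type, payload, claimed_len=None, padding=b"\x00" * MIN_PADDING):
    """Constructed test fixture: assemble a heartbeat message. claimed_len lets a
    test write a payload_length field that disagrees with the real payload."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", hb_type, length) + payload + padding


def respond(record):
    """Safe echo: reply only to a message that validates, and echo exactly the
    bytes that were received. Returns None when the message must be dropped
    (RFC 6520 says malformed heartbeats are silently discarded)."""
    ok, _reason = validate_heartbeat(record)
    if not ok:
        return None
    payload_len = struct.unpack("!H", record[1:HEADER_LEN])[0]
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return build_heartbeat(HB_RESPONSE, payload)


if __name__ == "__main__":
    # Constructed samples: a well-formed request and one whose length field lies.
    good = build_heartbeat(HB_REQUEST, b"hello")
    lying = build_heartbeat(HB_REQUEST, b"hello", claimed_len=4000)
    print("well-formed:", validate_heartbeat(good), "->", respond(good))
    print("over-claimed:", validate_heartbeat(lying), "->", respond(lying))
```

The same function serves a client checking a heartbeat that arrived from a server it connected to, which is the harder-to-reach but real case the reply describes: nothing in the check depends on which side of the connection received the message.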
