Apple is rolling out a major update to iOS and iPadOS that addresses serious security flaws and brings several interesting features under the hood.
The release of the new iPadOS and iOS 13.5 officially went live on May 20, 2020, and the update is currently underway globally. In addition to the usual bug fixes, stability tweaks, and performance improvements, it has a tangible focus on users’ health through the Exposure Notification API. The details regarding this groundbreaking functionality as well as the significant feature enhancements will be provided further down. Meanwhile, let’s zoom into the security facet of this release that might be somewhat eclipsed by the user experience perks striking the eye from the get-go.
Here’s some really good news: both iOS and iPadOS 13.5 are no longer susceptible to the infamous memory corruption bug in the native Mail app unearthed by cybersecurity firm ZecOps in late April. This loophole allows a hacker to take over the proprietary messaging service built into Apple’s mobile devices. The logic of the exploitation is to send a specially crafted email to the victim and thereby trigger a buffer overflow in Mail. This way, the crook can overwrite some of the app’s code with malicious data that enables them to retrieve, modify, and remove any messages.
Until recently, this trick could be pulled off on iOS 6 and later, which means millions of devices released since 2012 were potentially at risk. Moreover, smartphones and tablets with iOS 13 on board were easier to exploit than older versions because the raid didn’t require any user interaction at all. The app would simply need to be running in the background and the would-be prey didn’t even have to open the sketchy message. In security terms, this is called a zero-click attack (or rather zero-tap in this case). The only comforting part about this weakness is that the attack surface is restricted to the Mail app and the offender would need to execute an extra payload to extend it.
With the release of iOS and iPadOS 13.5, this isn’t an issue anymore. Apple has patched the imperfections that allowed the interaction-less raid to take place. Another vulnerability fixed in the latest version used to be a critical source for remote code execution on iDevices. All in all, users can heave a sigh of relief in this regard. The release also brings a new feature and a few improvements to existing ones. Here’s a brief summary of some of these fine-tunings:
- Exposure Notification – a unique instrument that allows users diagnosed with COVID-19 to confidentially broadcast their health status to people nearby. Essentially, this is an API for building apps and it should be particularly useful for public health authorities.
- Emergency Services – there is now an option to automatically share the details of your medical ID when you are making an emergency call. This feature applies to the U.S. only.
- Easier device unlocking – this one comes into play if you are wearing a mask. Rather than engage Face ID, your iPhone or iPad will automatically display the passcode field in that scenario.
- FaceTime – Apple engineers have added an option to prevent the tile of whoever is currently speaking from becoming larger.
It’s worth pointing out that this is probably the final release of iOS and iPadOS 13 iteration and Apple will further concentrate on version 14 of their mobile operating systems. This year’s WWDC event, which will start on June 22 and will be held in fully online mode due to the pandemic circumstances, should dot the i’s and cross the t’s in this context.