Beautiful Virgin Islands

Monday, Sep 01, 2025

Apple Fixes One of the iPhone's Most Pressing Security Risks

Apple Fixes One of the iPhone's Most Pressing Security Risks

By hardening iMessage in iOS 14, the company has effectively cut off what had been an increasingly popular line of attack.
Apple's iOS operating system is generally considered secure, certainly enough for most users most of the time. But in recent years hackers have successfully found a number of flaws that provide entry points into iPhones and iPads. Many of these have been what are called zero-click or interactionless attacks that can infect a device without the victim so much as clicking a link or downloading a malware-laced file.

Time and again these weaponized vulnerabilities turned out to be in Apple's chat app, iMessage. But now it appears that Apple has had enough. New research shows that the company took iMessage's defenses to a whole other level with the release of iOS 14 in September.

At the end of December, for example, researchers from the University of Toronto’s Citizen Lab published findings on a hacking campaign from the summer in which attackers successfully targeted dozens of Al Jazeera journalists with a zero-click iMessages attack to install NSO Group's notorious Pegasus spyware. Citizen Lab said at the time that it didn't believe iOS 14 was vulnerable to the hacking used in the campaign; all the victims were running iOS 13, which was current at the time.

Samuel Groß has long investigated zero-click iPhone attacks alongside a number of his colleagues at Google's Project Zero bug-hunting team. The week, he detailed three improvements that Apple added to iMessage to harden the system and make it much more difficult for attackers to send malicious messages crafted to wreak strategic havoc.

“These changes are probably very close to the best that could’ve been done given the need for backward compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” Groß wrote on Thursday. “It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security.”

In response to Citizen Lab's research, Apple said in December that “iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks.”

iMessage is an obvious target for zero-click attacks for two reasons. First, it's a communication system, meaning part of its function is to exchange data with other devices. iMessage is literally built for interactionless activity; you don't need to tap anything to receive a text or photo from a contact. And iMessage's full suite of features—integrations with other apps, payment functionality, even small things like stickers and memoji—make it fertile ground for hackers as well. All those interconnections and options are convenient for users but add “attack surface,” or potential for weakness.

“iMessage is a built-in service on every iPhone, so it’s a huge target for sophisticated hackers,” says Johns Hopkins cryptographer Matthew Green. “It also has a ton of bells and whistles, and every single one of those features is a new opportunity for hackers to find bugs that let them take control of your phone. So what this research shows is that Apple knows this and has been quietly hardening the system.”

Groß outlines three new protections Apple developed to deal with its iMessage security issues at a structural level, rather than through Band-Aid patches. The first improvement, dubbed BlastDoor, is a “sandbox,” essentially a quarantine zone where iMessage can inspect incoming communications for potentially malicious attributes before releasing them into the main iOS environment.

The second new mechanism monitors for attacks that manipulate a shared cache of system libraries. The cache changes addresses within the system at random to make it harder to access maliciously. iOS only changes the address of the shared cache after a reboot, though, which has given zero-click attackers an opportunity to discover its location; it's like taking shots in the dark until you hit something. The new protection is set up to detect malicious activity and trigger a refresh without the user having to restart their iPhone.

The final addition makes it more difficult for hackers to “brute force,” or retry attacks multiple times—a common technique in zero-click hacks if an assault doesn't quite work the first time. This protection is relevant to reducing those shots in the dark to find the shared cache, but also to attacks more broadly, like attempts to send multiple malicious texts (which are typically invisible to the user) to retry an attack until it works.

Independent researchers agree with Groß's assessment that the version of iMessage in iOS 14 is much better defended against these types of attacks.

“The mitigations are very welcome and appear to be intelligently done,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “I would have hoped to see something like this sooner as iMessage is a big target for remote attacks, but it at least looks like they put a decent amount of care into this.”

Now that they're here, the improvements should make a big difference in curbing the rising tide of interactionless attacks against iMessage. But researchers warn that it's only a matter of time before attackers find a new spin on their stalwart techniques.
Newsletter

Related Articles

Beautiful Virgin Islands
0:00
0:00
Close
Chinese and Indian Leaders Pursue Amity Amid Global Shifts
European Union Plans for Ukraine Deployment
ECB Warns Against Inflation Complacency
Concerns Over North Cyprus Casino Development
Shipping Companies Look Beyond Chinese Finance
Rural Exodus Fueling European Wildfires
China Hosts Major Security Meeting
Chinese Police Successfully Recover Family's Savings from Livestream Purchases
Germany Marks a Decade Since Migrant Wave with Divisions, Success Stories, and Political Shifts
Liverpool Defeat Arsenal 1–0 with Szoboszlai Free-Kick to Stay Top of Premier League
Prince Harry and King Charles to Meet in First Reunion After 20 Months
Chinese Stock Market Rally Fueled by Domestic Investors
Israeli Airstrike in Yemen Kills Houthi Prime Minister
Ukrainian Nationalist Politician Andriy Parubiy Assassinated in Lviv
Corporate America Cuts Middle Management as Bosses Take On Triple the Workload
Parents Sue OpenAI After Teen’s Death, Alleging ChatGPT Encouraged Suicide
Amazon Faces Lawsuit Over 'Buy' Label on Digital Streaming Content
Federal Reserve Independence Questioned Amid Trump’s Push to Reshape Central Bank
British Politics Faces Tumultuous Autumn After Summer of Rebellions and Rising Farage Momentum
US Appeals Court Rules Against Most Trump-Era Tariffs
UK Sought Broad Access to Apple Users’ Data, Court Filing Reveals
UK Bank Shares Dive Over Potential Tax on Sector
Germany’s Auto Industry Sheds 51,500 Jobs in First Half of 2025 Amid Deepening Crisis
Bruce Willis Relocated Due to Advanced Dementia
French and Korean Nuclear Majors Clash As EU Launches Foreign Subsidy Probe
EU Stands Firm on Digital Rules as Trump Warns of Retaliation
Getting Ready for the 3rd Time in Its History, Germany Approves Voluntary Military Service for Teenagers
Argentine President Javier Milei Evacuated After Stones Thrown During Campaign Event
Denmark Confronts U.S. Diplomat Over Covert Trump-Linked Influence in Greenland
Starmer Should Back Away from ECHR, Says Jack Straw
Trump Demands RICO Charges Against George Soros and Son for Funding Violent Protests
Taylor Swift Announces Engagement to NFL Star Travis Kelce
France May Need IMF Bailout, Warns Finance Minister
Chinese AI Chipmaker Cambricon Posts Record Profit as Beijing Pushes Pivot from Nvidia
After the Shock of Defeat, Iranians Yearn for Change
Ukraine Finally Allows Young Men Aged Eighteen to Twenty-Two to Leave the Country
The Porn Remains, Privacy Disappears: How Britain Broke the Internet in Ten Days
YouTube Altered Content by Artificial Intelligence – Without Permission
Welcome to The Definition of Insanity: Germany Edition
Just a reminder, this is Michael Jackson's daughter, Paris.
Spotify’s Strange Move: The Feature Nobody Asked For – Returns
Manhunt in Australia: Armed Anti-Government Suspect Kills Police Officers Sent to Arrest Him
China Launches World’s Most Powerful Neutrino Detector
How Beijing-Linked Networks Shape Elections in New York City
Ukrainian Refugee Iryna Zarutska Fled War To US, Stabbed To Death
Elon Musk Sues Apple and OpenAI Over Alleged App Store Monopoly
2 Australian Police Shot Dead In Encounter In Rural Victoria State
Vietnam Evacuates Hundreds of Thousands as Typhoon Kajiki Strikes; China’s Sanya Shuts Down
UK Government Delays Decision on China’s Proposed London Embassy Amid Concerns Over Redacted Plans
A 150-Year Tradition to Be Abolished? Uproar Over the Popular Central Park Attraction
×