Inside the tale of the iOS app vulnerability that Apple knows about but hasn’t patched yet. Are you sitting comfortably?
Once upon a time there was a gallant researcher who found a vulnerability with iOS devices, reported it to Apple who fixed it, found they hadn’t fixed it properly so reported it again and, some six months later, is still waiting for that fix to appear. Welcome to the strange case of the Su-A-Cyder sandjack attack. To get to grips with sandjacking you first need to understand sandboxing, specifically the Apple iOS sandbox. It is here where every iOS application must run, and must do so to prevent other processes from accessing it or any data that is associated with it. As you can imagine, Apple has put rather a lot of effort into protecting the sandbox from those who would compromise it and the data it can contain. Although that’s not to say those who like to break things haven’t been skimping on their efforts to do the opposite of course.
