Of all the mobile devices featured in the alleged CIA documentation dump released by Wikileaks earlier this week, the iPhone is mentioned the most. Pages upon pages of research and exploits related to Apple’s smartphone are now in the hands of anyone with an internet connection. It might seem like a reason to panic, and plenty of people are already doing just that, but according to one of the most well-respected iPhone hackers on the planet, nothing in the collection of information should pose any threat to an up-to-date iPhone.
Will Strafach is the CEO of Verify.ly, a software security firm specializing in mobile devices. He also used to be one of the most famous iOS jailbreakers around, and his opinion on mobile security exploits is one of the very few that you should actually care about. He’s taken a look at the CIA documents related to the iPhone, and doesn’t see anything to worry about — assuming you’re running the latest firmware.
“The one thing I was at least able to definitively clear up is this: the leak contains nothing which an attacker could download and use to hack an up-to-date mobile phone (iOS),” Strafach told us. “Android experts have said the same regarding android devices on the latest firmware as well, which is interesting as it demonstrates that Android (again, on latest firmware) can be decently secure just like iOS.”
So what about the people claiming the information included in the leak is of dire security concern to everyone with an iOS device? “The best you can do is to ask anyone who claims danger within this leak to go ahead and prove it,” Strafach says. “I guarantee you that if you ask someone to download this leak and try to use the information in it to hack your phone, they would fail.”
The seasoned security expert also wants to clear up some misconceptions about the government potentially keeping vulnerabilities secret rather than reporting them. “Some imply keeping a vulnerability private will make users unsafe,” Strafach explains. “This is an ethical debate rather than a technical one and is up to opinion, but what I can at least say is that the practice is also prevalent among experienced security researchers who need to maintain access to future revisions of an OS in order to continued their research to find new vulnerabilities, which they may either disclose or submit to a bug bounty, or create a jailbreak tool for, etc.”
“While I agree that it can be healthy sometimes to question government and call out actual abuse, in this situation, it is more about having a level playing field and I do not believe there is an ethical issue here,” Strafach says.