Siri bug reveals hidden messages even if iPhone is locked

The flaw is present in iOS 11.2.6 and the beta of iOS 11.3. Apple is working on a fix.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • An iOS 11 bug allows Siri to read out all messages from every iPhone app except iMessage.
  • Apple is aware of the iOS message reading bug, and has a fix planned for their next update.

It seems as though Siri can't keep a secret. A bug in iOS 11 allows you to ask Siri to read out loud any messages you may have from any app other than iMessage—even when the iPhone is locked, according to Brazilian tech site Mac Magazine.

One of the hallmarks of iOS 11 on the iPhone X is that it automatically hides the content of your messages from the home screen. Being able to see that you have a message—but not the message itself—was hailed as a fix after some users complained about prying eyes snooping in on their messages.

But a number of websites tested the iPhones and found that Siri would gladly read out all messages when asked. Siri asks you to unlock the phone, through Face ID, PIN code, or thumbprint, only for iMessages.

Messaging apps like WhatsApp, Skype, Signal, and Telegram were susceptible to the read-out bug, and Apple was quickly notified of the issue.

"We are aware of the issue and it will be addressed in an upcoming software update," Apple said in a statement to MacRumors.

Because many of these apps are used by business professionals, this could create security concerns for on-the-go workers who deal with sensitive communications.

The hidden messages feature is only the default on the iPhone X, though other versions of the iPhone also have that capability, found in the settings. The bug was found in both iOS 11.2.6 and iOS 11.3.

This is just one of the many security issues that have cropped up with Apple's new iOS features. While features like Face ID have been hailed as a step forward, the ACLU and privacy experts have questioned how much access app developers should have to facial scans.

While facial scans are secured on the iPhone itself, a host of app developers can gather and store information on "how often users blink, smile, or even raise an eyebrow," according to MacRumors.

Jay Stanley, a senior policy analyst at the ACLU, told Reuters in November that people should focus on app developer access to these facial scans, as opposed to them being hacked or used by the government.

"The real privacy issues have to do with the access by third-party developers," Stanley told Reuters. Apple has made an effort to show how secure their system is, and to assuage fears that facial recognition software may be used in nefarious ways.

According to Reuters, which was provided copies of Apple's developer agreement, app makers have to get "clear and conspicuous consent" from users before collecting or storing face data, and can only do so for a "legitimate feature" of an app.

"Apple does have a pretty good historical track record of holding developers accountable who violate their agreements, but they have to catch them first—and sometimes that's the hard part," Stanley said. "It means household names probably won't exploit this, but there's still a lot of room for bottom feeders."

About Jonathan Greig

Jonathan Greig is a freelance journalist based in New York City. He recently returned to the United States after reporting from South Africa, Jordan, and Cambodia since 2013.
