Apple's iOS 13 Arrives with Multiple Bugs and Vulnerabilities. Fixes Are on the Way.
What is the purpose of software updates? Well, in addition to introducing new features that make products more useful, they are also designed to fix various security vulnerabilities and bring performance enhancements. Ironically, regardless of whether we're talking about applications or entire operating systems, new versions introduce security and usability problems of their own all the time. Apple's iOS 13 is no exception to the rule.
iOS 13 was launched on September 19 alongside the iPhone's latest generation – the iPhone 11. It introduced a number of different features including the "Sign in with Apple" authentication system that won't share your email address with service providers, dark mode, a built-in keyboard that supports swipe typing, photo and video editing tools, and many others. iOS 13 and iPadOS 13 are available on a wide range of devices (everything newer than the iPhone 6S and the iPad Air 2, respectively), and because Apple is known for putting relatively few obstacles between users and software updates, the new operating systems are bound to reach quite a few people very quickly. As a result, the impact of any bugs and vulnerabilities is bound to be significant. Let's see what sort of flaws the new operating system has shown so far.
A new location privacy mechanism wasn't working as expected
One of the major new features in iOS 13 was supposed to limit the amount of data companies like Google and Facebook harvest. Users were told that they have a new way of completely blocking apps from accessing the device's location, but no more than 24 hours after the official release of the new operating system, reporters from Fast Company noticed that the location setting didn't behave as expected.
In a video, they used the new privacy feature to block Facebook from accessing their device location, but when they checked again a few seconds later, the setting had automatically reverted back to "Ask Next Time". On the bright side, it wasn't sharing the user's location without their consent, but it was still not what people wanted to see from a brand new privacy-centric feature.
Third-party keyboards could get full access without explicit permission
On September 24, Apple issued a short advisory saying that under certain circumstances, third-party keyboards could present an issue. Normally, apps like Google's G-Board and Microsoft's SwiftKey can (and are known to) request "full access" permissions to the user's iDevice. This allows them to offer a more comprehensive spell checker as well as the ability to share GIFs more easily. What the iPhone maker discovered, however, is that because of a bug in iOS 13, third-party keyboards could be granted full access without first asking for it.
And with full access, the developer of a malicious third-party keyboard can even record users' keystrokes, which can potentially result in the theft of sensitive information. The consequences from the bug were quite serious, although an attack would involve crafting a malicious keyboard and then pushing it past all security defenses, which, in the iOS ecosystem, isn't the easiest thing in the world.
The TouchID authentication screen remains hidden sometimes
iOS 13's latest bug was reported yesterday by 9to5Mac. After the iOS update, reporters using pre-FaceID iPhones started experiencing some signing in issues with a few online banking and password management applications. Normally, these apps would let them log into their accounts with TouchID, but after upgrading to iOS 13, they suddenly stopped seeing the authentication screen.
Baffled, they tried to find out what was going on, and after some trial and error, they figured out that the screen had appeared. Because of a bug, however, it was invisible to the user. They said that touching the home button would complete the authentication process, despite the lack of a prompt and that in some cases, shaking the device might make the TouchID screen pop up.
Are the bugs really that serious?
People reading about all these bugs might be tempted to draw the wrong conclusion and say that we should stay as far away as possible from iOS 13 because the operating system is riddled with faults and security issues. The fact of the matter is, however, that bugs like this are bound to appear in any new piece of software, especially when we're talking about a complicated operating system like iOS 13. What is more important is to see that the vendor is addressing the problems quickly and efficiently, and thankfully, in the case of Apple, this is indeed the case.
Both the location privacy and the third-party keyboard issues have been fixed in iOS' latest version (13.1.1). The TouchID bug hasn't been addressed yet, but it's been reported to Apple, which means that a patch should be coming in the near future.
Timely patching aside, the bugs aren't even that dramatic. Indeed, under the right circumstances, some of them could present an attack vector, but successfully exploiting these particular flaws would have been a complete nightmare.
In any case, as annoying as they might be, bugs that appear after a major update should never be used as an excuse for running old software on your devices.