Insecure Default Configurations

Despite all the impressive security features built into the iOS platform, Apple apparently still fails to understand the importance of safeguarding its users' SMS text messages. By default, when you get a new iPhone, "previews" of your received messages are displayed on the device's screen, even when it's locked. This can lead to some obviously uncomfortable disclosures, ranging from your midday "sexting" in the workplace to the SMS alerts from your local pharmacy telling you that your herpes prescription is ready to be filled. But what many people (...and apparently Apple) fail to realize is that this seemingly innocent information disclosure can have consequences that are far worse than disclosing your extra-marital affair with your wife's best friend (as if that isn't already bad enough).

Why is this a Problem?

SMS text messaging is commonly used by applications and services for MFA (multi-factor authentication) and account recovery (password resets). This means that if somebody is able to peer into the contents of your messages on your locked device, they can potentially gain access to any number of your web service accounts (email, social networks, bank account, etc.).

Fun with Dick and Jane

Let's consider an example of a domestic couple. Let's call them Dick and Jane.
Dick is naive and thinks that Jane is "a really nice girl" who is just overly friendly. Despite his misplaced trust, Dick eventually gets suspicious and decides that he wants to hack into Jane's Gmail account. Fortunately for Dick, Jane has an iPhone and, like most casual users, she does not bother to change the default configurations of the device. One day, Jane goes to the ladies' room to "freshen up" and happens to leave her phone on the coffee table. But it's locked, and Dick does not know her passcode to unlock the phone. All hope is not lost for Dick, though. He can probably still gain unauthorized access to any of her accounts. How, you ask? Let's do a quick demo...

Gmail Hacking Demonstration

In order to successfully complete this attack, the following conditions must exist:
  • Access to the victim's locked iPhone (hang around someone long enough and this opportunity presents itself)
  • Knowledge of the victim's email account and phone number (if you know the person, you probably already have this)

So grab a computer and attempt to log in to Gmail with the victim's account. But instead of entering the password (since you don't know it), you click the "Forgot Password" link. Google will then ask you for the last password that you remember. If you click "I don't know", you will be given the option to recover the account using SMS.

As soon as you confirm, the victim will receive the message on their iPhone. Assuming they have not changed the default configurations, you can now see the recovery code from the lock screen of their iPhone.

Provide this code back to Google...

...Voila!!! You are now able to reset the password...

...and gain unauthorized access to the account.

I used Gmail in this demonstration because it is a common, well-known example of how this insecure iOS default configuration could be leveraged to gain unauthorized access to someone's accounts. But this same type of attack could similarly be used for numerous services across the web (email, social networks, bank account, etc.). So how can iPhone users avoid being a victim?

Remediation

Until Apple addresses this issue on their end and makes the secure configuration the default, each individual user will have to address it by changing the default configuration of their iOS device. To do this, go to Settings > Messages and then flip the slider for "Show Previews" to off.