"In short, we can gain control over anyone who asks for our SQLite-controlled database," they continued.
When you search for a contact or look up information in an app, you are really querying a database, and that database is very often SQLite.
Documented in a 4,000-word report seen by AppleInsider, the company's hack involved replacing part of Apple's Contacts app, and it also relied on a known bug that has not been fixed four years after it was discovered.
"Wait, what? How has a four-year-old bug never been solved?" the researchers write in their document. "This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source, and it was therefore muted accordingly. However, SQLite usage is so versatile that we can still trigger it in many scenarios." In other words, the bug was considered unimportant because it was believed it could only be triggered by an untrusted application that gained access to the database, and on a closed system such as iOS there are no untrusted apps. However, Check Point's researchers managed to get a trusted app to issue the query that triggers the bug and exploits it.
They replaced a specific component of the Contacts app and found that, while apps and any other executable code must pass Apple's boot-time signature checks, a SQLite database is not executable and so is never checked.
"Persistency [keeping the code on the device after a restart] is difficult to achieve on iOS," they said, "since all executables must be signed as part of Apple's Secure Boot. Fortunately for us, SQLite databases are not signed."
Detail from Check Point's documentation.
The researchers needed access to the unlocked device to install the replacement for part of Contacts. After that, however, they could choose what happened whenever the Contacts database was queried.
For the demonstration, they simply made the app crash. The researchers said they could instead have made it steal passwords.
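The defensive counterpart to the point above, as an added example that is not from the Check Point report or from Apple: because SQLite files carry no signature, an application that writes a database can seal it with an HMAC and refuse to hand the file to SQLite unless the tag and the 100-byte file header still check out. The key, file path and contacts table below are constructed for the demonstration.

```python
import hashlib
import hmac
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"

def parse_header(head: bytes) -> dict:
    """Sanity-check the fixed 100-byte file header before SQLite itself parses it."""
    if len(head) < 100 or head[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = int.from_bytes(head[16:18], "big")
    page_size = 65536 if page_size == 1 else page_size  # the value 1 encodes 65536
    if page_size < 512 or page_size & (page_size - 1):
        raise ValueError("invalid page size")
    return {"page_size": page_size, "page_count": int.from_bytes(head[28:32], "big")}

def db_tag(path: str, key: bytes) -> str:
    """HMAC-SHA256 over the whole file; the app that writes the DB stores this beside it."""
    with open(path, "rb") as f:
        return hmac.new(key, f.read(), hashlib.sha256).hexdigest()

def open_verified(path: str, key: bytes, expected_tag: str) -> sqlite3.Connection:
    """Hand the file to SQLite only if header and tag both check out, and then read-only."""
    with open(path, "rb") as f:
        parse_header(f.read(100))
    if not hmac.compare_digest(db_tag(path, key), expected_tag):
        raise PermissionError("database file changed since it was sealed")
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def demo() -> tuple:
    """Constructed scenario: seal a small contacts DB, then overwrite part of the file."""
    key = b"constructed-demo-key"  # in a real app: a per-app secret from the keychain
    path = tempfile.mkdtemp() + "/contacts.db"  # constructed temporary database
    con = sqlite3.connect(path)
    con.executescript("CREATE TABLE contacts(name TEXT); INSERT INTO contacts VALUES ('alice');")
    con.close()
    tag = db_tag(path, key)
    con = open_verified(path, key, tag)  # untouched file: accepted
    rows = con.execute("SELECT count(*) FROM contacts").fetchone()[0]
    con.close()
    with open(path, "r+b") as f:  # simulate swapping in modified bytes
        f.seek(100)
        f.write(b"\xff" * 16)
    try:
        open_verified(path, key, tag)  # modified file: refused before any query runs
        rejected = False
    except PermissionError:
        rejected = True
    return rows, rejected
```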
"We found that just querying a database is not as secure as you expect," they said. "We proved that memory corruption issues in SQLite can now be reliably exploited."
"Our research and methodology have all been revealed in a responsible way to Apple," they concluded.
This is not the first time that a flaw in SQLite has led to a vulnerability, nor the first to have remained unfixed for years.