8

On an iPhone, does pressing the home button act as a Secure Attention Sequence?

The home button is a physical button. You can press the home button wherever you are and go back to the home screen. Is this a secure, unspoofable way to get to the home screen? Is it adequate to serve as a Secure Attention Sequence?

On Windows, Ctrl-Alt-Del acts as a Secure Attention Key. Applications can't hook or intercept Ctrl-Alt-Del. Instead, a Ctrl-Alt-Del keypress event goes straight to the OS, which takes control of the UI and displays a trusted login screen. As a result, after pressing Ctrl-Alt-Del you can be sure you're interacting with the OS, not some malicious application that's trying to spoof you. I'm wondering if the home button on the iPhone has similar properties, or if there is any secure attention sequence that works for the iPhone.

For instance, if there was a way that an iOS app could "hook" home button presses, so that pressing the home button doesn't take you to the home screen but instead notifies the app and lets the app respond appropriately, then the home button would not be a Secure Attention Sequence: a malicious app could hook it, and when the user presses the home button, display a screen that looks exactly like the home screen but it is actually presented by the malicious app. However, I don't know enough about iOS to know whether those kinds of shenanigans are possible or not. So, is the home button a Secure Attention Key, on iOS?

D.W.
  • Apps cannot intercept the hardware buttons, so probably the answer is yes. (Of course, this may only hold for a non-jailbroken device) – oefe May 02 '15 at 11:00

2 Answers

1

My brief research on the Home button showed two trends: (a) the user bypassing it with Accessibility options; (b) using certain features to prevent children from hitting it. It appears that it's a SAK in practice whether or not it's designed for it. Note that this applies to apps that haven't compromised iOS security somehow. If they do that, they might inject code to subvert the Home button or anything else.

So, the trick should help against problematic apps that can't hack the OS or drivers. The next question, which I leave to comments on mine, is whether apps can successfully DoS the phone to the point they render it and the home button unusable. I don't use iPhones so I'm not sure of their crash-resistance properties.

Nick P
0

I used to work for a company (now defunct) whose only product was security software for mobile 'phones. They could completely lock down Apple 'phones... so at that time it was possible to handle the interrupt generated by the 'home' button.

That was about 8 years ago... the only 'phones they couldn't lock like that were Blackberrys because RIM wouldn't allow anyone else access to the hooks.

matt