iOS Single App Mode Escape

Introduction

Single App Mode is a feature that locks an iOS device to run a single application. These 'Guided Access' restrictions, once configured, prevent the user from exiting the current app or launching any other apps. In other words, Single App Mode restricts the device to a single app, ensuring that users can't switch to another app or return to the home screen. This mode also controls app-related functionalities, such as touch, motion, keyboards, and dictation, to limit access. Its configuration can be done remotely via Mobile Device Management (MDM) or manually on each individual device.

Single App Mode is primarily used in public spaces, schools, businesses, or any setting where a device is intended to perform a singular function. For instance, it can be used in kiosks at trade shows, electronic storefronts, or in museums to provide information or for interactive public exhibits. Single App Mode is also used during student exams to prevent cheating, by limiting students to just the exam app. In a business setting, it can be leveraged to create point-of-sale systems, schedule displays, or any other application where a dedicated device is beneficial.

During a recent security assessment, WithSecure researchers identified a number of issues, which, when chained together, could allow an attacker to escape Single App Mode on a restricted device, thus accessing any information stored within. In common deployments, this would include credentials for the WiFi network and any other services the device was connected to. 

 

Vulnerability Details and Reproduction Steps

The steps described in this section have been successfully tested on a 9th-generation iPad running iOS 16.4, as well as an iPhone 11 and 12 on iOS 16.5 and 16.6. This list should not be considered exhaustive, and it should be assumed that all iOS devices are potentially affected.

Based on WithSecure's research, it is possible to escape Single App Mode on a device by taking advantage of what appears to be a race condition in the operating system's user interface. The process primarily involves engaging and disengaging the Sleep/Wake button, interacting with the Siri suggestion panel, and waiting for specific time durations throughout the sequence to ensure the device correctly responds to each action. Note, however, that due to the potential race condition anchoring this method, it may not be successful every time.

1. Confirm that the device is set in the Single App Mode. Users should not be able to navigate away from the foreground application through typical means.
2. Press the Sleep/Wake button to deactivate the screen.
3. Press the Sleep/Wake button again to reactivate the screen.
4. Place your finger near the battery icon on the top right corner of the screen and swipe (2-3 cm on 9.7" iPad and less on smaller devices) down from there.
5. The device should transition into a state that opens a Siri Suggestions panel at the top.
6. Continuously try to input text to the Siri Suggestions text field. When the text field starts accepting and showing input, go to next step.
7. Proceed to enter text into the Siri Suggestions box. If the UI is responsive and text appears in the box, continue with the following steps. If the device remains unresponsive, or if the Siri Suggestions box has disappeared, attempt to repeat the process from step 2.
8. Press the Sleep/Wake button to deactivate the screen.
9. Wait for approximately 30 seconds
10. Press the sleep wake button to reactivate the screen. If it doesn’t respond, wait for a few more seconds.
11. Finally, perform a swipe-up motion. This should transition you to the Operating System desktop, hence successfully escaping the Single App Mode.

From this point on, the user can interact with the device as if it was never placed in Single App Mode. This state persists until the original kiosk application is reloaded, and allows the attacker to perform actions without further restrictions. If the device is not protected with a passcode or biometrics, the attacker would be able to access and modify device settings, and retrieve information such as WiFi credentials stored within iOS.

 

Disclosure to Apple

The vulnerabilities were initially disclosed to Apple on the 8th of July 2023. Apple responded promptly, clarifying that they did not consider this bypass to be a security vulnerability and stating the following:

Thank you for contacting us. Apple takes all reports of potential security issues seriously.

Features like Guided Access and Restrictions are designed to provide parents and system administrators with the tools to discourage violations of policy by legitimate users. These features are not intended to protect a device against manipulation by a malicious person, and physical security remains an important part of protecting the data on your iPad, iPhone, or iPod touch.

In addition, please remember physical security remains an important part of protecting the data on your iOS and iPadOS device.

WithSecure researchers reached out multiple times to request further clarification on Apple's "physical security" advice, highlighting that affected devices would be publicly accessible by design. WithSecure also noted that Apple's own documentation of the feature[2] makes no mention of the fact that Single App Mode should not be relied upon as a security control. However, no further communication was received.

The following timeline details WithSecure's communication with Apple Security regarding this issue:

• 8th June 2023 - WithSecure provides initial notification and documentation to Apple Security.
• 9th June 2023 - Apple responds indicating that the issue will not be considered a security vulnerability, closing the query.
• 9th June 2023 - WithSecure acknowledges Apple's response and requests clarification regarding their suggested mitigation actions.
• 19th June 2023 - WithSecure notifies Apple of its intention to publish their findings in line with the Vulnerability Disclosure Policy.
• 30th June 2023 - Reminder e-mail sent to Apple.
• 30th July 2023 - Reminder e-mail sent to Apple.
• 23 October 2023 - Publication of blog post.

 

Remediation and Recommendations

Despite its usefulness in certain applications, Single App Mode presents considerable security vulnerabilities which cannot be ignored. The fact that it can be easily bypassed calls into question its reliability as a tool for securing devices against unauthorised access. Apple's response further complicates this issue, and indicates that future vulnerabilities of a similar class would not be addressed. Based on the inherent vulnerabilities and Apple's stance on the matter, we strongly recommend against the use of devices operating on Single App Mode in sensitive scenarios. This would especially apply to situations where an attacker obtaining access to the device's network could lead to exposure of other assets.

However, the specific vulnerability identified by WithSecure can be mitigated through careful review of Single App Mode settings[2] on all devices. By disabling the Sleep/Wake button (and any other buttons which are not essential to the device's operation), users can limit the potential attack surface of affected devices.   

 

Further Information

[1] Apple Documentation - Start Single App Mode in Apple Configurator - https://support.apple.com/en-gb/guide/apple-configurator-mac/cadbf9c172/mac
[2] Apple Documentation - Single App Mode features - https://support.apple.com/guide/apple-configurator-mac/single-app-mode-features-cadb1d640325/2.16/mac/12.4