Apple Silently Enhanced iMessage Security With BlastDoor Sandbox in iOS 14

A security researcher from Google’s Project Zero security team, Samuel Groß, has shared a detailed blog post about iOS 14.

As the post reveals, Apple has introduced one more sandbox with the latest iOS. Named BlastDoor, this sandbox in iOS 14 protects users from incoming threats that target the iMessage client. It processes every message, preventing malicious content in a message from reaching the operating system and causing damage.

Describing BlastDoor, the post reads,

One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed “BlastDoor” service which is now responsible for almost all parsing of untrusted data in iMessages (for example, NSKeyedArchiver payloads). Furthermore, this service is written in Swift, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.

This diagram illustrates the processing flow of iMessage in iOS 14.

Source: Project Zero

Apple already includes multiple sandbox services within iOS. That's how it maintains users' security.

The new security service caught the researchers' attention following a Citizen Lab report that mentioned a zero-click attack not working against iOS 14.

Apart from introducing BlastDoor, Apple has also brought two other improvements to iMessage security. These are shared cache resliding, which prevents ASLR bypass via the cache oracle technique, and exponential throttling, which limits the number of attempts an attacker can make to exploit a flaw.

Hence, the major structural reengineering that Apple introduced with iOS 14 will potentially protect users from many security exploits. The same changes have also rendered the NSO zero-click vulnerability ineffective against the latest iOS.
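
As an added illustration of the exponential throttling mentioned above (not code from Apple or Project Zero), this Python model compares how many crash-and-retry attempts fit in a day under a fixed restart delay versus a doubling one. The 10-second base delay, 20-minute cap, one-second attempt cost and 16 bits of guessing entropy are assumed values, not figures from the post.

```python
"""Model of crash-restart throttling. All parameters are assumptions."""

DAY = 86400.0  # observation window in seconds


def fixed_delay(crash_count, delay=10.0):
    """Baseline policy: the service always restarts after the same delay."""
    return delay


def exponential_delay(crash_count, base=10.0, cap=1200.0):
    """Throttled policy: the delay doubles with every crash, up to a cap."""
    return min(base * 2 ** (crash_count - 1), cap)


def attempts_within(window, delay_for, attempt_cost=1.0):
    """Count attempts that fit in `window` seconds when every attempt
    crashes the service and the next one must wait for the restart."""
    elapsed, attempts = 0.0, 0
    while elapsed + attempt_cost <= window:
        elapsed += attempt_cost          # deliver one crashing message
        attempts += 1
        elapsed += delay_for(attempts)   # wait for the service to come back
    return attempts


def success_probability(attempts, entropy_bits):
    """Chance that at least one of `attempts` independent guesses hits a
    value with `entropy_bits` bits of randomness (e.g. a randomized address)."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** attempts


def compare(window=DAY, entropy_bits=16):
    """Return (attempts, success probability) for each policy."""
    result = {}
    for name, policy in (("fixed", fixed_delay), ("exponential", exponential_delay)):
        n = attempts_within(window, policy)
        result[name] = (n, success_probability(n, entropy_bits))
    return result


if __name__ == "__main__":
    for name, (n, p) in compare().items():
        print(f"{name:12s} attempts/day={n:5d}  P(success)={p:.4f}")
```

Under these assumptions the doubling delay cuts a day's worth of attempts by roughly two orders of magnitude, which is what turns a brute-force guess from feasible into impractical.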
