Watch out! Siri Shortcuts on iOS can steal confidential data

By Shubham Sharma

Jan 31, 2019

12:35 am

What's the story

With the launch of iOS 12 last year, Apple introduced Siri Shortcuts as a cool new way to automate complex tasks. The company offered its own pre-designed set of Shortcuts and even gave users an option to create/share custom shortcuts for different tasks. But, as it turns out, the same flexibility from the Cupertino giant opens gates for stealing data from iPhones. Here's how.

Issue

How Shortcuts can be used to steal data?

Simeon Saëns, the developer of iPad app Codea, has revealed that bad actors can create and share custom shortcuts to steal personal and highly confidential information from your phone. Just recently, he was tipped about a malicious shortcut, which posed as a regular memory cleaner but actually siphoned off information from iPhones, uploaded it online, and sent its link to an attacker via iMessage.

Twitter Post

Here's what the developer tweeted

I’ve just been made aware (by @AvimanyuRoy3) that it is trivially easy to steal highly sensitive personal information from an iPhone via Shortcuts

Just browsing through the malicious Shortcut is mind blowing

You'll be unsettled what your phone has on you /1

— Simeon (@twolivesleft) January 23, 2019

Information

And, it stole a trove of information

And, what's even more worrying is the amount of information an attacker could mine using Shortcuts. In this particular case, it was "personal contacts, names you've typed into iMessage, addresses, browsing history, app usage, [and] file contents".

Apple's fix

Apple notified about the issue, but questions remain

Simeon has contacted Apple regarding the issue and hopes that the malicious Shortcut would be removed soon. However, that's not the real issue; lack of oversight and regulation of Siri Shortcuts (like iOS apps) is the main problem. "You couldn't expect a reasonable user to know what they were agreeing to run when receiving an Apple-hosted link," the developer emphasized on Twitter.

Recommendation

So, watch out when you download Siri Shortcuts

That said, it is imperative to note that anyone can create and share Siri Shortcuts, even someone who wants to mine your data. To avoid malicious Shortcuts, it is recommended to exercise caution while downloading and installing intriguing shortcuts available through Reddit threads or websites like ShortcutsGallery.com. As an additional step, go through comments to make sure if they work as promised or not.