Last week we saw reports of yet another serious messaging vulnerability in iOS 13.4 (and iOS 13.4.1) that could crash your iPhone when a certain string of characters is received in a text message or email.
The bug in question this time around involves a Sindhi text string that has been dubbed “Capture the Flag” due to the inclusion of the Italian flag in the early versions of the string that were making the rounds. However, the flag isn’t inherently a part of what triggers the bug; the trigger is a specific sequence of characters from the Sindhi language.
For most people, receiving the text string will simply lock up their iPhone, requiring you to force-restart it using the hardware buttons before it returns to normal operation. The worst part of this, however, is that you don’t even need to open the message in question to be affected by this bug — if you have notifications enabled, the mere appearance of the incoming message notification will temporarily render your iPhone unusable.
There have also been reports of some users requiring a full DFU mode restore of their iPhone to get it working normally again, but these seem to be exceptions rather than the rule.
The bug seems to exist in Apple’s first-party Messages and Mail apps, but it’s equally possible that it can be triggered if the string is sent through other channels such as WhatsApp or Facebook Messenger, since the problem appears to be with the core rendering of the Sindhi characters in the operating system itself. The bug also apparently affects not only iPhones and iPads, but also the Mac and Apple Watch. In fact, the Apple TV and HomePod are likely only immune because they can’t actually receive messages in the traditional manner.
A Fix Is Coming
The good news, however, is that Apple plans to move quickly to issue a fix for the problem, and in fact it kind of already has: iOS 13.4.5, which is currently in public beta, doesn’t suffer from the issue at all, so it seems that this is simply a matter of Apple either packaging up the current iOS 13.4.5 as a public update, or at least rolling the fix into an interim iOS 13.4.2 update.
While it’s unclear which path Apple is going to take at this point, according to Forbes, Apple is expected to release the “emergency update” this week, which will also patch another vulnerability in the iOS Mail app.
Text Bombs Keep Surfacing
This is far from the first time that a text message has been able to cause problems for iPhone users. In 2015, an Arabic string was found that could crash iPhones, and in fact spin them into a loop of reboots as long as the message remained in the Messages app. There were a few workarounds to deal with the issue, which involved having Siri read and reply to the message so that it wasn’t at the top of your list anymore, and Apple released a patch fairly quickly. A similar problem plagued iOS 10.2 as a result of a weird emoji character; however, this one was already fixed in iOS 10.2.1 before more people discovered it.
Then back in 2018, a Telugu language character wreaked similar havoc on devices using iOS 11.2.5 and macOS 10.13.3, impacting not only the Messages app, but also WhatsApp, Facebook Messenger, Microsoft Outlook, Gmail, and probably a few more. Again, the issue was with the way that iOS (and macOS) attempted to render the character string in question at the operating system level, so it wasn’t platform specific. Once again, an emergency update was pushed out ahead of the larger iOS 11.3 release to fix this one specific problem. Another bug found last year was already patched in iOS 12.3 before most researchers found out about it.
Why Does This Keep Happening?
So Apple has generally been able to stay ahead of the problem — even iOS 13.4.5 has already addressed it, whether intentionally or not — but it may lead you to wonder why Apple can’t do something to prevent these problems from recurring. You’d think that once they’d fixed it, it would be fixed, right?
Unfortunately, the answer is a bit more complicated, and it has to do with the wide variety of foreign languages and foreign language characters out there, and the fact that the standards for them get updated each year.
You may have already heard of the Unicode Consortium in relation to the new emoji that appear each year, but approving and standardizing new emoji characters is actually only a very small part of what the Unicode Consortium does. It’s merely the most visible because emoji characters are fun and exciting, while Telugu and Sindhi language characters are considerably less interesting for most people — at least until they start causing your iPhone to crash.
Each year, Apple has to incorporate the new Unicode standards into its iOS versions, and as a result, it’s seemingly inevitable that a few character rendering problems are going to slip through that don’t get addressed, especially since most of Apple’s developers likely don’t even speak the languages in question at all, much less fluently.
While Apple’s developers should arguably be more on the ball, problems with Unicode character encoding and software development go back for decades, and while most of these bugs are annoying, they’re not serious in terms of creating actual security or privacy issues or causing catastrophic data loss, so testing for what amounts to hundreds of thousands or even millions of possible character combinations doesn’t get assigned an especially high priority by software engineering project managers.