CVE-2016-4686
Description
In iOS before 10.1, the Contacts component fails to prevent app access to the Address Book after the user revokes permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Contacts component in iOS before 10.1 does not properly enforce address book access revocation. After a user revokes an app's permission to access the Contacts database, the app retains the ability to read contact data because the permission revocation is not actively enforced by the system. This affects iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later running iOS versions prior to 10.1 [1].
Exploitation
An attacker would need to have already installed a malicious app on the user's device that requests and initially obtains address book access. After the user revokes the permission (e.g., via Settings > Privacy > Contacts), the app can still read contact data by using a previously obtained handle or cache. No additional network access or user interaction beyond the initial grant is required [1].
Impact
An app can continue to read the user's contacts without authorization, leading to persistent information disclosure of potentially sensitive contact data. The attacker gains no system-level privileges but violates the user's explicit privacy preferences [1].
Mitigation
Apple addressed this issue in iOS 10.1, released on October 24, 2016. Users should update to iOS 10.1 or later. No workaround is available for older versions [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.1
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/93848 (nvd; Third Party Advisory, VDB Entry)
- support.apple.com/HT207271 (nvd; Vendor Advisory)
- www.securitytracker.com/id/1037088 (nvd)