Earlier this week a video appeared on the Internet that demonstrates the existence of a vulnerability in iOS 9.3.1 (and of course all previous iOS 9 versions) that allows unauthorized users to access your pictures and contacts on a locked iPhone, without knowing or being forced to enter any code. The vulnerability was discovered by Jose Rodrigues, who found something similar last year.
The procedure begins by accessing Siri on a locked iPhone, but unlike other methods, this is relatively simple. Basically, you ask Siri to look for email addresses on Twitter. Once found, using the 3D Touch will open a quick menu where you can create a new contact or change an existing one. Therefore you gain access to agenda. If the Contacts app ever received permission to access photos on that iPhone, just choose an existing contact and select “change picture”, you can access the entire photo library without much effort.
Therefore, if you are an iPhone user and want to avoid such a situation, don’t allow Siri and Contacts to access the Pictures. Also, as an additional safety measure, you can set that Siri can not be activated if the iPhone is locked. Just check the phones Privacy and Touch ID and Passcode settings and make the necessary adjustments.
The vulnerability affects only iPhone 6s and 6s Plus, terminals equipped with 3D Touch, feature only available on them. Also, the phone must have an active Twitter account and Touch ID enabled, and if the fingerprint scan failed 5 times, so the access code becomes mandatory, then the operation fails.
One of the easiest solutions would be disabling Siri from Settings - Privacy - Twitter and/or in Settings - Privacy - Photos.
Apple has not commented about the existence of such error, but definitely will address and fix it.
iOS 9.3.1 is available for only one week to the public and is the first major update after the release of iOS 9, 9.3 at the end of March. The purpose of this update was to fix an error that led to the sudden closure of certain applications that try accessing some links.