by ajross 5324 days ago
Missing the point, I think. There's no security bug here. The application isn't responsible for verifying the root CA in typical security models (though some, like Chrome, do something similar -- that's how the compromised Dutch CA was discovered). The idea is that the CA list is populated by your platform vendor and you trust it.

The trick here was that Siri was asking for an HTTPS connection to a named server, and you can't MitM that without having a signed cert for that server. So they added a new CA to their local (jailbroken) iPhone platform data and signed a cert for the Siri server.

No, it's not jailbroken (there's no jailbreak for the iPhone 4S). This is just a feature of the iPhone: if you embed an SSL certificate in a mobile provisioning profile, it will add it to the system list. This is mostly intended for enterprises who might have a special SSL cert for their intranet, but it works for this purpose as well.
And for anyone thinking about ways to fix that problem, the researchers could have hooked SSL's read/write calls using a DYLD interposing library. Once you get superuser access on the phone, you can't trust your code to be safe.
There is no jailbreak for the iPhone 4S (at least not publicly available), so any hacks like this must be done from outside the device.
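The trust-model point the thread turns on (the client dials a server by name, so an interceptor needs a certificate for that name that chains to a root the device trusts) can be reproduced with a throwaway PKI. The script below is an added example, not code from the thread, from the researchers, or from Apple. It builds a private root standing in for the CA that the profile adds to the phone, issues a leaf for the named host, and then runs `openssl verify` twice: once with that root in the trust list and once with an unrelated root standing in for the vendor-shipped list. The hostname, CA names and working directory are hypothetical.

```shell
#!/bin/sh
# Added example (not from the HN thread): show that a leaf cert for the dialled
# hostname is accepted only when the issuing root is in the verifier's trust list.
# Hostname, CA names and paths are hypothetical; requires the openssl CLI.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
HOST="siri.example.invalid"   # hypothetical stand-in for the real Siri hostname

setup_pki() {
    # Config shared by the roots and the CSR; v3_ca sets the CA bit so that
    # verifiers will accept the self-signed cert as an issuer.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Lab root: the CA an attacker gets onto the device via a profile.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -subj "/CN=Lab Root CA added via profile" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

    # Unrelated root: stands in for the vendor-shipped list the attacker cannot touch.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -subj "/CN=Vendor Root CA" \
        -keyout "$WORK/vendor.key" -out "$WORK/vendor.pem" >/dev/null 2>&1

    # Leaf for the named server, signed by the lab root. The SAN is what
    # -verify_hostname (and a real TLS client) matches against the dialled name.
    cat > "$WORK/leaf.cnf" <<EOF
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/ca.cnf" -subj "/CN=$HOST" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf_against ROOT.pem: exit 0 if leaf.pem chains to that root AND its
# SAN matches $HOST, non-zero otherwise. The system default file/dir stores are
# disabled so only the supplied root counts.
verify_leaf_against() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
        -verify_hostname "$HOST" "$WORK/leaf.pem" >/dev/null 2>&1
}

setup_pki
if verify_leaf_against "$WORK/ca.pem"; then
    echo "lab root in trust list  -> cert for $HOST accepted (interception works)"
fi
if ! verify_leaf_against "$WORK/vendor.pem"; then
    echo "lab root not in list    -> cert for $HOST rejected (interception fails)"
fi
```

The only thing that changes between the two runs is the contents of the trust list; the leaf, its hostname and its signature are identical. That is why adding a root through a profile is enough on its own, and why a client that wants to resist it has to check something beyond chain validity (a pinned key or CA, as the comment about Chrome describes).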