If you wish to read the latest on XcodeGhost and iOS click here.
I wrote a report in April 2015 titled ‘Is Apple’s iOS a malware magnet’ and it's worth a read now to refresh your memory. It was a companion article to ‘Is Android a malware magnet?’ and ‘Is Apple’s OS X a Malware magnet?’
It is time – not to re-write those articles because they are still relevant – but to look at what has happened since April. It is not pretty for iOS.
Let’s start with the Apple assertion (quote) “The iOS platform is completely secure – Apple designed the iOS platform with security at its core. Keeping information secure on mobile devices is critical for any user, whether they are accessing corporate and customer information or storing personal photos, banking information, and addresses. Because every user’s information is important, iOS devices are built to maintain a high level of security without compromising the user experience."
This is clearly nothing more than marketing hype.
|
|
Vulnerability challenge
Zerodium has offered a US$1 million iOS 9 bug bounty (and $3 million in total) for a browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices. It is focused on “high-risk flaws accompanied by a fully functional and reliable exploit leading to arbitrary code execution, or privilege escalation, or sandbox bypass/escape, or sensitive information disclosure.”
Zerodium says, “Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation.”
I think there are several words there that need to be clarified.
- ‘often affected’ – how often?
- ‘critical security vulnerabilities’ – how critical?
- ‘the most secure mobile OS’ – not true as Windows Phone has just one reported vulnerability
- ‘But, don’t be fooled’ - perhaps the most telling words in this statement
And finally Zerodium may not find a vulnerability and not have to pay out – the competition ends on 31 October. Why isn’t Apple offering a bug bounty? Microsoft, Google, and many more – in fact, 152 software organisations offer this.
CVE now lists 694 vulnerabilities in iOS – up from 127 listed in April. Remember that most — not all — of these have been actioned by Apple in its iOS 9 release. This increase simply means that cyber criminals have now decided iOS is the next big target.
By comparison
- Windows (apart from Windows Mobile OS) – in its entirety has had 727 vulnerabilities – only seven were discovered in 2014 and it's too early to tell for Windows 10
- OS X in its entirety – has had 1206 vulnerabilities – 352 of these discovered in 2014/15 so far
- Android is a little more complex as there are 47 versions starting from 1.0 to 5.x but in total there are 54 main vulnerabilities and an unknown number of variations.
Many of the issues are caused by programs like Flash and Java with 545/413 vulnerabilities that affect multiple OSs.
All OS makers have learned lessons and only take responsibility for apps loaded via their own app stores. Windows cannot do that (except on Windows Phone and later Windows 10 Mobile) as it has depended on user installable programs from hundreds of thousands of independent developers.
Back to iOS and its app store checking process
Apps are entirely checked by other software – with little human intervention apart from whether they look good. There are scans for malicious code that XcodeGhost could disguise in a compiled app. Xcode also passed Apple’s Gatekeeper technology and was allowed to execute on iOS — a major issue — so much for sandboxing.
In April, more than 1,000 iOS apps in iTunes were found to have an SSL exploit that could compromise users' banking details. It was not maliciously exploited by cyber criminals – but it could have been. Prior to that, there was the potential for WireLurker (via USB from Mac or Windows), Masque, HeartBleed, ShellShock, Olag Pliss ransomware (driven by Find my Phone cloud vulnerability), Safari vulnerabilities, Java and Flash vunerabilites, and the iCloud Jennifer Lawrence password hack. Many vulnerabilities are initially aimed at OSX and can be modified for iOS which has UNIX roots too.
According to Source DNA there are too many apps in the store to keep up-to-date. Sadly, many developers do not actively keep their apps up-to-date with bug fixes, and there are a bunch of apps which are still using the broken version of AFNetworking, despite the availability of a patch. SourceDNA analysed 20,000 apps which contain versions of the AFNetworking package, and determined that about 1,000 are still using the broken SSL check. Apple claim over 1 million apps in the store.
Security firm Sophos comments, “Apple’s walled garden App Store — where applications are fully vetted before being made available to customers — has prevented widespread malware infection of iOS users … Evidence of malware showing up in the App Store is anecdotal at best, as Apple does not typically volunteer such information. iOS is vulnerable. Take the tale of Charlie Miller, a security researcher who deliberately created a suspicious application and submitted it to Apple. Apple initially approved the application, which uncovered a bug in iOS …”
Conclusions
It appears that cyber-attacks on iOS will ramp up in the future.
Apple does not help by continuing to insist, nay convince people, that they do not need to protect their devices.
Apple does not help by ignoring this and not seeking independent help from the security industry.
Apple does not help by preventing malware infected apps making their way into its supposedly safe app stores.
Apple does not comment …
I don’t care if it's Android, iOS, Windows, OS X or Linux – the greatest security issue is you. Poor passwords, opening phishing emails, loading mal/ware/spyware, and complacency are all major contributors.
