In the shift from desktop to mobile computing, many age-old cybersecurity issues have lived on, from PDFs with malicious payloads to browser-based attacks. Although leading ecosystems such as iOS and Android are more carefully stewarded than the PC operating systems of yesteryear, this oversight hasn't meant freedom from risk. Trend Micro researchers observed well over 1 million problematic Android apps last year, and plenty more have made headlines in 2014 already:
- In China, a computer science student created an SMS client that infected 100,000 phones with messages containing a link to the app. The country's carriers ultimately blocked more than 20 million potentially harmful transmissions.
- A vulnerability in Android's hard-coded certificates was discovered this June. These certificates allow a few applications, most notably Adobe Flash Player, special access to the OS. It's theoretically possible for attackers to imitate the Adobe certificate and inject arbitrary code.
- An F-Secure study found that Android was home to 97 percent of all mobile malware. Most of these threats are downloaded from third-party stores in the Middle East and Asia (relatively few come from the official Google Play Store).
Despite these figures, Android doesn't have a monopoly on mobile security issues. Devices running iOS and other platforms are still prone to surveillance and disruption, whether from network attacks or flaws in the OSs themselves. The gotofail exploit in iOS, patched earlier this year, demonstrated how a simple C coding error could compromise the SSL encryption that protects so much on the Web from surveillance and interception.
Undoubtedly, iOS has some significant security advantages over Android. It is managed by one company – Apple – that also serves as the manufacturer, and carriers have minimal input. The current design of iOS also prevents issues that might arise from interactions between apps or unauthorized app stores. Each app is sandboxed (although extensions are coming in iOS 8) and software can't be downloaded from anywhere except the App Store, barring a device jailbreak.
Moreover, Android is under much more pressure from attackers due to its larger installed base, even if it only recently surpassed iOS in actual usage. But iOS still has enough issues to make it worth addressing as part of endpoint security efforts. As of August 2014, iOS accounted for 67 percent of enterprise mobile device activations.
What can go wrong on iOS?
Botnets and other large-scale infections have been virtually non-existent on iOS since it came to market in 2007. Its aforementioned security architecture goes a long way in explaining this strength. Many iOS issues are proofs-of-concept discovered by security firms, rather than real-world incursions.
With iOS, though, it's important for organizations to avoid becoming complacent. A team of researchers at the Georgia Institute of Technology discovered one possible vector for iOS-specific attacks – the iTunes syncing process. They detailed their findings in a recent paper focused on how exploitation of the Apple File Connect protocol would provide an opportunity to hijack cookies from an iPhone or iPad and steal information from webmail and social media accounts.
"We believe that Apple kind of overtrusted the USB connection," stated Tielei Wang, a member of the team and co-author of the paper.
The vulnerability itself is less notable than the revelation that a key part of many users' daily workflows on iOS could be compromised. For all of the advances over the past 7 years in iOS functionality and the capabilities of the devices running it, there are parts of the iOS ecosystem that feel like relics, from cable-syncing (not required from iOS 5 onward, but popular nonetheless) to the App Store, with its opaque approval process, unusual search algorithms and sea of knock-off apps.
Some examples of small-scale exploits along these lines include:
- An app called Jekyll, created by the same Georgia Tech team last year, passed Apple's approval process and was briefly available in the App Store. Its designers took a novel approach to introducing malware to iOS. Instead of including malicious features in the submission itself, the team created vulnerabilities that could be remotely exploited at a later date.
- Security researcher Jonathan Zdziarski recently published a paper describing what seemed like a loophole left open in iOS for years. The weakness may exist for the purpose of sharing information with law enforcement, but all the same it includes undocumented background services that bypass user data encryption.
- In China, installation of the third-party Cydia app store facilitated the infection of up to 75,000 devices with malware that lifted advertising revenue from apps. Cydia is the most popular alternative to the App Store, often used to download apps with features like widgets and deep-level permissions that aren't granted to normal software.
Addressing Android and iOS security in the enterprise
These incidents and flaws notwithstanding, Android receives the brunt of cybercriminals' attention and effort, which in many cases is what turns a theoretical vulnerability into a real issue. As Android and iOS both continue making inroads in the enterprise, security teams have to know what to watch out for on each one.
Whereas securing Android requires attention to a wide range of potential infections and exploits owing to its relatively loose design, tending to iOS may involve attention to advanced persistent threats or network exploits. The vast majority of iOS apps are safe, but there's still the matter of unsecured Wi-Fi and targeted attacks that can occur without any tell-tale signs.
"The threats that should worry iOS users most are network attacks that occur without them even knowing," Zuk Avraham, CEO of Zimperium, told Help Net Security. "Our phones go with us wherever we go, and many people want to always be connected, so they don't question the security of an airport's Wi-Fi or other so-called 'secured' networks."
Ultimately, the issues with iOS are overshadowed by those with Android (and for good reason). Complacency, though, isn't an option for organizations that rely on increasingly diverse endpoint fleets, with iOS, Android and even Windows Phone taking the place of BlackBerry. A sound network security strategy is a good start to protecting employees and data from attacks that can go after any device, regardless of its OS.