Much of the concern around mobile operating systems and services has focused on the risks inherent in the Android platform. The openness and reach of that ecosystem have made Android at once the most widespread mobile platform, the most widely targeted, and the most successfully exploited.
Google’s Android has traditionally had a less rigorous app permission model, a more open app distribution model with support for third-party app stores, and far wider embedding in a greater array of devices and services than Apple’s iOS. For these reasons and others, online criminals have focussed their attention on Android almost to the exclusion of iOS. In fact we have witnessed an explosion of malware and malicious apps for Android whose rate of adoption and acceleration is without peer: it took Android malware only three years to reach a volume that took Windows-based malware 15 years to reach.
With this in mind it is easy to understand how iPhone users have slipped into a mind-set already common among users of Apple’s Mac OS: the belief that their device of choice is simply “less vulnerable” or “more secure” than competing offerings. How true is that? Does “less targeted” equal “more secure”? The answer is “no.” A house without any locks on its doors remains vulnerable even if it has not yet been burgled; the absence of burglars so far says nothing about the locks.
One objective measure is the volume of vulnerabilities disclosed for each platform, and the results may surprise some. According to the US National Vulnerability Database, iOS has a shade over 400 vulnerabilities since its initial release and Android follows a close second with almost 350. Given that iOS has been on the market slightly longer, the small difference in totals is almost unremarkable (and such counts measure catalogued disclosures, not the flaws that exist, so they favour neither platform much). What is far more remarkable is the lack of malware for iOS: the vulnerabilities are there in comparable numbers, but they are not yet being turned into attacks at scale.
Two factors may combine in the near future to address this imbalance; one under the control of the vendors, the other decidedly less so.
A key industry trend right now is convergence, and Apple is no exception: there is already an increasing degree of functional convergence between Mac OS and iOS, and who is to say what the future holds from a codebase perspective. As desktops, mobiles, smart devices, home entertainment and wearables converge, the result is a more homogeneous and interlinked attack surface, and attackers will undoubtedly exploit it: a vulnerability in shared code or a shared service reaches every device that depends on it. Couple this with a mistaken reliance on an imaginary invulnerability and the target becomes very attractive indeed.
The second factor harks back to the predictions that we made at the end of 2014. The next 12 months will see the emergence of the first truly cross-platform exploit kits, providing an automated means to exploit vulnerabilities on any system unlucky enough to be targeted. For smartphones in particular, this means attackers can break out of the cage of the app store environment. They are no longer obliged to rely on a third party’s storefront and some injudicious behaviour on the part of the victim, such as installing bogus apps. A cross-platform exploit kit allows an attacker to exploit iOS and Android alike, as long as a vulnerability exists, just as such kits already do in more traditional computing environments. A critical vulnerability in a mobile OS then becomes just as important, attractive and valuable to an attacker, and just as problematic to a defender, as it already is in the desktop world. Given the high level of integration between work and personal lives and the general lack of device management, perhaps even more so…
Let us hope that forums like the Personal Privacy and Security Marketplace at CES serve to elevate the dialogue and bring those concerns and their associated reality even to the ears of the behemoths of the industry.
Please add your thoughts in the comments below or follow me on Twitter; @rik_ferguson.