iOS Security Reports Say No iPhone Is Safe - InformationWeek
Commentary
4/2/2015
03:36 PM
Joe Stanganelli

iOS Security Reports Say No iPhone Is Safe

Recent research demonstrates that CIOs and other IT leaders need to pay more attention to iOS security.


Vulnerabilities in Apple iOS are cause for concern for CIOs and other IT leaders, as a range of recent research demonstrates weaknesses in the operating system and some of the apps that run on it.

Network security firm GFI Software issued a report that ranked operating systems by number and severity of vulnerabilities reported in 2014.

The report is based on GFI's analysis of the National Vulnerability Database, which is maintained by the National Institute of Standards and Technology.

According to the GFI report, Apple took the top two vulnerability spots, with its Mac OS X at No. 1 with 147 vulnerabilities, followed by Apple iOS with 127 vulnerabilities. The Linux kernel was a close third, followed very distantly by Ubuntu and Windows. Android, meanwhile, had only six reported vulnerabilities for 2014 (although GFI took care to note that this number did not include certain Linux vulnerabilities that also apply to Android).

This report would seem to fly in the face of conventional wisdom that suggests Apple platforms are inherently more secure than their counterparts. Part of this might have to do with the fact that, in the past couple of decades, Apple has gone from tech underdog to tech champion -- tightening its grip on the mobile market. In the fourth quarter of 2014 (Apple's best ever), iOS dominated enterprise-scale smartphone activations, accounting for 73% of that market. Android accounted for 25% of all enterprise smartphone activations in the same time period.

(Image: Hurk via Pixabay)

Enterprise smartphone activations are tracked by Good Technology in its quarterly Mobility Index Report.

Based on analysis of monthly smartphone activations by its customers in Q4, Good Technology determined that iOS makes up 81% of devices in the financial services industry, 82% of devices in the public sector, and 95% of devices in the legal sector. (It's worth noting that the Good Technology report does not measure BlackBerry enterprise activations.)


Little wonder, then, that iOS has become a very attractive target for hackers and malware-makers. According to a February 27 CNBC report citing research by security firm FireEye, hackers have figured out ways to bypass the stringent security measures of Apple's App Store by pushing their malware through email or SMS messages. The fallout is that hackers are now able to attack non-jailbroken iPhones and iPads just as well as they can hit jailbroken ones.

Even vetted iOS apps can present data security and privacy issues. According to the February McAfee Labs Threat Report, app developers and their advertising partners can be highly abusive, particularly when it comes to mobile games -- tracking various network details and other information on their users.

The dangers of mobile apps have long been a topic of concern. In 2010, Robert G. Ferrell, then an information security specialist for the US Department of Defense, told CNET in an interview:

"If you haphazardly visit every link and download every file sent to you in e-mail or posted to your social-networking pages, sooner or later you're going to get nailed. Period. Platforms are passé [for hackers]. Apps are where it's at."

And when the App Store doesn't nail a target, social engineering might. Consider the curious case of Mat Honan, a tech reporter for Wired who in 2012 became locked out of his entire digital life -- online accounts, personal devices, and all. An impostor convinced AppleCare customer support that he was Honan, and they granted him access to Honan's AppleID, despite his being unable to answer any of Honan's security questions.

While Apple promptly announced "patching" the flaw in its processes that made the Honan hack possible, the company has remained susceptible to social engineering. The following year, Apple performed the worst -- by far -- among 10 targeted companies at DEF CON's annual Social Engineer Capture the Flag Contest (SECTF). As part of SECTF, contestants inexperienced at social engineering were able to capture oodles of sensitive data ("flags") from Apple via basic research and social trickery -- scoring more than 33% more points on Apple than on the next most susceptible company.

To be fair, iOS and other Apple attacks are still not nearly as common as those among Apple's competitors (FireEye reported that approximately 96% of mobile malware still focuses on Android devices, for instance). That fact does nothing, however, to deaden the growing concern among experts about threats to mobile security. As hackers devote more attention to Apple's mobile vulnerabilities, so too should security researchers, IT departments, and CIOs.


Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ...
Comments
Technocrati,
User Rank: Ninja
4/4/2015 | 5:39:17 PM
Re: Apple: We are about Products. Not Security.
"..If you're online, you're at risk. What decisions will each of us make to help mitigate that risk on a daily basis? That's the real question."

@jagibbons Excellent points. Very true no one is safe. And it is the responsibility of the individual to be proactive in their use of safeguards and sensibility. We are talking about the less technically inclined which numbers far more than we would like to admit.

True. Not everyone is truly invested in the tech experience. Many people see it as just something that just is much like a car or the phone. So I have to ask the question of are vendors (Apple in particular) doing enough for these types of users?

On its face, Apple is doing a decent job, but as you mention it is about pro-active management and awareness of threat. For many years Apple either has(in) overtly claimed to be a "safer" computing experience - and since we and (Apple) know this is not necessarily the case - How long do they continue to benefit from the misconception?

This misconception whether purposely or not has resulted in millions of additional units sold but I guess my real question is when will they (Apple) come clean to the laymen and when they actually educate this segment?

Sounds to me like a series of commercials from Apple might raise awareness. I doubt we will be seeing such a commercial anytime soon though.
jagibbons,
User Rank: Ninja
4/3/2015 | 12:40:43 PM
Re: Apple: We are about Products. Not Security.
This is not a binary situation, not a choice of a "secure" product or an "insecure" product. The fact is that every device on the internet can be attacked. The individuals out there trying to perpetrate fraud and theft outnumber those who are chasing them down. All it takes is one vulnerability to gain access. The good guys have to protect 100% of vulnerabilities. It's a losing battle.

Now that we can all agree that nothing is completely safe, let's make sure consumers are properly informed that they aren't safe online just because they buy an Apple device (still a common misconception that I see among those less tech inclined).

If you're online, you're at risk. What decisions will each of us make to help mitigate that risk on a daily basis? That's the real question.
Technocrati,
User Rank: Ninja
4/2/2015 | 11:15:47 PM
Apple: We are about Products. Not Security.

Did people really think Apple's products were more secure? Of course they did and thanks for debunking the myth. I must admit I was surprised by the number of vulnerabilities in OS X. I am a little more understanding of iOS, which leads me to believe Apple has lost some focus since Jobs passed.

Instead of working on the "hard stuff" like vulnerabilities and the fact that OS X still doesn't work well in a network environment - we have instead approx. four different models of watches on the way.

I thought Mr. Cook might be a granular type of CEO, but I was wrong. It is simply about how many products they can sell - Vulnerabilities? What vulnerabilities.

Apple seems to have taken a page from Microsoft's book.
