How secure are Apple's iPhone and iPad from malware, really?

Filed Under: Apple, iOS, Malware, Vulnerability

Anti-virus veteran Mikko Hypponen made an interesting remark on Twitter yesterday:

"iPhone is 5 years old today. After 5 years, not a single serious malware case. It's not just luck; we need to congratulate Apple on this."

Tweet from Mikko

I'm not so sure I can agree.

Of course, there were the Ikee and Duh worms back in 2009, although one could dismiss them as not "serious" malware cases because they only infected iPhones that had been jailbroken without following the critical step of changing the default root password.

Speaking of jailbreaking, this brings up an interesting point about iOS device security.

Jailbreaking

Virtually every version of iOS has been quickly jailbroken (that is, modified to allow installation of apps and hacks not authorized by Apple or the mobile carrier).

Jailbreaking is accomplished by exploiting security vulnerabilities in iOS. The same exploits used to jailbreak (an arguably legitimate hack) could just as easily be used to infect an iOS device with malware.

Twitter reply from Josh

And what happens if you get malware on your iPhone, iPad, or iPod touch? You wouldn't necessarily know it. Not all malware has big, flashy alerts like FakeAlert malware. Some is quiet and surreptitious like Flame.

And what's worse, you wouldn't be able to detect or remove iOS malware easily because Apple doesn't allow full-featured, real-time scanning anti-virus software in the iOS App Store.

Meanwhile, you can get free anti-virus software for Android from Sophos and other vendors.

In spite of the existence of Android anti-virus software, when you compare Android with iOS, there's certainly a big difference in terms of device security.

Android app stores (including Google's own) have a history of letting in malware apps, while Apple's more restrictive App Store policies and more careful application vetting tend to keep iOS users safer.

So perhaps Hypponen is right that we should be congratulating Apple, but not for the lack of iOS malware. Rather, Apple should be commended for keeping the App Store relatively safe.

I say "relatively safe" because security researcher Charlie Miller has previously figured out how to break the App Store anti-malware model using a flaw in the iOS code signing enforcement mechanism, and there have been reports of developers working around other App Store restrictions with clever tricks; see the Security Now! episode 330 transcript and search for "vetting."

And just earlier this month, a clearly bogus app purporting to be Microsoft Word 2012 was mistakenly approved by Apple, and appeared in the iOS App Store.

Bogus Microsoft Word 2012 app

Apple still has a long way to go in making the iOS platform more secure, for example by not making users wait months for security patches.

It took Apple four months after the release of iOS 5.0.1 for the next security update to become available, iOS 5.1, which patched a whopping 81 vulnerabilities. That's too long. I realize that 5.1 added a lot of features, but Apple could have easily patched the 81 vulnerabilities in a security-only update and called it "iOS 5.0.2" while working on adding new features to 5.1, but they didn't do that.

Meanwhile, the jailbreaking community are masters at exploiting undisclosed vulnerabilities, and ready to exploit them whenever Apple releases a new version of iOS. If these hobbyists can collect and take advantage of vulnerabilities, just imagine what others (a government perhaps?) could do.

And this isn't fantasy: defense contractors are already openly hiring people with experience of exploiting vulnerabilities on mobile devices.

Job description from Booz Allen Hamilton

The history of jailbreaking iPhones and iPads has provided plenty of evidence that smartphone users are being made to wait too long to get security updates for their devices.

So yes; good job, Apple. But you can do a lot better.


26 Responses to How secure are Apple's iPhone and iPad from malware, really?

  1. And you would have to be a complete idiot to buy an app that has not come from Microsoft regardless.

    • Ulysses · 662 days ago

      Unfortunately, half of the world would fall for this kind of scheme. The problem is not that people are idiots; they just don't read before clicking buy. They would see the icon and assume that would be it.

  2. You make some good points, but the vast majority of all jailbreaks have required a USB tether to accomplish, so your PC would have to have been infected first. The scary ones would be the web-based ones like jailbreakme dot com, as anyone could craft a malicious page to inject bad code instead of just unlocking the device.

    So no, the iPhone isn't perfect, but it quite often takes a long time to get jailbreaks to work on new software once the holes are closed, and usually Apple closes the holes pretty quickly anyway.

    I'd far rather use my iPhone without antivirus than any Android with it.

  3. Anonymous · 662 days ago

    F-Secure always rocking the scene, lol. xD

  4. Anon · 662 days ago

    Do you work for an antivirus company? I love the way mobile is taking off, so antivirus companies are probably getting far less in monthly payments, so they start spinning scare tactics. Jailbreaking is nothing like malware and I wouldn't say the iOS 5 untethered jailbreak was done "quickly". Aim your efforts at Android; Apple fix issues themselves, Google don't care.

  5. anonymous · 662 days ago

    Use-after-free webkit exploit, anyone?
    Jester claims he got both 'droid and iOS devices, with a remote drive-by...
    http://th3j35t3r.wordpress.com/2012/03/09/curiosi...

  6. Anonymous · 662 days ago

    iOS = no malware & no real time A/V products.
    Android = plenty of malware & plenty of A/V products.

    A/V = snake oil.

  7. Subash · 662 days ago

    For argument's sake we can say Apple has not done much to secure its iOS, but in reality we cannot compare it with an Android phone. Apple does a good job securing its iOS moderately. By Anyway, securing its apps store. Also, why bother with a jailbroken device which is not under Apple's scope? Vulnerabilities cannot be stopped by any human, I believe. Anyway, any Android is least secure by its openness.

  8. Stan · 662 days ago

    You state, "...for example not making users wait months for security patches...". How often do Android users get updates to their phones?

  9. Well, this has two sides, the good and the bad one. On the good side, Apple is so lucky because every exploit found is used for the development of jailbreaks, but if these guys turn to the dark side and make malware, no more luck. On the good side, everyone who buys an iDevice can jailbreak and have fun :) I love iDevices, but Apple must change its counterintelligence strategy: they don't just have to release a new version, they must hire hackers to exploit their iOS before a release and patch it so jailbreaking comes to an end. I hope this never happens x)

    • Guest · 335 days ago

      Why would you think Apple doesn't want you jailbreaking your iDevice? Jailbreaking is what kept people in Apple's territory in the mobile sector... I bet Apple wants it, and yes, without cracked apps, of course... :)

  10. Michael · 662 days ago

    CarrierIQ. Enough said.

  11. Despite iOS having a larger installed base than Android 365 million vs 300 million, web browser share 4x larger than Android and iOS users being responsible for 90% of mobile commerce revenue and 84% of mobile gaming revenue, it is Android that has had 100% of the new mobile malware and exploits for the last few quarters and counting.

    According to McAfee, Android has over 13,000 malware apps and exploits compared to Zero for iOS. F-Secure reports Android malware quadrupled in the last year.

    There is no doubt that the "open" model espoused by Google and Android has some very serious security side effects compared to the curated model followed by Apple.

    With anyone able to upload anything to Google's app market and no restrictions on side-loading etc., it is patently obvious that Android will continue to be the most targeted malware ghetto in the mobile space.

    In contrast, iOS users will continue to be eminently justified in knowing the next app they download won't be a premium SMS tester app or a zombie root kit or worse.

    This article is FUD-laden, scare mongering at its worst.

  12. Davester · 662 days ago

    I can't believe how uneducated people are thinking that Android is less secure by being open. An open source system is just as likely to have security holes as a closed system. Closed does NOT mean secure. And 98% of the malware claims on Android were made up. Google has something called "bouncer" which runs apps in a sandboxed environment when they're added to the store, and checked for malicious activity. And, if an app somehow does get past that, it still gets down voted so fast that the average user would never see it. You'd have to go hunting for 1 star apps, and even then you won't find it since people can just touch one button to report an app for malicious activity.

    Seriously, get educated before making ridiculous claims. If you believe everything the anti-virus companies say, you're naive. Some even revoked their statements after Google called them out on their crap; kind of sad if you ask me. Don't hate on an OS until you've tried it extensively.

  13. Joshua Long · 661 days ago

    In response to the haters...

    I, the author of this article, am a user of Apple products. Although I'm a guest blogger for Sophos, my main source of income is not related to the antivirus industry. I don't spread FUD. I don't have anything to gain from doing so. I just report the facts and share my own personal perspective.

    I like to help raise awareness that Apple security isn't as perfect as many people think it is. Just because you're using an Apple product doesn't mean you're invulnerable to attacks. Unfortunately, casual users (and even some who consider themselves geeks) often have this misperception.

    As a user, I would absolutely love for Apple to make its platforms more secure. I submit security bug reports to Apple. Last year, Apple even credited me for a service-related vulnerability that I reported: http://support.apple.com/kb/HT1318

    @bengillam makes a good point that some recent jailbreaks have required tethering a device rather than exploiting a vulnerability in Safari for iOS. The JailbreakMe site's method has not been updated since Apple hired comex (JailbreakMe's exploit developer) in August.

    However, we know from Charlie Miller's past work on fuzzing (http://security.thejoshmeister.com/2010/04/charlie-miller-on-pwn2own-mac-security.html) that finding bugs in Safari, or more specifically Apple's PDF handler which is built into Safari, is so easy it can be done with 5 lines of Python code.

    So just because JailbreakMe hasn't been updated since August doesn't mean that bad guys can't do the same thing for malicious purposes—and do it without requiring a user to tap or slide something first.

    • Joshua,
      Surely you would have to admit that the iOS platform is FAR and away vastly safer than most other platforms - Android in particular - in terms of runs on the board?

      Do you disagree with McAfee that 100% of mobile malicious exploits and malware apps targeted Android last quarter? Or that Android has the dubious honour of having over 13,000 malware apps and exploits?

      Do you not agree that so far iOS has had virtually zero malware apps or malicious exports (of non-jail broken devices)?

      Does this not deserve at least a little pat on the back for Apple's security model for iOS?

      If these were neighborhoods, would you not quite rightly feel safer in the iOS community with zero attacks for 5 years versus the Android ghetto with 13,000 criminals on the loose and 100% of the crime statistics?

      There is a difference between vulnerabilities and exploits. The fact that for 5 years all the vulnerabilities used for jail breaking have still not been utilized for malicious purposes means something. It doesn't matter if it is because they require the phone to be tethered or whatever - the end result is iOS users have been spared the malware apocalypse hammering Android.

      Give Apple at least some credit for this achievement.

      The proof is in the pudding.

      • Davester · 659 days ago

        Wow how ignorant are you. First of all, Android has not had exploits in its system so much as these "malware reports" are just bad apps. Apps that are very difficult to find because they get rated down and reported extremely fast, if they bypass google's bouncer (which admittedly isn't the most trifling thing to do, but the point still stands).

        The Android ghetto? How far up your own ass are you? Seriously?

        Oh, and like I said above, Google rebuked some malware reports, after which Norton and McAfee both went back and said that there weren't as many as they originally reported. Obviously, they're just trying to scare people into using their products.

        And really, you're going to trust McAfee? The McDonalds of Anti-Virus software? And the reason Android is targeted is because it is far more used around the world; the same is true of Windows. But now that Apple has gained a loyal and non-questioning following, you can rest assured they will be targeted more and more in the coming months and year. Just you wait. People exploit systems that will lead to the most potential users they can attack. Always have, and always will.

  14. z3r0567 · 641 days ago

    Davester, you are correct. Antivirus makers always push the numbers and make things seem worse than they are. I have never run antivirus software on any of my Android devices and have not had any issues with malware. My first phone was a Droid1 (retired) and I am now running a GNex. Both devices are rooted. I have a Transformer tablet, and my wife had an HTC Evo Shift and now has a Droid Razr. My daughter has a prepaid Android phone. We have not had one instance of malware. I always make sure to download high-quality apps and will opt for paid if available. My wife and daughter, on the other hand, will download anything that looks interesting. Never found any malware. My brother is an Apple fan and tries to bring up Android malware when we get into the debate (Android vs iOS). My question to him is: Where is it? I have been running Android since early 2010. Out of all the apps I have downloaded (including downloads from outside sources), why have I not been infected? My answer to him and everyone else: The antivirus companies want me to use their software; the issue is not as bad as they claim, so they lie, trying to scare me and others into using it.
    Smartphones are the new market. Everyone wants a piece of the pie, including antivirus makers. They have been begging Apple to let them make AV for iOS, but Apple won't let them. They are able to make AV software for Android, and if they were to say "Android malware is not as big an issue as we have claimed" they will lose users, plain and simple. If I create something and want you to use it, I will turn the numbers in my favor. If there are malware apps in the Play store, I can guarantee you they are at the bottom of the barrel and you would have to dig and look specifically for the infected apps.
    It's good to be aware that there is a possible risk, but that is the case with any operating system. Being aware and paying attention will protect you better than anything else. iOS has its risks too; Charlie Miller and this most recent malware find in the App Store have proven that. The difference is I can see the permissions an app asks for and judge for myself, while iOS users are relying on Apple to protect them. A company that is well known for pushing issues under the rug and denying them until forced to face them.
    Here is a question everyone should consider. How many malicious apps have been found by Apple in the App Store and removed with no explanation before anyone else found out about it? Apps disappear all the time and no one knows why. Most assume it's due to a developer violation, but it could have been a malicious app. Apple would never tell you about it.

  15. b.quinn · 569 days ago

    My husband has an Android phone and is frequently downloading and surfing the web with it. I, on the other hand, have an iPhone that I use for online banking, Facebook and playing games. My husband has had numerous problems with his phone while I have not. He is insisting that I need to get extra security on my phone. However, iOS will not let me download the apps that he is insisting I get. Does anyone have any advice? Do I need extra security?

  16. IMHO iPhone security is crap, iTunes worse. I have lost everything on my device, the device beacon of non security

  17. TK1 · 410 days ago

    If there is no app to detect heuristic malicious activities on iOS devices, no transparency over internally discovered malicious applications submitted to or appearing in iStore and therefore no public method of infected users to be warned of their infection or the need to clean their devices... Apple's security through obscurity leaves the sensible users understandably insecure. After all, allegedly, Apple themselves installed GPS logging spyware as part of the normal function of the older iPhones, so yeah, let's trust Apple to keep our mobile digital life secure... not!

  18. Jim · 264 days ago

    I am searching for a way to reset my iPhone because I clicked on a link that redirected me to a CBSNews article. This link ALSO installed something on my phone - all of a sudden, my status bar is translucent - a hack that requires a jailbroken phone and I NEVER JAILBROKE MY PHONE!!

    Apple's support blithely insists "you're safe, nothing can get through" but my phone is acting differently and LOOKS different now too.

    I'm a software developer - not an idiot - there is something in there and I cannot get it out!

    HELP!

    Jim

  19. James · 227 days ago

    Would love for you to list all 81 vulnerabilities and dissect each one. It's easy to make blanket statements with no depth nor discernment.

    Would also love to see you explain how to actually exploit those 81 vulnerabilities. Anyone can say sharks are dangerous, especially if you get bitten by one.

    But...hey...I live 1000 miles from the ocean. So what?

    • Paul Ducklin · 227 days ago

      Thing is, sharks are potentially dangerous to humans, regardless of where you live. (You might visit the ocean, right? And as a result of its novelty be unaware of some of the precautions you might take, such as not swimming at dawn and dusk.)

  20. iOS 7 download links · 197 days ago

    I totally get the point you are trying to say here. I understand you are saying that if one can exploit iOS security for jailbreak purpose, then others can also follow the steps to land a malware.

    But seriously, I want to shed some light on iOS security, which requires jailbreak hackers to work around the clock for several months to properly land and exploit iOS security. After the widespread release of an iOS jailbreak, Apple takes a week to release an update. Furthermore, several studies show how iOS exploits are more expensive than Android exploits.

    Android has its own perks, but its open-source platform is killing it.


About the author

Joshua Long has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Computer and Information Security. Josh's research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles featuring his research and musings on malware and security on his blog security.thejoshmeister.com, and follow him on Twitter and Google+.