How secure are Apple’s iPhone and iPad from malware, really?

Anti-virus veteran Mikko Hypponen made an interesting remark on Twitter yesterday:

"iPhone is 5 years old today. After 5 years, not a single serious malware case. It's not just luck; we need to congratulate Apple on this."

Tweet from Mikko

I’m not so sure I can agree.

Of course, there were the Ikee and Duh worms back in 2009, although one could dismiss them as not “serious” malware cases because they only infected iPhones that had been jailbroken without following the critical step of changing the default root password.

Speaking of jailbreaking, this brings up an interesting point about iOS device security.


Virtually every version of iOS has been quickly jailbroken (that is, modified to allow installation of apps and hacks not authorized by Apple or the mobile carrier).

Jailbreaking is accomplished by exploiting security vulnerabilities in iOS. The same exploits used to jailbreak (an arguably legitimate hack) could just as easily be used to infect an iOS device with malware.

Twitter reply from Josh

And what happens if you get malware on your iPhone, iPad, or iPod touch? You wouldn’t necessarily know it. Not all malware has big, flashy alerts like FakeAlert malware. Some is quiet and surreptitious like Flame.

And what’s worse, you wouldn’t be able to detect or remove iOS malware easily because Apple doesn’t allow full-featured, real-time scanning anti-virus software in the iOS App Store.

Meanwhile, you can get free anti-virus software for Android from Sophos and other vendors.

Android store under fireIn spite of the existence of Android anti-virus software, when you compare Android with iOS, there’s certainly a big difference in terms of device security.

Android app stores (including Google’s own) have a history of letting in malware apps, while Apple’s more restrictive App Store policies and more careful application vetting tend to keep iOS users safer.

So perhaps Hypponen is right that we should be congratulating Apple, but not for the lack of iOS malware. Rather, Apple should be commended for keeping the App Store relatively safe.

I say “relatively safe” because security researcher Charlie Miller has previously figured out how to break the App Store anti-malware model using a flaw in the iOS code signing enforcement mechanism, and there have been reports of developers working around other App Store restrictions with clever tricks; see the Security Now! episode 330 transcript and search for “vetting.”

And just earlier this month, a clearly bogus app purporting to be Microsoft Word 2012 was mistakenly approved by Apple, and appeared in the iOS App Store.

Bogus Microsoft Word 2012 app

Apple still has a long way to go in making the iOS platform more secure, for example not making users wait months for security patches.

It took Apple four months after the release of iOS 5.0.1 for the next security update to become available, iOS 5.1, which patched a whopping 81 vulnerabilities. That’s too long. I realize that 5.1 added a lot of features, but Apple could have easily patched the 81 vulnerabilities in a security-only update and called it “iOS 5.0.2” while working on adding new features to 5.1, but they didn’t do that.

Meanwhile, the jailbreaking community are masters at exploiting undisclosed vulnerabilities, and ready to exploit them whenever Apple releases a new version of iOS. If these hobbyists can collect and take advantage of vulnerabilities, just imagine what others (a government perhaps?) could do.

And this isn’t fantasy, defense contractors are already openly hiring for people with experience of exploiting vulnerabilities on mobile devices.

Job description from Booz Allen Hamilton

The history of jailbreaking iPhones and iPads has provided plenty of evidence that smartphone users are being made to wait too long to get security updates for their devices.

So yes; good job, Apple. But you can do a lot better.