3 March 2015
Recent research demonstrates that CIOs and other IT leaders need to pay more attention to iOS security.
Vulnerabilities in Apple iOS are cause for concern for CIOs and other IT leaders, as a range of recent research demonstrates weaknesses in the operating system and some of the apps that run on it.
Network security firm GFI Software issued a report that ranked operating systems by number and severity of vulnerabilities reported in 2014.
The report is based on GFI’s analysis of the National Vulnerability Database, which is maintained by the National Institute of Standards and Technology.
According to the GFI report, Apple took the top vulnerability spots, with its Mac OS X at No. 1 with 147 vulnerabilities, followed by Apple iOS with 127 vulnerabilities. The Linux kernel was a close third, followed very distantly by Ubuntu and Windows. Android, meanwhile, had only six reported vulnerabilities for 2014 (although GFI took care to note that this number did not include certain Linux vulnerabilities that also apply to Android).
This report would seem to fly in the face of conventional wisdom that suggests Apple platforms are inherently more secure than their counterparts. Part of this might have to do with the fact that, in the past couple of decades, Apple has gone from tech underdog to tech champion, tightening its grip on the mobile market. In the fourth quarter of 2014 (Apple’s best ever), iOS dominated enterprise-scale smartphone activations, accounting for 73% of that market. Android accounted for 25% of all enterprise smartphone activations in the same time period.
Enterprise smartphone activations are tracked by Good Technology in its quarterly Mobility Index Report.
Based on analysis of monthly smartphone activations by its customers in Q4, Good Technology determined that iOS makes up 81% of devices in the financial services industry, 82% of devices in the public sector, and 95% of devices in the legal sector. (It’s worth noting that the Good Technology report does not measure BlackBerry enterprise activations.)
Little wonder, then, that iOS has become a very attractive target for hackers and malware-makers. According to a February 27 CNBC report citing research by security firm FireEye, hackers have figured out ways to bypass the stringent security measures of Apple’s App Store by pushing their malware through email or SMS messages. The fallout is that hackers are now able to attack non-jailbroken iPhones and iPads just as well as they can hit jailbroken ones.
Even vetted iOS apps can present data security and privacy issues. According to the February McAfee Labs Threat Report, app developers and their advertising partners can be highly abusive, particularly when it comes to mobile games — tracking various network details and other information on their users.
The dangers of mobile apps have long been a topic of concern. In 2010, Robert G. Ferrell, then an information security specialist for the US Department of Defense, told CNET in an interview:
“If you haphazardly visit every link and download every file sent to you in e-mail or posted to your social-networking pages, sooner or later you’re going to get nailed. Period. Platforms are passé [for hackers]. Apps are where it’s at.”
And when the App Store doesn’t nail a target, social engineering might. Consider the curious case of Mat Honan, a tech reporter for Wired who in 2012 became locked out of his entire digital life: online accounts, personal devices, and all. An impostor convinced AppleCare customer support that he was Honan, and they granted him access to Honan’s Apple ID even though he was unable to answer any of Honan’s security questions.
While Apple promptly announced “patching” the flaw in its processes that made the Honan hack possible, the company has remained susceptible to social engineering. The following year, Apple performed the worst, by far, among 10 targeted companies at DEF CON’s annual Social Engineer Capture the Flag Contest (SECTF). As part of SECTF, contestants inexperienced at social engineering were able to capture oodles of sensitive data (“flags”) from Apple via basic research and social trickery, scoring more than 33% more points on Apple than on the next most susceptible company.
To be fair, attacks on iOS and other Apple platforms are still not nearly as common as those on the platforms of Apple’s competitors (FireEye reported that approximately 96% of mobile malware still focuses on Android devices, for instance). That fact does nothing, however, to deaden the growing concern among experts about threats to mobile security. As hackers devote more attention to Apple’s mobile vulnerabilities, so too should security researchers, IT departments, and CIOs.
Source – http://www.informationweek.com/ios-security-reports-say-no-iphone-is-safe/a/d-id/1319750