Early in the adoption of enterprise mobility, iOS was considered the “better” choice. A more stable and consistent operation system was preferable for developing custom apps, and Apple’s iOS operating system was believed to be inherently more secure than Google’s Android due to the controlled app store ecosystem and better app sandboxing mechanisms. Fast forward to today and we see that enterprise devices are still twice as likely to be iOS than Android, with even higher ratios (up to four times) in regulated industries that are more concerned with security.
Malicious hackers pay attention to trends as well. Hackers are motivated by the opportunity for financial gain, intending to steal data and access valuable corporate resources. Smart hackers have been shifting more of their time from the previous largest enterprise target, Windows PCs, to the new biggest and most profitable target—mobile devices in general and iOS specifically. Whether an operating system is inherently more secure or not, persistent hacking efforts will lead to a greater number of identified vulnerabilities and attacking techniques than one that gets less attention.
Over the past year, we’ve been seeing a significant growth in the number of malware campaigns being uncovered against iOS users, whether the device is jailbroken or not. Many of the attacks we see have existed for a long period of time before being uncovered!
In addition to high profile campaigns uncovered over the past eight months, such as XCodeGhost and YiSpecter, we have witnessed another major campaign, uncovered just a couple of months ago, dubbed AceDeceiver. The biggest pain point of AceDeceiver is that it can continue to spread, even after spotted by the researchers and Apple. Another concerning aspect of AceDeceiver is that the attack techniques it relies on can be easily mimicked by others, thus leading to many additional sophisticated attacks against iOS victims. It is interesting to note that AceDeceiver utilized a technique called “FairPlay Man-In-The-Middle”, which was described in detail by researchers a few years ago. For much more information, take a look at our take on AceDeceiver.
Another recent example of malware getting into the Apple App Store (even worse, reappearing as a similar variant of a previous malicious app in the store) can be found here. This joins a growing number of malicious applications that managed to get into the Apple App Store in the past few months. Similar to past progressions in major security markets in the past (e.g., network-security, desktop security), the techniques used by the malware writers are often based on efforts by security researchers, which then evolve to become toolkits for attackers.
Malicious profile-based attacks have also become an increasingly hot topic, with multiple discoveries made by the Skycure research team, including the invisible malicious profile, as well as the threats of taking advantage of the existence of MDM on the device. I discussed this type of threat at RSA Conference 2014 with SC Magazine and demonstrated the power of such an attack in this interview.
The most common exploitation techniques we have identified within our customers’ mobile devices include Content Manipulation, SSL Stripping and SSL Decryption attacks. SSL Decryption threats are particularly bad and pose a clear threat to organizations who utilize iOS for work purposes, as they are easy to mount by attackers (e.g., providing invalid certificates when the victim tries to access his/her email account via the native iOS mail app) often resulting in the exposure of corporate Active Directory credentials. The following video demonstrates how easy it is to attack victims via Wi-Fi networks and what the ramifications of such an attack may be: https://www.skycure.com/resource/demos/malicious-wifi/.
Vulnerabilities: The Focus Has Shifted to Mobile
The aforementioned trends are supported by the significant rise in the number of identified and published vulnerabilities (which represent a subset of the actual number of vulnerabilities in the wild) for mobile operating systems. Especially for iOS, which as I discussed above is receiving a significant amount of attention from malicious hackers, we have witnessed massive growth in the number of publicly disclosed vulnerabilities in the last year (see chart below), with 32 of the vulnerabilities uncovered in 2015 rated as posing a critical threat to iOS users.
Note that this alarming graph does not necessarily indicate that Apple became sloppy from a security perspective, but instead that the focus of researchers has shifted from traditional computers to the new breed of computers and operating systems—mobile devices/Oss and iOS in particular.