No one still thinks iOS is invulnerable to malware, right? Well, knock it off The comforting notion that iOS devices are immune to malicious code attacks has taken a knock following the release of a new study by mobile security firm Skycure. Malicious mobile apps in Apple's App Store are mercifully rare (XcodeGhost aside) compared to the comparative "Wild West" of the Google Play store, which has come …
Hmmm... virtually unknown "security" outfit posts blog article exaggerating and misrepresenting the current state of iOS security, and finishes it with a link to their own app that can supposedly detect and protect against these supposed issues....! How many times have we seen that?
Most of their "Ways to infiltrate an iOS device" are either ancient (patched ages ago), or use legitimate iOS features and social engineering to get installed, and are therefore are very limited in spreadability. Yet they present them all as current ways.
It's rather telling that they refused to provide actual figures to back-up their claims, especially the "percentage of enterprise iOS devices with malware tripled over the last two quarters while the rate of Android malware stayed relatively flat over the same period" one.
"Tripled" is meaningless without actual figures. It could've gone from 1 infected device to 3, whereas Android could've stayed flat at 20 million infected devices. Who knows?! And conveniently, no mention of how these device(s) came to have malware on them, nor what type.
> It's rather telling that they refused to provide actual figures to back-up their claims, especially the "percentage of enterprise iOS devices with malware tripled over the last two quarters while the rate of Android malware stayed relatively flat over the same period" one.
That's probably the one claim in their piece that I can believe
> It could've gone from 1 infected device to 3, whereas Android could've stayed flat at 20 million infected devices.
And that's why :)
In the full PDF report the "tripled" figure comes from an increase from 0.21% to 0.65% of enterprise iOS devices having "high severity malicious apps installed" (although it doesn't mention what these are, or whether these are jailbroken devices).
So that's an increase from 2 devices per 1000 to 6 devices per 1000.
They also include adware, scareware and JavaScript popups(!) in their definition of exploits.
Also, in an article specifically about iOS, they suddenly switch to showing a statistic that 34% of "all devices are rated as medium-to-high risk". This is very misleading because up to that point the statistics are about iOS, and someone not concentrating could understand this as 34% of iOS devices being at medium-to-high risk.
The what now? I don't see any meaningful recent iOS market share increase (and before you start yelling yes it's Wikipedia but the data is supposed to be Gartner's...)
I wonder what percentage of iPhones are Jailbroken? 1% or a lot, lot less.
AFAIK, people don't seem to feel the need to JB their iDevice. The "sheeple" effect eh?
Anyway, as has alreay been said, this aticle is nothing more than free advertising for the makers of software that is supposedly able to detect malware on iOS.
Come on ElReg, you can do better than this clickbait. We know that no OS or system is totally secure. All it takes is one Numbskull to totally F**k things up.
It is all a matter of risk. IMHO, iOS is a lot less risky that Android.
Others will no doubt have a different opinion and that is their right.
> It is all a matter of risk. IMHO, iOS is a lot less risky that Android.
Part of assessing the risk, though, isn't just weighing the probability that something will happen, but also of assessing the scale of the consequences if it does happen, despite the odds.
Clearly they're overstating the probability (or, at least, being very vague and misleading on it), but it does raise an interesting point. Assuming their stats (such as they are) are correct - the primary iOS target is enterprise devices. Meaning the malware is more likely to be targetted at exfiltrating data from, or getting a foothold in enterprise networks.
That's potentially much higher consequences than if you get one of the many, many, many ad serving android malware variants. And there's probably a much lower probability, if you get iOS malware, that it'll simply serve ads.
Basically, what I'm getting at, is advertising article not-with-standing, iOS has a lower probability of malware, but for a business the risk may be higher. So you should at least have plans in place.
As I elaborate below, Apple has removed and does not allow any anti-virus (anti-malware) programs into their App Store. As such Skycure app is NOT any sort of anti-virus program. Also it's specifically designed for enterprise uses. Here are the app's description notes:
"Skycure enhances enterprise mobile security.
"With Skycure's dedication to proactive mobile security, you can more securely practice mobile productivity for work or conduct any type of sensitive file sharing or financial transaction on your devices.
"Most users have a low pain threshold for false-positives. Skycure neutralizes alert fatigue by factoring in crowd intelligence and providing descriptive and actionable notifications."
From this vague rhetoric, I assume the app involves file encryption across networks. But I have no guess as to what 'false-positives' is referring to. The provided illustrations demonstrate only that it will redundantly 'alert' the user of iOS updates, which is a feature iOS alone already provides. Apparently, the app is not popular. It was released in 2012, is now up to version 3.3.0 and has zero reviews.
For example there are apps displaying ads in some form of quiz. Normally you'd classify this as a form of adware and therefore malware, however such "security companies" might not.
For some regimes, any software which allows you to communicate in an even remotely secure way might be considered malware.
Depending on your point of view, the only way to install non-malware might be side loading.
I have to fully disagree.
Don't get caught up, people have become so opinionated that people will justify the definition of any word to justify their own opinion. Malicious software is not advertising software, neither is networking software.
Also, this article seems to prove statistically that "sideloading" increases the probabilities of malware.
The article is F.U.D., but it does remind people that the longer it takes to find serious flaws, the more the pressure builds. If a serious flaw in iOS is ever found, DUCK!!! Of course if you use Google's Android like me, that might not be an option as your back might already be broken. If you use low powered phones like me, Google's Android has cut you in 2.
Depends on your definitions.
If 5 years ago, 1 million people used phones, and 50% of them are Apple, but now 100 million people are using phones, but only 25% of them Apple, then a higher proportion of the population are using Apple devices than were 5 years ago, but Apple's share of sales has decreased.
Its not the most popular, but it is more popular than it was.
The iOS share of "mobile phone sales" has increased since 2012. The iOS share of "smartphone sales" has decreased, because ever cheaper smartphones replace all but the very cheapest feature phones in the market. Apple isn't selling phones for under $100, so all that smartphone growth on the bottom end has gone to Android, decreasing Apple's share of smartphones sold.
Much of that growth hasn't even gone to Google, however, since at least in China almost all low end Android phones have Google's stuff removed and replaced by Baidu, WeChat and so forth. It would be interesting if it was possible to see a market breakdown between iPhone, Android+Google and Android w/o Google.
"The comforting notion that iOS devices are immune to malicious code
Nobody ever said that, what could be claimed is that iOS is relatively immune to the kind of click-and-install malware that is rife on the Wintell platform and as you point out in the article such attacks that do succeed require social-engineering and downloading malicious apps from unauthorized third party sources.
"As scary as all of this may be .. there are absolutely actions that you can take to keep yourself and your device safe from would-be attackers .. Protect your device with a free mobile security app like Skycure"
Ah, go on go on go on link..
The only ones who claim there's a notion iOS is immune to malware are security companies that just happen to sell malware defenses for iOS.
Pretty much everyone would agree malware is a bigger problem on Android than iOS, but I don't know anyone who has purchased anti-malware software for Android. Running Windows without AV software has been asking for trouble for a long time, but since it isn't a must-have on Android it is damn hard to argue that it is needed on iOS except as a way to keep companies like Skycure afloat.
"Nobody ever said that, what could be claimed is that iOS is relatively immune to the kind of click-and-install malware that is rife on the Wintell platform"
It really isn't if you mean clicking on a browser link. There have been numerous Safari browser based vulnerabilities for instance that could jailbreak a phone simply by visiting a website.
I may be wrong, but I only recall one Safari vulnerability that allowed a jailbreak / installing malicious code simple by clicking a browser link (JailbreakMe). This was around 2011 I believe.
All other non-computer jailbreaks or web based malware attacks I've seen since have involved downloading and installing an enterprise certificate and then installing an app from a third party. This is a 6-8 step process with lots of popups and warnings about installing non-App Store apps and trusting enterprise certificates. Not the sort of thing you can accidentally do (social engineering aside).
There's a pretty good list here (https://www.theiphonewiki.com/wiki/Malware_for_iOS) and it seems 99% of the 'in the wild' stuff are malicious 'tweaks' from the Cydia store, only applicable to Jailbroken devices or installed via enterprise certificates. Certainly not 'numerous Safari browser based vulnerabilities'.
"I may be wrong, but I only recall one Safari vulnerability that allowed a jailbreak / installing malicious code simple by clicking a browser link "
You are wrong. A number of relatively recent jailbreaks - notably by Taig - have used such exploits.
And the list of similar historical holes in Safari is pretty long....
This IS WHY trump AND LADY MALIGANT use IPHONES TO WTWEET AMORICAN policy decision to the NAYSHINE. ITs cos COMMIES can't HACK iPhones where THEY CAN HICK Androol. phones.
TRUMP has NAKKID PICTURES of his HOD. HOOD. HAIR. HEAD. WYFE.. on his phone I BET.
I have GUNZ and PIZZA TONIGHT WHICH isn't tha same as GOONS AND RISES (banned). I am NOT. MAKID. NAKKID. thanks you. Stay SOFA.
I've studied Apple device security for 12 years and donated my time to write about it for 10. I have never run across anyone saying iOS is Invulnerable to malware. Instead, what I occasionally come across are headline and article claims, such as those found here, slamming unspecified people who were ignorant enough to make such a claim. I find that approach to tech journalism to be silly.
For those interested, here is some helpful information for iOS users provided as an addendum to that provided by the article:
• The best way to keep your iOS device safe is to never jailbreak it. This will keep your device clear of the majority of iOS malware. Apple's walled garden of vetted apps is renowned for its safety.
• Back up your iOS device regularly. You should keep two backups. One should be local and easily accessible, as is provided in iTunes. Another should be away from your locale, such as in the cloud, again provided in iTunes. Encrypting your backups provides further safety.
• There have occasionally been malware apps that have been approved into Apple App Store. Typically, they have been proof-of-concept malware used to entice Apple to improve its App Store security, Considering the vast number of apps available in the App Store, the number that have been malware approaches statistical insignificance.
• In 2015, Apple became confident enough in the quality of its app vetting process that it removed all anti-malware apps from the App Store. If you perform a search, you'll find that none are available.
(See - https://9to5mac.com/2015/03/19/apple-app-store-antivirus/ )
• The Apple developer security certificate system, which prevents the installation and running of malware on iOS, has been by and large a success. However, there have been breaches in that system specific to enterprise developer security certificates whereby a developer has gone rogue or their certificate was stolen and inserted into malware. In 2016, this became the single greatest security threat against iOS. However, no similar certificate breaches have occurred thus far in 2017.
From my point of view, we still remain in what I call The Dark Age of Computing. We expect every software program and operating system has the potential of containing significant security flaws. The more elaborate the software, the more frequent the security flaws. By far, the most common security flaw is a variety of buffer overflow in device memory. The main cause of this problem is our continued reliance upon relatively poor coding tools, including coding languages. It is hoped that with time we will leave behind these tools and progress onto superior coding tools that, by design, will not allow for coding error security flaws. One improved coding language is Swift, an open source project supported by Apple, applicable to any computing platform.
Also note: USB port security problems are primarily due to Intel's faulty USB standards. This problem is not isolated to any particular hardware or operating system. For those concerned, there are now USB port protection adapters available which act as a safety intermediary between the device and anything connected to its USB ports. An example is the PortaPow USB Adapter, available at the usual sources.
:-Derek Currie
https://Mac-Security.blogspot.com
@DerekCurrie:"The best way to keep your iOS device safe is to never jailbreak it."
This. Jailbreaking was only introduced to provide features Apple hadn't put into the original iPhone such as cut-and-paste, playing games or tethering. There's no need to jailbreak any more, unless it's for bragging rights...
Anyway, the most recent publicly available jailbreak is for iOS 9.3.something - people like qwertyoruiopz and cturte aren't making their exploits for 10.something publicly available as they're worth way too much money. Just look at the FBI and how they had to pay some Israelis $900,000 to crack the San Bernardino shooter's iPhone 5C.
Initially I read this as IoS: the Internet of Shit being delivered instead of the Internet of Things: soon Kazakhstanian hackers will be able to turn your fridge off while you are at work. Connected is Vullnerable.
Anyway, why would anyone bother attacking Apple PC's? There aren't enough of them to make it worthwhile.
I can see why some may take exception to classifying a Javascript pop-up as an exploit, but when said pop takes away control from the user, the not so savvy user is likely to think their device has been infected.
A case in point that I've seen first hand on an associate's iPad Air: dodgy site throws up a message and somehow manages to lock up Safari that prevents the active tab from being closed and prevents switching to another tab.
Now user is stuck and can't use Safari at all. Close and reopen Safari and it oh so helpfully restores all previously open tabs including the malicious one.
And the dumbed down, sorry, simplified UI doesn't provide a straight forward route to regain control either.
Resolving such issues as always involves outsmarting the miscreants.
@Anonymous Coward:"A case in point that I've seen first hand on an associate's iPad Air: dodgy site throws up a message and somehow manages to lock up Safari that prevents the active tab from being closed and prevents switching to another tab.
Now user is stuck and can't use Safari at all. "
His first problem is that he's using Safari, but anyway...
A double-press of the home button brings up the running apps. Swipe up on Safari to close.
Then go to Settings -> Safari -> Clear History and Website Data. Pretty straightforward huh?
Those with an aversion to JavaScript can turn it off in Settings -> Safari -> Advanced.
Interesting this was published the same day as this https://www.theregister.co.uk/2017/07/19/apple_patches_ios_os_x_flaws/
Sadly, as people are people, and our society is what it is, a significant amount of what is said by vendors is hype, otherwise no one would even look at their products, whether they are superb or awful.
But 47 assorted flaws is not exactly zero.
There are some interesting, but uninformed comments on this article that I will try my best to address with useful answers and reference links, particularly those started by Anonymous Coward and those who share these views.
- on being a "virtually unknown 'security' outfit": For our many Fortune 500 and other enterprise customers, every major analyst organization and the mobile security community at large, Skycure is very well known and respected. Two proof points are that 1) Symantec just acquired Skycure to address mobile security for all of their enterprise customers and 2) Frost & Sullivan awarded Skycure Company of the Year. See references -
LINK: http://investor.symantec.com/About/Investors/press-releases/press-release-details/2017/Symantec-to-Acquire-Skycure-Providing-Customers-with-Comprehensive-Mobile-Threat-Defense-Across-iOS-Android-and-Windows/default.aspx
LINK: https://ww2.frost.com/news/press-releases/frost-sullivan-names-skycure-2016-company-year-mobile-enterprise-security/
- on whether iOS devices are truly vulnerable in at least 7 ways (graphic) and whether social engineering is a thing: Only currently possible iOS infiltration methods are included in the graphic, even if the well-known examples listed are not as recent, and most are successfully executed through social engineering. Note that malware infiltrations mostly do NOT come from the App Store, which everyone acknowledges does a great job of staying very clean. And yet, those following the news will see that the Pegasus spyware and many other serious exploits do find their way onto iOS devices through clever and effective social engineering methods. There is a constant stream of legitimate vulnerabilities patched regularly by Apple, like the ones used by the Pegasus spyware (note the 47 security patches in the iOS 10.3.3 update), and also vulnerabilities by design that Apple simply tries to make harder to exploit, like malicious profiles. See references -
LINK: https://support.apple.com/en-us/HT207923
LINK: https://en.wikipedia.org/wiki/Pegasus_(spyware)
LINK: https://www.skycure.com/blog/apple-ios-10-3-finally-battles-malicious-profiles/
- on whether "tripled" iOS devices infected is meaningless: First, those interested in the data to back up the numbers should read the report (https://www.skycure.com/wp-content/uploads/2017/07/Skycure-10YrsofiOS-MobileThreatIntelligenceReport_2017Q1.pdf) and not just this article. Second, it is true that the number of infected iOS devices is small and typically far lower than that of Android, yet a tripling of that number is still a huge concern to our enterprise customers who cannot allow even a single breach that may cost millions and their good reputations. This perception may be different to an individual consumer, but our enterprise customers greatly appreciate the essential protections that Skycure provides against very real threats.
REPORT: https://www.skycure.com/wp-content/uploads/2017/07/Skycure-10YrsofiOS-MobileThreatIntelligenceReport_2017Q1.pdf
- on iOS market share: A number of reputable sources are all reporting that iOS market share is growing in the US. Here is one article among many that also shows iOS shares growing in Great Britain, France, Italy, Spain, Australia and Japan, all locations where Android is growing more slowly or even losing share -
LINK: https://9to5mac.com/2017/01/11/ios-market-share-kantar/
Please click on all of the included links for additional information, then feel free to contact us directly with any additional concerns or questions you may have. hello@skycure.com
- Brian Duckering, Head of Product Marketing, Skycure - now part of Symantec
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
