Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Apple's iOS Security Challenges and Advantages

One of the most controversial debates in the security world has long been the role of market share. Are Macs safer because there are fewer users, making them less attractive to serious cyber-criminals? Although Mac market share continues to increase slowly, the answer remains elusive. But it's more likely that we'll see the answer in our pockets, not on our desktops.

The iPhone is arguably the most popular phone series on the face of the planet. Include the other iOS devices - the iPad and iPod touch - and Apple becomes one of the most powerful mobile device manufacturers, with over 100 million devices sold so far. Since there are vastly more mobile phones in the world than computers, and since that disparity continues to grow, iOS devices become far more significant in the big security picture than Macs.

As reported in this CNET article, the iPhone (and by extension, other iOS devices) is already seeing greater scrutiny by the security research community. I can personally attest to the fact that many of my security research associates are gaining interest in mobile devices of all types, but especially iOS- and Android-based devices. And if the number of mobile banking and retail apps in the App Store is any indication, there is now broad use of these devices for significant financial transactions (beyond teenagers' massive texting bills).

Smartphones Change the Security Game -- While mobile phones may never have been the most secure gadgets, their security issues were limited until wide adoption of smartphones. The worst you had to worry about was someone cloning your phone and running up your bill with international calls. Even early smartphones were fairly limited due to their clunky interfaces, terrible browsers, minimal penetration outside of the enterprise, and lack of consistency. But the iPhone ushered in a new age of popular and extensible smartphones. The combination of popularity and functionality changes the mobile security landscape in a number of fundamental ways:

  • iOS devices are based on a general-purpose operating system with a larger attack surface than less-sophisticated "feature" phones.

  • iOS is widely deployed in three major product lines. While the operating system versions aren't fully aligned, they are extremely close, rely on the same code base, and are likely to converge more soon.

  • Consumers increasingly use their mobile phones for sensitive transactions - mobile banking, shopping, and confidential communications. Bad guys accessing a device have far more to gain than in the past, when the worst they could do was steal your contacts and make phone calls.

  • Email and Web browsing are the top two vectors for attacking personal computers... and they are also the two most popular non-phone functions on iOS devices.

The good news is that although Apple faces new security challenges with their mobile devices, they have already laid a strong security foundation with the potential for far greater security than we will ever see on general-purpose computing platforms like the Mac.

Since I prefer to end on a high note, let's start with some of Apple's security challenges, and close with the company's potential advantages.

Apple's Mobile Security Challenges -- The primary problems Apple faces with the iPhone aren't the hardware, or even the software, but their internal processes and the difficulties of maintaining security on multiple platforms (mobile or otherwise) with a common code base.

First, Apple is historically slow to offer patches for known vulnerabilities fixed in the open source components used in OS X. For example, one of the first exploits used to enable jailbreaking was a known flaw in a common software library used for displaying TIFF images. Since this flaw was patched for other platforms long before the iPhone, it provided attackers a direct road map into the iPhone. While Apple has skated by with these sorts of exposures in Mac OS X (including flaws for the Apache Web server, Samba for Windows-compatible file sharing, and the MDNS service that underpins Bonjour), the increasing scrutiny on the iPhone shortens the time between when a component is patched for other platforms, and when an iOS user is at risk.

Second, Apple also patches their own software flaws on different schedules for different platforms, potentially exposing users to more risks. For example, Apple sometimes patches security flaws for the Mac version of Safari before fixing the same flaws for Mobile Safari. iOS is a version of OS X, and thus it's only to be expected that some security flaws will carry through to both platforms. Apple has even patched the open source version of the WebKit code that underlies Safari (which they manage) before bringing the same fixes back into Safari itself.

These process-related issues likely represent the single greatest combined security risk for iOS devices. Every time some vulnerability is patched on another platform, either an open source component or a piece of Apple's proprietary software, it may give attackers another way to exploit iOS devices.

Apple faces several additional security challenges. Most notably, since jailbreaking relies on the exploitation of security vulnerabilities, any time a new jailbreak is released, it may provide attackers with yet another way to attack iOS devices.

In some cases this isn't a major concern, since jailbreaking relies on physical control of the device. But as the site shows, these exploits can sometimes be activated simply by browsing a Web page. Think of it this way - even if cyber-criminals aren't willing to put in the hard work to break into iOS devices, jailbreakers are. And once a jailbreak is released, the bad guys are free to turn it into an offensive weapon. (And yes, for the record, every jailbreak is a security exploit.)

Finally, while iOS has significantly better security than Mac OS X, there is still major room for improvement, especially in the sandboxing of some of the native Apple applications, such as Safari. Of all the iOS security risks, these are the easiest for Apple to address.

Apple's iOS Security Advantages -- Although the security of iOS devices is under greater scrutiny than that of nearly any other mobile device (the possible exception being RIM's BlackBerry, and with Google's Android undoubtedly receiving an increasing amount of attention), iOS devices also come with some significant security advantages:

  • No other mobile device is as easy to patch and update. Before the iPhone, the only way to patch the majority of phones on the market was to take the device into a retail store and beg for an update, or hack it yourself through a Byzantine process that frequently involved illegally downloading carrier software. For the first time we have a popular, widely deployed, mobile device that is as easy to update as any other software on your computer.

  • iOS devices are difficult to hack. Apple has combined the hardware and software to lock down the platform in ways that aren't possible on a general purpose computer without severely restricting the user experience. While some users complain about Apple's rigid control, it does provide some extremely important security advantages. For instance, all applications are cryptographically signed with digital certificates tied to the device's hardware, making it extremely difficult to install malicious software. Yes, we've seen exploits that circumvent these controls, but creating such exploits tends to require a high degree of skill.

  • The iOS is a closed system. All apps are vetted and distributed by Apple, with the exception of enterprise-specific apps that are managed by internal IT departments and that have limited distribution. Although we are sure to see malicious apps sneak through the App Store eventually, Apple can quickly remove these when identified. This has already happened on the open Android Marketplace, where a malicious wallpaper app was downloaded by millions before being identified and removed. We're trading a closed system and some freedom for increased security (something I worry about in society in general, but I'm okay with when it comes to a phone... as long as they don't listen to my calls).

  • Greater market share and public scrutiny means that Apple faces considerable public pressure to keep the platform secure. As Microsoft learned in the late 1990s, security failures directly translate to material market risk when you're the big dog in the industry. When a minor antenna problem appears on the front page of every major newspaper, it's clear that a major security breach could cause much worse problems for Apple.

Security Wins, For Now -- In the overall calculation of security challenges versus advantages, Apple's iOS devices are in a strong position. The fundamental security of the platform is well designed, even if there is room for improvement. The skill level required to create significant exploits for the platform is much higher than that needed to attack the Mac, even though there is more motivation for the bad guys.

Although there have been some calls to open up the platform to additional security software like antivirus tools (mostly from antivirus vendors), I'd rather see Apple continue to tighten down the screws and rely more on a closed system, faster patching rate, and more sandboxing. Their greatest opportunities for improvement lie in increased awareness, faster response processes, and greater realization of the potential implications of security exposures.

And even if Apple doesn't get the message now, they certainly will the first time there is a widespread attack.


PDFpen and PDFpenPro 9 add 100+ enhancements to improve your PDF
editing experience, with annotations, Tables of Contents, and more
export options. For PDF reviewing, editing, signing, redacting and
exporting, PDFpen has you covered. <>

Comments about Apple's iOS Security Challenges and Advantages
(Comments are closed.)

Graham Lee  2010-08-10 01:36
"And even if Apple doesn't get the message now, they certainly will the first time there is a widespread attack."

My own concern is that Apple _will_ need a widespread attack before they start reacting to security seriously. Of course by that time it's too late - machines have been compromised, data and time lost.

As far as iOS goes, I think faster patching is the most important improvement requirement. I agree with you totally that opening the platform up for AV vendors is not good, as it opens the platform up for everybody else who may not have friendly intentions. On the other hand there have been two different remote jailbreaking (i.e. kernel-level execution) exploits in the wild, and it can take months to get the patch out.

Having worked in mobile telecoms I know that's probably because the network operators (AT&T etc) require slow turnarounds with full regression testing for firmware updates.
Rich Mogull  An apple icon for a TidBITS Staffer 2010-08-10 08:56
They could always try and adopt the model that the FDA had to come up with for medical devices. It used to be you couldn't patch them without going through full FDA approval again, but now they can patch components not directly involved with parts that could affect patient care.

For the iPhone, this would be anything other than the baseband/messaging.
Johannes  2010-08-11 07:26
The pdf exploit (to jailbreak and) to run arbitrary code hints to not so good IOS security.
And it looks like Apple removed some security layers from OS X.
This is because for example the pdf exploit should not result in a 'root' level security breach. The same breach on OS X compromises the user account (and that could be an administrator account) but this doesn't compromise the system on 'root' level, because all 'root' actions require the user of the system to enter the administrator password via a pop-up. This is actually a very clever way to give a user administrator power but not constantly (some authorization has a timeout, other must always be acknowledged by a user password).

It seems that this kind of sophisticated user account is missing, as is (fast) user switching (especially nice for the iPad).

Rich Mogull  An apple icon for a TidBITS Staffer 2010-08-12 12:01

That's what I meant by more sandboxing- both at the user account level and the process level. My understanding in this case is that there were two exploits involved, one of which escalated the privileges. many vulnerabilities on the Mac also totally circumvent the user account control protections.

Now I would sure like user switching for other reasons, but as a security control it is more of a bump than a wall.
Johannes  2010-08-13 06:54
Ok, I also read about the other exploit needed for the security breach.
So Apple didn't skip a security layer on iOS. I didn't expect them to, but the 'evidence' was against them.
But the second exploit explains it nicely. So this could have happened on Mac OS X too.

My understanding of security is that is should be layered, when one layer fails - for example sand-boxing - the next one should take over.
So better and more sand-boxing is a good idea, but so is account control.