This article originally appeared in TidBITS on 2010-08-09 at 12:24 p.m.

Apple's iOS Security Challenges and Advantages

by Rich Mogull

One of the most controversial debates in the security world has long been the role of market share. Are Macs safer because there are fewer users, making them less attractive to serious cyber-criminals? Although Mac market share continues to increase slowly, the answer remains elusive. But it's more likely that we'll see the answer in our pockets, not on our desktops.

The iPhone is arguably the most popular phone series on the face of the planet. Include the other iOS devices - the iPad and iPod touch - and Apple becomes one of the most powerful mobile device manufacturers, with over 100 million devices sold so far. Since there are vastly more mobile phones in the world than computers, and since that disparity continues to grow, iOS devices become far more significant in the big security picture than Macs.

As reported in this CNET article [1], the iPhone (and by extension, other iOS devices) is already seeing greater scrutiny by the security research community. I can personally attest to the fact that many of my security research associates are gaining interest in mobile devices of all types, but especially iOS- and Android-based devices. And if the number of mobile banking and retail apps in the App Store is any indication, there is now broad use of these devices for significant financial transactions (beyond teenagers' massive texting bills).

Smartphones Change the Security Game -- While mobile phones may never have been the most secure gadgets, their security issues were limited until wide adoption of smartphones. The worst you had to worry about was someone cloning your phone and running up your bill with international calls. Even early smartphones were fairly limited due to their clunky interfaces, terrible browsers, minimal penetration outside of the enterprise, and lack of consistency. But the iPhone ushered in a new age of popular and extensible smartphones. The combination of popularity and functionality changes the mobile security landscape in a number of fundamental ways:

The good news is that although Apple faces new security challenges with their mobile devices, they have already laid a strong security foundation with the potential for far greater security than we will ever see on general-purpose computing platforms like the Mac.

Since I prefer to end on a high note, let's start with some of Apple's security challenges, and close with the company's potential advantages.

Apple's Mobile Security Challenges -- The primary problems Apple faces with the iPhone aren't the hardware, or even the software, but their internal processes and the difficulties of maintaining security on multiple platforms (mobile or otherwise) with a common code base.

First, Apple is historically slow to offer patches for known vulnerabilities fixed in the open source components used in OS X. For example, one of the first exploits used to enable jailbreaking was a known flaw in a common software library used for displaying TIFF images. Since this flaw was patched for other platforms long before the iPhone, it provided attackers a direct road map into the iPhone. While Apple has skated by with these sorts of exposures in Mac OS X (including flaws for the Apache Web server, Samba for Windows-compatible file sharing, and the mDNS service that underpins Bonjour), the increasing scrutiny on the iPhone shortens the time between when a component is patched for other platforms and when an iOS user is at risk.

Second, Apple also patches their own software flaws on different schedules for different platforms, potentially exposing users to more risks. For example, Apple sometimes patches security flaws for the Mac version of Safari before fixing the same flaws for Mobile Safari. iOS is a version of OS X, and thus it's only to be expected that some security flaws will carry through to both platforms. Apple has even patched the open source version of the WebKit code that underlies Safari (which they manage) before bringing the same fixes back into Safari itself.

These process-related issues likely represent the single greatest combined security risk for iOS devices. Every time some vulnerability is patched on another platform, either an open source component or a piece of Apple's proprietary software, it may give attackers another way to exploit iOS devices.

Apple faces several additional security challenges. Most notably, since jailbreaking relies on the exploitation of security vulnerabilities, any time a new jailbreak is released, it may provide attackers with yet another way to attack iOS devices.

In some cases this isn't a major concern, since jailbreaking relies on physical control of the device. But as the [2] site shows, these exploits can sometimes be activated simply by browsing a Web page. Think of it this way - even if cyber-criminals aren't willing to put in the hard work to break into iOS devices, jailbreakers are. And once a jailbreak is released, the bad guys are free to turn it into an offensive weapon. (And yes, for the record, every jailbreak is a security exploit.)

Finally, while iOS has significantly better security than Mac OS X, there is still major room for improvement, especially in the sandboxing of some of the native Apple applications, such as Safari. Of all the iOS security risks, these are the easiest for Apple to address.

Apple's iOS Security Advantages -- Although the security of iOS devices is under greater scrutiny than that of nearly any other mobile device (the possible exception being RIM's BlackBerry, and with Google's Android undoubtedly receiving an increasing amount of attention), iOS devices also come with some significant security advantages:

Security Wins, For Now -- In the overall calculation of security challenges versus advantages, Apple's iOS devices are in a strong position. The fundamental security of the platform is well designed, even if there is room for improvement. The skill level required to create significant exploits for the platform is much higher than that needed to attack the Mac, even though there is more motivation for the bad guys.

Although there have been some calls to open up the platform to additional security software like antivirus tools (mostly from antivirus vendors), I'd rather see Apple continue to tighten down the screws and rely more on a closed system, faster patching rate, and more sandboxing. Their greatest opportunities for improvement lie in increased awareness, faster response processes, and greater realization of the potential implications of security exposures.

And even if Apple doesn't get the message now, they certainly will the first time there is a widespread attack.