Apple has built a solid reputation for producing secure mobile devices. Some of the tech giant's customers believe that Apple products are so secure that they do not need to take any additional security measures.
However, Apple's mobile devices are not without their flaws.There are known vulnerabilities in the iOS operating system and in the devices' built-in apps.
Plus, malware and third-party apps can put these devices at risk. Knowing about these security risks can help you better protect your mobile devices.
Vulnerabilities in the Operating System and Built-In Apps
Apple's iOS operating system has had some security problems. In November 2015, Zerodium announced that an anonymous team of researchers successfully hacked Apple's iOS 9 operating system. The team received $1 million for its efforts. Zerodium pays for security exploits that are not publicly available, selling them to the highest bidders.
Because Zerodium sells the exploits it purchases, it is tight-lipped about the iOS 9 hack. However, to get the $1 million bounty, the hack had to meet certain criteria, which means that:
- It works on versions of iPhone 6, iPhone 5, and iPad running iOS 9.
- It bypasses all iOS 9 security defenses using previously unknown vulnerabilities or exploits.
- It starts one of four ways. The attack vector might be a web page that either targets the mobile browser (Apple Safari or Google Chrome) or targets a web application reachable through the browser. Alternatively, the attack vector might be a text message delivered through the Short Message Service or a multimedia file delivered through the Multimedia Messaging Service.
- It leads to the installation of a malicious app on a fully updated iOS 9 device.
- It works remotely and silently, without any user interaction except for when the user initially visits the malicious web page or opens the infected text message or multimedia file.
This specific hack might not be used by cybercriminals if Zerodium lives up to its claim of selling its hacks to only legitimate corporations and government organizations. However, because Zerodium announced that iOS 9's security defenses are penetrable, cybercriminals will likely try to discover the vulnerabilities that were exploited.
The hack purchased by Zerodium is not the first problem that researchers have discovered in iPhones and iPads. In June 2015, a cybersecurity researcher revealed the existence of a major flaw in the built-in email client. The flaw let cybercriminals send phishing emails that produced pop-up messages that were almost identical to the real iCloud login pop-up messages. The fraudulent messages automatically filled in users' email addresses and asked for their passwords. After unsuspecting victims provided their passwords, the passwords were sent to the cybercriminals. Although Apple fixed this flaw in its mobile devices running iOS 8.4 and later, iPhone and iPad users need to be on the lookout for similar phishing attacks.
Apple mobile devices are also susceptible to other types of attacks. For example, Skycure researchers discovered the No iOS Zone vulnerability, which exposed iPhone and iPad users to denial of service (DoS) attacks. In a typical DoS attack, cybercriminals try to prevent users from accessing a service by overwhelming it with service requests. With the No iOS Zone vulnerability, the researchers were able to inflict a more destructive DoS attack. After setting up a malicious wireless hotspot that forced nearby iPhones and iPads to connect to it, the researchers manipulated the traffic, causing the devices' operating systems to crash. Sometimes the mobile devices went into a repeating crash-restart cycle, rendering them useless. Fortunately, Apple has fixed the No iOS Zone vulnerability in iOS 8.3 and above.
Malicious Malware and Unsafe Third-Party Apps
Apple mobile devices are vulnerable to malicious malware like WireLurker. WireLurker spreads to iOS devices when they are connected to infected computers. Palo Alto Networks discovered this malware, which steals information from the mobile devices it infects.
Third-party apps can also install malware and other potentially malicious code on Apple mobile devices. You cannot even assume that the apps you download from Apple's App Store are safe to use, as the following incidents show:
- In September 2015, Palo Alto Networks revealed that 39 apps in Apple's App Store were infected by malware named XcodeGhost. Cybercriminals can use XcodeGhost's remote control functionalities to perform phishing and other types of attacks.
- In October 2015, SourceDNA discovered that hundreds of apps in the App Store were collecting more device and user data than what Apple allows. The additional data collected included the device's serial number, the serial numbers of peripherals (e.g., the battery system), a list of installed apps, and a numeric value associated with the user's Apple ID.
- In October 2015, Apple found that some App Store apps were installing root certificates that allowed the app developers to access the app users' encrypted traffic. While the certificates were being used for legitimate purposes, they left the mobile devices open to man-in-the-middle attacks. In this type of attack, cybercriminals insert themselves between two communicating parties. They then intercept data, decrypt it if necessary, and steal any personal information.
In all three cases, Apple removed the offending apps from the App Store. It also neutralized the WireLurker malware.
How to Protect Your iPhone or iPad?
Apple mobile devices have security vulnerabilities, so you need to take some security precautions. Make sure that you:
- Install all iOS updates promptly.
- Use strong passwords for all your accounts. Resist the temptation to use the same password for multiple accounts. If you have to remember a lot of account passwords, consider using a password manager. That way, you will not be tempted to re-use passwords or write them down.
- Do not connect your mobile device to public computers. Only connect your device to computers you know are secure.
- Research an app before you install it, even if you are downloading it from Apple's App Store.
- Do not open any email messages from unknown senders. If a message is from someone you know but looks suspicious, call that person and confirm that he or she sent it.
- Scrutinize any pop-up messages that you receive when working in the email client. A pop-up message is a fake if it appears only in the email message's body or if it scrolls down when you scroll through the message.