iOS and security: how Apple’s iPhone security has evolved
22 September 2017
A few days ago, Apple announced its 10th anniversary iPhone, the iPhone X, with a promise which, if unfulfilled, could seriously endanger the company's reputation. The latest iPhone arrived with the ability to authenticate users by reading their facial features, and Apple said the chances of the new feature being breached are no more than one in a million.
Considering that facial recognition software hasn't been too successful in the past, Apple's new technology has as many critics as it has admirers. In a world where hackers are just one step away from breaching the most sophisticated technologies, it is worth questioning whether Apple should be as brazen and boastful about the security of its technologies.
To be fair, Apple has always prided itself on the security its products enjoy and the fact that iPhones have rarely been breached on a massive scale, unlike Android devices. Here's a timeline of how Apple has strengthened the security around its devices over the years and the number of times hackers managed to put a few past Apple's defences:
The first iPhone arrived in 2007 with in-house apps, no App Store and no 3G connectivity, and was followed by improved models in the coming years. However, it took a couple of years for the first iPhone malware to surface.
In 2009, the Ikee worm got past the defences of jailbroken iPhones whose default passwords were left unchanged by users. Once it infiltrated iPhones, Ikee put up a wallpaper image of Rick Astley with the message stating ‘Ikee is never going to give you up.’
Siri's vulnerability unmasked
The year Apple launched iPhone 4s, hackers demonstrated the ability to intercept Siri's voice commands to manipulate her responses. These included getting Siri to start and stop cars and to control home automation systems.
Even though these two incidents were minor interruptions and did not affect users on a large scale, Apple went on to improve the iPhone's security by leaps and bounds over the next few years.
Today's iPhones use advanced cryptography to protect the data they store, including photos, messages, videos, and app data. All stored data is encrypted and kept in a secure vault. The keys to such vaults are stored in Secure Enclaves inside iPhones, and even Apple can't access them, even if it wanted to.
Apple also separately encrypts data that are backed up on iTunes to prevent hackers from gaining access to data by exploiting cloud vulnerabilities. To keep users safe from malicious adware, Apple lets users tap on Reset Advertising Identifier in Settings. At the same time, iPhone users can also deactivate several lock screen functions like notifications, Wallet updates, Siri, Home Control and Reply with Message to keep their data secure from prying eyes.
As far as the security of third party apps is concerned, Apple has mandated developers to use the App Transport Security standard when submitting apps to its various stores. The standard only transfers app data via secure HTTPS connections and thereby protects user data from getting breached.
Despite these advancements, iPhones haven't been able to keep hackers away all the time. In October 2015, app analytics company SourceDNA revealed that as many as 256 iOS apps were being used by hackers to amass personal data of their users including device serial numbers and Apple ID email addresses.
In 2016, security researchers uncovered a vulnerability in Apple's Image I/O API that allowed hackers to cause a buffer overflow and execute malicious code usually blocked by security systems. The vulnerability also allowed hackers to gain control of the devices and steal passwords and other sensitive data.
Aside from exploiting these known vulnerabilities, hackers also use phishing emails or texts to make iOS device users voluntarily share their personal details. For example, iPhone users were targeted by a phishing scam in which hackers sent them texts claiming that their iCloud IDs were deactivated. The texts then asked them to follow a link to enter their details and regain access.
No matter how much Apple invests in the security of its devices, hackers may get past rare vulnerabilities and impact thousands of users and their sensitive details at the same time. However, the iPhone has completed ten years at the top while continuing to serve as one of the most secure devices around. This bodes well for its future and also speaks well of how Apple's engineers and developers have protected the iOS platform in the face of many malicious attempts on its integrity.
Ten years of iPhone: A history of iPhone security
- 2007: The first iPhone is released, which fundamentally transformed the mobile industry. While it was an instant success, this device had no 3G, no third-party apps, no GPS – and a lot of room to grow!
- 2008: The iPhone 3G is launched, which didn’t only bring faster internet speeds, but the App Store. This was a monumental moment in smartphone history, for consumers and hackers alike.
- 2009: The first iPhone worm is detected, the work of the hacker Ikee. This worm infected jail-broken phones that hadn’t changed their default password. Victims of the Ikee worm were lumbered with a wallpaper image of 80’s popstar Rick Astley, with the message: ‘Ikee is never going to give you up.’ If ever there’s an incentive to change your default password...
- 2011: Major vulnerabilities in Siri are discovered. Hackers are able to intercept Siri voice requests and manipulate the outcomes.
- 2011: One of Apple’s own security researchers finds a security hole in iOS, which lets apps grab unsigned code from third-party servers, and add this to an app after it has gone live on Apple's App Store. He publishes the research. His reward? He gets the sack.
- 2012: It’s thought that the first iOS malware is discovered. ‘Find & Call’ was found on the App Store, and was secretly harvesting data from users’ address books and sending it to the developer’s server. The developer then used this data to spam users via SMS.
- 2015: The first high-profile attack hits Apple’s App Store. XCodeGhost infected over 4,000 apps on the App Store, far greater than the 25 initially acknowledged by Apple.
- 2016: Pokemon Go enters the App Store, which surpasses Facebook’s popularity, and is reported by Apple to be the most downloaded app ever during its first week of release. But cybercriminals are quick to cash in on its massive popularity, creating malicious versions of the game and related help apps that lock screens and deliver scareware and adware.
- 2017: iPhone X released with FaceID…
(Timeline by Trend Micro)