The iPhone is often considered to be an inherently secure device. While it’s certainly true that it’s better protected than Android, it has its vulnerabilities, too.
The iPhone’s security problems exist and are not insignificant. Android is normally known as the malware champion, since most of the threats are aimed at this platform, and the fact that it is very easy to join Google Play doesn’t do much to help the protection of devices. But there are ways to infect Apple handsets. Jailbreaking is one of the doors that allows malware into the iPhone, but it’s not the only one.
Apple always recommends that users upgrade to the latest version of iOS, which contains the new security patches that eliminate the handset’s vulnerabilities. They do this precisely because the device isn’t protected 100%; if it were, most of the time updates wouldn’t be needed. Like all operating systems, Apple’s also has to be improved little by little, including the knowledge gained from the previous version. An essential part of this knowledge is related to the protection of the handset.
Apple has made great efforts to create a controlled ecosystem that is closed to prevent malware from getting in. However, a report prepared by Symantec in 2013 indicated that in 2012, there were 387 security holes in iOS, with just 13 attributed to Android. Apple itself acknowledged that 70 vulnerabilities were eliminated in iOS7 with respect to the previous version of the software. However, it is true that a vulnerability is one thing, and a threat is another; but the former is the first step that is required for the second, although they do not always have to be cause and effect.
Vulnerabilities in applications
According to experts at The Guardian, one way to collect information on smartphones is by exploiting the vulnerabilities in applications. One of the problems is 301 forwarding, an action that will be familiar to anyone who’s ever had to migrate a domain or tweak SEO. This same technique is used in many iOS applications to allow developers to easily change the URL that they use to obtain the data.
However, when connected to the same Wi-Fi network, an attacker can change this URL to point to a malicious site, so the user will be exposed to the possibility of the attacker looking for vulnerabilities in the handset. Another common mistake by developers is allowing applications to store information on the device. This can sometimes include unencrypted or poorly encrypted access codes. This content, along with the information sent by applications, can be extracted over a Wi-Fi network using different methods.
The installation of third-party certificates is another way that it can be used with malicious intent. It’s not easy for attackers to get their hands on these, but they are sometimes sold on clandestine forums or extracted by breaking into the machines of developers who want to upload software to the App Store. Using the certificates, it’s possible to take someone’s identity and send phishing messages.
Also, the fact that the App Store is a walled garden doesn’t mean that it’s impossible to introduce malicious applications, as demonstrated by technical experts at the Georgia Tech Information Security Center; their software was accepted by Apple, but it contained an instruction that reconfigured the application’s code as soon as it was installed, converting it into malware.
Jailbreaking is another one of the iPhone’s security problems. When users jailbreak their phones, they leave a door open for threats to get in, and eliminate the security instructions that prevent an application from taking control of the device. However, many of the risks can be avoided by taking into account a few simple tips.
Image | Morid1n