Can iPhones be hacked?

You ever plan a short hike thinking it will be a nice, pleasant stroll through nature only for a storm to roll in, you get lost halfway through, and when you finally do make it back to civilization 9 hours later you look like a drowned rat that’s been dragged through a compost bin? Well that’s me writing this article right now.

When I started this blog post and began researching iOS security I came into it thinking this will be a walk in the park because everyone knows that iPhones are the most secure phones on the market.

But are they?

After digging through the weeds and spending many hours looking all across the internet for information as to whether Apple’s claims of virtually impregnable security hold true – I have emerged cut, bruised, and shaken to the bone. I can no longer tell up from down, night from day, or iPhone from Android.

Does this mean that the mighty fruit giant has been lying to us all this time?

Maybe…

Or maybe not…

Let’s get into it and find out together.

What security protections does iOS have in place?

Let’s begin by covering all of the features and functions that Apple has implemented to protect its users from the scum and villainy that scour the internet. This is by no means an exhaustive list, but I think I managed to cover the main security benefits that iOS offers.

Closed System

The iOS operating system is considered “closed source” meaning that the code base is known only to Apple and is not made available to the general public, preventing application developers from making any changes and giving them limited access to the system and its core components. The proposed benefits of a closed system are that threat actors looking to develop malicious software (malware) are not able to view the source code and therefore they will have a more difficult time finding vulnerabilities to exploit.

Walled Garden

In the lands of iOS Apple plays the role of God and maintains a biblical style Garden of Eden where they maintain strict control over what is and what is not allowed within its confines. What this means in reality is that iPhone users are only allowed to purchase and download apps from its App Store, all of which are manually reviewed and tested before being made available to consumers. Ideally this prevents dodgy developers from creating and selling malicious software to its customers and ensures that iPhone users stay safe from predators seeking to steal their information and hack their devices.

Sandbox architecture

Sandboxing is the practice of isolating apps so that they can only access specified resources and are restricted from accessing the files of other applications or the operating system itself. Essentially what this means in practice is that Apple treats its platform like a super high security prison where all apps are kept in solitary confinement to prevent them from stealing from or harming other apps. This way if a malicious app manages to sneak into the App Store or an app becomes infected with malware, the damage is limited only to that app and the data stored within all of your other apps remains secure.

However Apple will still allow you to grant apps access to certain resources in your phone like photos or contacts which opens them up to exploitation or theft – so make sure you think twice before granting permission to apps that you don’t trust 100%.

Strong encryption at rest

When you secure your phone with a passcode your device automatically enables “Data Protection”, which encrypts the data on your device with AES-256 encryption (virtually impenetrable encryption that is used by the US government). This means that if someone steals or somehow gets hold of your phone, there is no way for them to access your data without the passcode.

Regular updates released without delay

Device updates are critical in keeping phones secure as they deliver vital security patches to ensure known vulnerabilities can no longer be exploited. In this area I firmly believe that Apple takes the cake over Android as they regularly release updates and will continue to provide updates for devices for up to 6 – 8 years (Android can be between 2 – 5 years depending on the phone manufacturer). On top of this they release updates to all devices at once without delay, whereas the timeliness of Android update delivery is dependent on the manufacturer of the phone – meaning that if Google releases a security patch for Android, this is not necessarily rolled out to all Android devices immediately. Instead it is up to the phone manufacturer to roll out the patch which could potentially take days if not weeks or months.

Secure Enclave

The Secure Enclave is an impressive addition to the iPhone hardware that provides a separate processor to handle sensitive operations related to security and privacy. The Secure Enclave performs a variety of operations but the main features are that it generates and stores encryption keys as well as handles processes relating to biometric authentication and storing the related data. This means that even if the Application Processor is compromised the attacker still won’t have access to the encryption keys and biometric data stored in the phone.

Small market share

iPhones only make up 28% of the smartphone market and while this is clearly not an inbuilt feature by Apple it does still provide some additional protection to its users by providing less incentive for hackers and malware authors to spend their time finding vulnerabilities in iOS. To put it in perspective, if you were to go fishing and needed to bring in a big haul to feed your family would you go to the spot where 30% of the fish live or the spot where 70% of the fish live?

Lockdown Mode

Apple has created an optional feature called Lockdown Mode that is designed for the minority of users that are at risk of being targeted by sophisticated threat actors (think Nation State actors, aka spies). This feature will disable a bunch of functions which will reduce your threat exposure but also stop your phone from functioning as you would normally expect. This feature is not for everyone but is definitely a nice to have for those people that genuinely need it. To read up on how lockdown mode actually works see here.

And there you have it, from the looks of things the fruit fan boys might be right about their claims that the iPhone platform reigns supreme in the battlefield of smartphone security. The above controls do appear to minimize the vectors of attack by which hackers might try and steal your data or take over your phone.

For example…

Should you visit a website that hosts malware that’s able to exploit a vulnerability in your browser, it would still be blocked from accessing the rest of the phone’s memory due to the application sandboxing. Same story with emails or texts that contain malicious attachments. Should an attacker steal or manage to get hold of your phone itself, they would be prevented from accessing the data it contains due to the encryption at rest (assuming you have set a passcode that they don’t know and can’t guess), bolstered further by the Secure Enclave. Should an attacker try and create a malicious app that steals your data, the Apple reviewer should pick this up during their tests and reject it from the App Store. And once again, should the app somehow get through the review process, it will be blocked from accessing your data by the application sandboxing.

Sounds pretty damn good right?

Right?

Is iOS really as secure as Apple claims?

Ok so let’s dig into the weeds now and see what evidence there is to suggest that the security features above might not be as foolproof as Apple and its congregation of fruitarians might want us to believe.

Let’s get into it.

XcodeGhost

In terms of sheer numbers the XcodeGhost hack probably takes the cake. Xcode is Apple’s Integrated Development Environment (IDE) that is used to create apps for its various devices, and back in 2015 someone hosted a version of the IDE on Baidu (a Chinese file sharing site) that injected malware into any apps that developers built with it. This was XcodeGhost.

While normally developers would download Xcode directly from Apple, in China developers experienced very slow download speeds from the Apple site, so they often opted to download Xcode from Baidu instead.

The malware that the tampered Xcode injected into the apps somehow evaded the detection of the Apple reviewers, and it is estimated that up to 4000 infected apps ended up making their way into the App Store and potentially infected upwards of 100 million devices.

Holy Moly

Devices that were infected with this malware would send basic device information as well as the contents of the victim’s clipboard to a central server.
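The defender’s lesson from XcodeGhost is that the toolchain itself is part of the supply chain. Apple’s guidance at the time was to validate the installed copy with `spctl --assess --verbose /Applications/Xcode.app` and accept it only if the reported source is the Mac App Store or Apple. The script below is an added example, not code from the original post or from Apple: the `assess_xcode_output` and `check_xcode` helpers and the sample verdict lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example: classify the verdict that `spctl --assess --verbose` prints
# for an Xcode.app bundle. A build pulled from an unofficial mirror (the
# XcodeGhost case) is either unsigned or signed by someone other than Apple,
# so Gatekeeper either rejects it or reports a different source.
# The helper names and sample outputs are constructed for this example.

assess_xcode_output() {
  # $1 is everything spctl printed. Some versions print "path: accepted" and
  # "source=..." on separate lines, so flatten to one line and append a
  # space so that "source=Apple" can be matched as a whole value.
  flat="$(printf '%s' "$1" | tr '\n' ' ') "
  case "$flat" in
    *": accepted "*"source=Mac App Store "*|*": accepted "*"source=Apple "*)
      # "source=Apple " also covers "source=Apple System "
      echo "trusted" ;;
    *": accepted "*"source="*)
      # Signed and accepted by Gatekeeper, but not by Apple: a redistribution
      echo "untrusted-signer" ;;
    *)
      # "rejected", "no usable signature" or anything unexpected
      echo "rejected" ;;
  esac
}

# Run the real assessment (macOS only) and succeed only on a trusted verdict.
check_xcode() {
  app="${1:-/Applications/Xcode.app}"
  out="$(spctl --assess --verbose "$app" 2>&1)"
  verdict="$(assess_xcode_output "$out")"
  echo "$app: $verdict"
  [ "$verdict" = "trusted" ]
}

# Usage: sh check_xcode.sh /Applications/Xcode.app  (only runs where spctl exists)
if [ "$#" -gt 0 ] && command -v spctl >/dev/null 2>&1; then
  check_xcode "$1"
fi
```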

Watering Hole Attacks

Watering hole attacks are when threat actors target a specific group of people by using a website that they are known to visit in order to compromise their devices.

I was able to find two reported instances of watering hole attacks being used to hack both iOS and Android devices.

The first was in 2019 when the Uighur people were targeted over a period of two years. Multiple sites that this population frequented were used to infect the victims’ devices by exploiting a series of vulnerabilities that enabled the attackers to inject malware into the Uighur people’s devices without them ever knowing. Once infected, the hackers had near total control over the victims’ phones.

The second instance was in 2021 when a similar attack was used to target the Hong Kong rioters by using selected pro-democracy sites that the rioters frequented. Just like the previous attack, an exploit chain was utilized that gave the attackers near total control over the victims’ devices.

As you can probably guess both attacks appear to be the work of Chinese state sponsored hackers.

Kaspersky Triangulation Attack

In June of 2023 Kaspersky, a cyber security company, discovered that iOS devices used by the company’s staff had been infected with malware that was delivered via a hidden iMessage.

According to Kaspersky, once the device was infected “The spyware then quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device.”

The firm is unsure of who launched the attack against them and stated that the only way to remove the malware was a complete factory reset of the device (resulting in a loss of the user’s data).

Pegasus Spyware

Now you may have heard of this one recently because it hit the news big time back in March when it was uncovered that Pegasus was able to infect iOS devices using a zero-click exploit by sending an iMessage to the victim. The exploit was termed zero-click because the victim only had to receive the message to get infected. Once installed, Pegasus is reportedly able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from a variety of apps.

This spyware has been developed by an Israeli cyber-arms company called the NSO group who sell the software to governments and law enforcement agencies around the world. The company markets this software as a tool to be used against criminals and terrorists, however there is evidence that it has been used to spy on journalists, lawyers, political dissidents, and human rights activists.

While the zero-click iMessage exploit has since been patched by Apple the software has multiple other vectors of attack and NSO will continue to add new exploit chains as required.

Reign Spyware

The Reign spyware is pretty much just a competing product on the “selling spyware to three letter agencies and totalitarian regimes” market. This software is created and maintained by another Israeli cyber-arms company called QuaDream and its flagship software product has also recently been in the news.

In April of this year Microsoft and Citizen Lab discovered the spyware had been used to hack at least five individuals including journalists, political opposition figures and an NGO worker, using another zero-click exploit that used “invisible iCloud invitations” to inject its malware payload into victims’ iOS devices.

Once infected the attackers essentially had complete control over the device and could exfiltrate a variety of information as shown in the graphic below.

Bug Bounty trends

Ok the last point I want to get into isn’t about an iOS exploit, but about a company that buys these exploits off security researchers and sells them to governments and cyber-arms firms (like our friends at NSO and QuaDream).

The company is called Zerodium and they host a bug bounty platform that pays big dollars for zero-day exploits for both smartphones (iOS and Android) but also computers and servers (Windows, Linux, Mac).

Historically Zerodium has paid much higher bounties for iOS than it has for Android due to the fact that these exploits were much rarer. However this narrative was flipped in 2019 when Android exploits became more valuable (up to $2.5 million USD) than iOS exploits (up to $2 million USD) reflecting the fact that Google has done a lot of work in addressing Android’s security issues.

This was a massive change in the exploit environment as Android exploits were only paying a maximum of $200K USD just a year before in 2018.

One caveat worth considering however is that Android devices make up 70% of the smartphone market, so iOS exploits are still relatively more expensive – however it does demonstrate that the gap has closed substantially between the two smartphone operating systems, and it doesn’t lend much credibility towards the idea that iPhones are harder to hack. In fact in May of 2020 Zerodium paused buying iOS exploits altogether for 3 months because it had too many already.

So what can we take away from this?

To conclude this already too long blog post I want to briefly state my takeaways from this rollercoaster of a journey:

  1. iPhones and the iOS operating system are by no means impregnable. In fact it’s clear that if you have enough money you can pay someone like the NSO group for some very potent malware that has a variety of vectors of attack.
  2. Given that Zerodium is paying $2 million plus for both iOS and Android exploits and that most of the attacks mentioned above were carried out by state sponsored groups, it’s clear that the barrier to entry in hacking both iPhones and Android devices is very high. So it is extremely unlikely that your creepy neighbor or a bored pimply faced teenager has the capability to hack your smartphone.

So in conclusion I would say that while your iPhone should be safe from hackers, nothing is certain.

Over and out.
