iPhone security not perfect, but still beats most
The biggest "security" stories spun off from the release of Apple's iPhone 5 earlier this month were about managing crowds and riots. Here's what you might have missed on the real security front.
Source: Lucas Jackson/Reuters
In the days before the U.S. launch, stories cropped up from various locations of harsh tactics used by private security and local law enforcement as thousands of expectant consumers camped outside of local Apple stores ahead of the phone's launch on September 12.
Then, in the days following the launch, around 2,000 workers at Foxconn's Taiyuan manufacturing plant in Northern China rioted. The circumstances leading up to the incident aren't known, but it is known that the Taiyuan plant manufactures the rear casing for the iPhone, and that Apple is rushing to produce more iPhone 5s to keep up with demand, after selling around 5 million of the devices in its first weekend. More than one news source cited pressure to churn out iPhones for ratcheting up overtime – and tensions – within the facility.
All the "guns and badges" stuff means we heard less about the kind of "security" problem we usually associate with popular electronics. You know: the kind that crashes your phone or, worse, divulges your contacts, credit card numbers and booze-fueled texting sessions? Indeed: Apple's launch of the iPhone 5 contained almost no mention of device security –either good or bad.
That's no accident. As with all its product launches, Apple jealously guarded even minor details about its new phone or the launch event beforehand and, because it makes both the hardware and software that make up the iPhone, the company can keep a tight lid on almost every detail of its devices. The company knows that later, in the excitement of the launch ("Thinner! Bigger screen! Faster!") sniggling questions about buffer overflows or the vulnerable Webkit mobile browser component sound like sour grapes from the mouth of a reporter.
Now that the excitement has died down, it's worth a look under the hood to try to answer that all-important question: is the iPhone 5 more secure? The answer, of course, depends on what you're comparing it to.
One would certainly be safe in stating that security wasn't an area of intense investment for Cupertino-based Apple this time around. The most oft-rumored security feature for the phone: a biometric finger scanner, never made it into the iPhone 5. This, even after Apple bought Authentec, the company that made the top mobile device finger scanner. In most other areas, Apple's iPhone 5 and iOS 6 operating system carried over security features from earlier iPhone editions, many without substantial changes. In its press materials and technical specifications for the iPhone 5, Apple touts iOS's built-in security features including strong passwords, data encryption both at rest and in transit, as well as a myriad of features to limit hackers' access to core operating system elements, such as application sandboxing, address space layout randomization and data execution prevention. What it doesn't mention is that all of them are legacy features. Address space layout randomization (ASLR), for example, was released with iOS 4.3, for example, which came out in 2011.
Does that mean iOS and iPhone 5 are hacker-proof already? Sadly, no. In fact, The iPhone 5's design team missed an easy one: allowing anyone to use the phone's Siri voice recognition feature to send Twitter messages and Facebook posts without first unlocking the device. Oops.
More significant: two Dutch security experts from the security firm Certified Secure in the Hague demonstrated a working exploit for a zero-day vulnerability in Webkit on an iPhone running iOS 6 on the same day that Apple's CEO was unveiling his new phone in downtown San Francisco. The exploit could be used to steal sensitive information from the system. There's no way to know if it will work on an iPhone 5, but the researchers certainly seem to think that's possible; they've turned over the exploit to TippingPoint's Zero Day Initiative.
So iPhone 5 and iOS aren't perfect on security. But ask a security expert – even one who has defeated the iPhone's many layers of security features – and they'll tell you they're pretty good. In fact, The Dutch team that bested iOS6 still took time to sing the OS's praises after the fact.
"Even the BlackBerry doesn't have all the security features that the iPhone has," Joost Pol, the CEO of Certified Secure told ZDNet upon winning the $30,000 cash prize in the Pwn2Own contest. "With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said. And Charlie Miller, famous for his own iPhone hacks, has also publicly admired the security features built into Apple's phone.
And the security of Apple devices extends beyond the code. Experts note that the company's top-down control model has advantages over the decentralized ecosystem that Google created with its open source Android platform.
Apple may not be any faster than Google to address critical vulnerabilities in its mobile operating system, but it's far more efficient in distributing those updates to its massive, global user base. Unlike Google, Apple was able to throw its weight around and wrest control for updating its devices away from carriers. The result is that iOS updates stream directly from Apple to iOS devices via its iTunes application, bypassing the carriers whose networks the phones connect to. The result: iOS devices are far more likely to be running the latest and most secure version of their operating system than Android devices.
"Apple got a lot of things right," said mobile security expert Jon Oberheide of the firm Duo Security. "They've done a much better job in the software update category – they have just a handful of hardware platforms that are all controlled by them and they control the software, too. So it's much more reasonable for them to provide updates."
In contrast, Google makes and manages the underlying Android operating system, but partners with a panoply of mobile carriers and OEM hardware makers to provide a wide range of different Android phone makes and models. As a result, any software update has to follow a torturous path from Google to the handset maker, and then out to customers via the various mobile carriers.
With little incentive to patch the mobile devices their customers use, it is no surprise that mobile carriers have a poor record of distributing software updates that repair critical security holes in mobile operating systems or applications, Oberheide said. Instead, they wait months or even years to disseminate Android updates to their customers.
Data from Duo Security found that 60% of the 20,000 Android devices running the company's X-Ray application were using a version of the Android OS, 2.3.3 that was released in February, 2011. There have been five separate updates to Google's mobile operating system since then, but they account for just over 18% of the global population of Android devices, Duo Security found. Those millions of vulnerable devices are the "biggest problem in the mobile security space" today, he said.
Apple's AppStore is also nominally more secure than Google's Android Marketplace, with Apple requiring developers to identify themselves and leave a deposit, then vetting submitted apps for quality and adherence to its security and privacy guidelines. None of those are insurmountable obstacles for a determined malware author – but they are impediments and a discouragement to all but the most motivated malware author.
Malicious code authors and cyber criminal groups have taken notice. The firm Lookout Mobile security reported detecting over 30,000 instances of unique malware in the month of July – much of it targeted at Android devices. To date, iOS malware has been mostly of the 'proof of concept' variety, with few or no instances found in the wild.
The security gulf between iOS and Android has prompted some industry watchers to declare the iPhone as the successor to The Blackberry, Research in Motion's flagship product, which dominated the enterprise mobility market for close to a decade. "iPhone now as secure as BlackBerry, say tech chiefs" reads one headline. The gist of the argument is that Apple's implementation of data encryption and password protection, coupled with stronger native and third party mobile device management features make iPhones a plausible replacement for the trusty Blackberry and Blackberry Enterprise Server (BES). RIM's financial teetering no doubt adds fuel to the fire, as enterprises worry about being left without a support life line in the event of a precipitous collapse at that company.
Of course, RIM could charge back from the brink of death with its new Blackberry OS and some savvy new devices. Or, Apple could stumble badly with the iPhone 5 and its successors. The company has a sterling track record for much of the last decade, but its Apple Maps debacle certainly has eyebrows raised. Or, Google could find religion on patching and security and woo enterprises with a lower price point and some attractive management tools. What actually happens is anyone's guess.
What is clear is that security is just one of many features that the iPhone 5 offers – and its not even close to the most desirable. Device makers that want to grab some of Apple's market share will have to be able to go toe-to-toe with the company on device and software security. More daunting: they'll have to do that while also finding a way to craft a cool, consumer-friendly device that people really want to buy and own. That last bit may be the biggest obstacle of all.