Conventional wisdom seems to be that Apple is secure from hackers and malware. But the reality of the situation isn’t very reassuring.
In the relatively short lifespan of the iPhone, users have felt fairly safe using them, because almost all the malware seemed to be focused upon the more widely used Android devices. However, with the increasing popularity of iOS devices — including iPads — the “bad guys” are increasing their focus on the iOS mobile platform, and are inevitably finding vulnerabilities in the Apple computer OS as well.
As of February 1, the Common Vulnerabilities and Exposures (CVE) database lists 12 new iOS vulnerabilities documented so far in 2016 alone, including five with a score of 9.3 (out of 10). Just this week, a flaw was discovered that will “brick” your newer iPhone by merely setting the system date to January 1, 1970.
Note that these are just the flaws that have been reported and confirmed. Those discovered by the black hats are not reported, but rather explored and researched for use in malware.
A recent example of this is the malware called YiSpecter, which could infect normal (non-jailbroken) iPhones, and went undiscovered for over ten months. This malware could install unwanted apps, replace legitimate apps, force apps to display unwanted ads, send user information back to its server, and reappear after being manually removed.
Fortunately, Apple updates its software regularly and automatically, and has a fairly good record of responding quickly to malware reports. However, unreported vulnerabilities present an ongoing threat.
Most of the iOS attacks occur by the user installing an infected app (yes, even the App store lets a few through) or by responding to a phishing email. It’s important to remember that most of the big corporate security breaches of the past few years have been the result of an executive, employee or contractor responding to a targeted spear-phishing attack. The best defense for the corporation is, as always, to control what apps are installed on company owned-devices, putting controls in place for BYOD, and continuing training of users to detect spear phishing attacks.