In June 2007, Apple released the iPhone, and the device quickly took off to become a major brand in the smartphone market. Yet when the iPhone shipped, security on the mobile operating system was nearly nonexistent.
Missing from the initial iOS (then called iPhone OS) were many of the security features that modern-day desktop software has as a matter of course, such as data-execution protection (DEP) and address-space layout randomization (ASLR). Apple's cachet lured security researchers to test the platform, and in less than a month, a trio had released details on the first vulnerability: an exploitable flaw in the mobile Safari browser.
"It was so insecure, it was bad," says Charlie Miller, a security research consultant for Accuvant and one of the finders of the flaw. "Your Web browser ran as root, and there was no sandboxing, no DEP, and no ASLR. It was a hacker's dream."
How times have changed. Between Apple's harried response to vulnerabilities found by security researchers and the company's own desire for control over the applications running on iPads and iPhones, iOS has become the most secure software platform to date, says Raimund Genes, CTO for software security firm Trend Micro.
"Apple owns the complete ecosystem -- they own the hardware, they own the software, and it makes it quite safe," Genes says. "And thanks to the App Store, they also have a recall switch."
Apple has repeatedly boasted it has an OS that is more secure than the competition. While security experts have frequently debated whether Mac OS X fits the bill, iOS doesn't seem to raise such questions. Miller, for example, does not disagree with the assessment that the iOS may be the current pinnacle of security for a mass-market operating system. "It's in the realm of truth," he says.
- A sandbox isolates programs, and iOS's memory organization makes exploitation more difficult.
- Applications that run on the iOS are vetted by Apple and can be removed if found to be malicious.
- Patches can be quickly applied to the iPhone and iPad to close security holes in the operating system.
- The software is regularly reviewed, especially its open source components.
- The platform has the advantage of attacker psychology -- attackers still target smartphones far less than desktop systems.
Better security with every versionAlthough iOS had a rocky start in terms of software security, the platform quickly gained a rounded set of security features.
iOS 4, the latest version of iOS, includes ASLR, DEP, a sandbox, and code signing. By comparison, Mac OS X has limited application-dependent sandboxing and no code signing, and it only partially implements ASLR. Microsoft's Windows 7 has DEP and ASLR, but code signing is limited to drivers and sandboxing is dependent on the application.
iOS also compares well against its competitors in the mobile space. Google's Android does not have DEP or ASLR, but it does have a strong sandbox and code signing, says Kevin Mahaffey, CTO for mobile security firm Lookout. Research in Motion's BlackBerry OS lacks all but sandboxing. "They all have really good sandboxes in terms on what limits are put on what code can do," Mahaffey says.
Although the inclusion of ASLR and DEP seemingly puts Apple ahead in design, it lacks an advanced feature that helps lock down both Google's Android and RIM's BlackBerry: granular privilege controls. Requiring applications to get specific permissions to access data on the phone can bolster security significantly, Mahaffey says.
The security is in the app storeIt's not surprising, then, that security professionals pointed not to Apple's design but to the company's gated App Store and its required code review before publishing as a major security advantage. "The closed ecosystem makes the model pretty safe," says Trend Micro's Genes. "It is not because the iOS is completely safe. From a system design standpoint, Android is safer."
Although security experts question the quality of the review performed by Apple's team -- the company is not transparent about its process -- Apple does seem to catch most of the bad actors, says Accuvant's Miller. "If you are completely security-clueless, you can still download every app out there and be fairly safe," he says.
But Apple doesn't catch all the bad apps. Lookout's Mahaffey points to the Handy Light incident as an example of the ability of applications to slip by Apple's review. In 2010, Apple pulled the flashlight app after it was discovered that hidden features allowed tethering, where a user could connect to the Internet through the phone's network. While the hidden functionality was not malicious for the user, it did undermine AT&T's own service for allowing network access and underscored that hidden, and potentially malicious, functions could get by Apple's review.
"The review process is great, but it is a reminder that we should not treat any one thing as a silver bullet," Mahaffey says.
iOS speeds patchesPatching is another area where Apple has done as well as desktop operating systems and better than its smartphone rivals. Software developers are fairly speedy in patching vulnerabilities in the operating system and popular desktop software. Yet, in rival smartphone OSes, multiple companies must sign off on a patch to the devices. A patch for an Android phone, for example, is created by the developers responsible for the software component -- in many cases, the product of an open source project -- included in an Android build by Google, integrated into Android by the phone manufacturer, and distributed by the carrier.
In a recent paper, two researchers from the Technische Universität Berlin found that vulnerabilities in "feature phones," a step down from smartphones, were rarely fixed. Five-year-old bugs still affected devices that were just a few months old, accordin to the researchers. Their conclusion: Carriers have the ability to do an over-the-air update for the phones, but they are rarely implemented.
"I have not seen a single case where a phone was updated because of a security bug rather than because a new Android version was available," says Nico Golde, one of the Technische Universität researchers.
On the other hand, Apple has a patch process for iOS that offers updates on a regular basis. Security-conscious iPhone and iPad users will have the latest patches on their devices. Yet, for the average user, Android's over-the-air update mechanism may be a better solution -- but only if the carriers and manufacturers can speed up fixes to their smartphones and tablets, says Accuvant's Miller.
"If you don't plug in your iPhone [into iTunes] all the time, you won't get the patches," he says. "I would almost have someone do it remotely, rather than count on the user to update."
Is anyone really looking to attack iOS?Windows users have to constantly be on the lookout for malware. Increasingly, so do Mac users. But smartphone users still don't have to face the same dangers, and that continues to be a major security benefit.
Although iOS has a lot of security going on underneath the hood, its safety could be due in large part to the fact that attackers have not focused on compromising the devices because there is no economic incentive to attack them, says Lookout's Mahaffey.
"Mobile devices are in the startup phase of the business of malware," he says. "Attackers are experimenting with business models, but we are not yet at the elbow in the curve." The psychology of the attackers will likely change, but figuring out when serious attacks will start targeting mobile devices, including the iPhone and iPad, is difficult.
The best example of a model of attacker's psychology may be a paper published in 2008, which used game theory to predict that attackers would start targeting Mac OS X when the devices reached a market share of approximately 16 percent.
Although predicting when attackers will take an increased interest in mobile devices would be interesting, it is more difficult than predicting the movement of malware from Windows to Mac OS X. The theory uses variables for market share and effectiveness of defenses, but assumes that each platform -- the PC and the Mac -- are of equal value to the attacker. That's not necessarily true for mobile devices.
"I think the model is generic enough to predict when people will move from attacking PCs to attacking handsets," says Adam O'Donnell, the author of the paper and the chief architect of the cloud technology group at Sourcefire. "The problem is that there is going to be different values in attacking each, and actually determining the value of compromising each will determine when attackers move to primarily attacking handsets."
Recognition, but not kudos, for AppleYet Apple does not necessarily deserve the credit for creating the amalgam of software design and process decisions that ultimately results in its secure iOS platform. The security features in iOS were adopted by necessity, not by design. When it initially arrived in 2007, the iPhone immediately became a target of security researchers, who found vulnerabilities quite quickly.
Moreover, the choice to have strict control over the App Store was driven more by profit considerations than by security foresight, he says. "They did not set out to create a supersecure device," Accuvant's Miller says. "They just wanted total control over the apps because they are control freaks, not because they wanted to prevent malware."
Apple's closed platform can also work against its security. Companies that want to develop stronger security for the device have been mostly prevented by Apple's iron-fisted control over iOS. When Trend Micro wanted to release a browser plug-in to identify malicious sites, for example, Apple refused to allow the add-on. After months of negotiations, the security company finally was allowed to release its own stand-alone browser into the App Store.
That's the key: If you can convince Apple of the benefits of the change, the company can be swayed, says Trend Micro CTO Genes. On iOS 4, for example, Trend Micro's Smart Surfing app can intercept the URLs and run them through a list of bad sites, he says. Still, the process for getting there was painful and could slow the adoption of innovative security technologies, he warns.
"We can do things on [other platforms] to protect them that we can't do with the iOS," Genes says, "so their control over the platform has its good and bad points."