Mobile Security Weekly – Are iOS and Android full of holes or is it just Gamma Group?


Questions continue to be raised, both by users and now governments, regarding the safety of mobile devices. With news items going both ways, it’s hard to keep up and make sure that your enterprise is aware of all the relevant risks.

In light of the recent Gamma Group leak, is iOS that much safer, or not?
In today’s mobile landscape, Apple loves to highlight the fact that Android phones are more susceptible to malware while the iPhone is considered more secure. Now, leaked documents from Gamma Group, one of the world’s leading surveillance companies, seem to have reaffirmed the idea, or did they?

The latest Gamma Group document leak exposes quite a lot of information on the group's most advanced surveillance tools for sale. Included is a full breakdown of FinSpy – an advanced mobile Remote Access Trojan (mRAT) that can be used to monitor Skype conversations, take screenshots and photos using a device’s camera, record microphone audio, intercept emails and voice-over-IP calls, and extract files from hard discs. FinSpy can be controlled remotely as soon as the compromised device is connected to the Internet.

While FinSpy has the capability to infiltrate Android, BlackBerry and older Microsoft handsets, iPhones are out of reach unless the device’s core security protocols have been changed through jailbreaking.

Why is this Significant?
In a world where nobody uses a jailbroken device – this would indeed be a headline proving iOS’s superior security. In actual fact:

  • Tens of millions of users around the world (including many that bring their devices to work) have jailbroken their own iOS devices.
  • Advanced attacks against iOS devices also include the installation of malicious configuration profiles – settings “packages” created with Apple’s iPhone Configuration Utility that are an easy way of distributing network settings to iOS devices. Threat actors can use malicious profiles to hijack network activity and retrieve confidential data – for more, listen to our recent podcast.
  • Targeted Man-in-the-Middle attacks are much easier to carry out against mobile devices.
  • APT campaigns targeting mobile users also include the installation of developer and enterprise certificates, known to have been used in former versions of FinSpy.
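A configuration profile is just an XML property list, so the network-hijacking pattern described in the second bullet can be spotted before a user taps Install. The following is an added example written for this post, not code from Gamma Group, Apple or any tool mentioned here: it parses an unsigned `.mobileconfig` with Python's standard `plistlib` and flags payload types that change how the device trusts or routes traffic (a root certificate, a global HTTP proxy, a managed VPN). The sample profile is constructed for the example; the payload type strings are Apple's documented identifiers, and the "review" threshold is this example's own choice.

```python
import plistlib

# Payload types that change how the device trusts or routes traffic. A profile
# advertised as "network settings" that also carries one of these deserves a
# second look before anyone installs it.
HIGH_RISK_PAYLOADS = {
    "com.apple.security.root": "adds a trusted root certificate (issuer can intercept TLS)",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "routes device traffic through a VPN chosen by the profile author",
}


def audit_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig (XML plist) and flag traffic-hijacking payloads.

    Signed profiles are CMS-wrapped and must be unwrapped first; this example
    handles only the plain XML form.
    """
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType", "<missing>") for p in payloads]
    high_risk = [(t, HIGH_RISK_PAYLOADS[t]) for t in types if t in HIGH_RISK_PAYLOADS]
    return {
        "name": profile.get("PayloadDisplayName", "<unnamed>"),
        "identifier": profile.get("PayloadIdentifier", "<none>"),
        "payload_types": types,
        "high_risk": high_risk,
        "verdict": "REVIEW" if high_risk else "OK",
    }


# Constructed sample (not a real profile): presented as guest Wi-Fi settings, but
# it also installs a root CA and a global proxy, which is how network activity
# gets hijacked. Identifiers, UUID and addresses are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Guest Wi-Fi Settings (constructed)</string>
  <key>PayloadIdentifier</key><string>example.constructed.wifi</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>GuestNet</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadCertificateFileName</key><string>ca.cer</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyServer</key><string>192.0.2.10</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    result = audit_profile(SAMPLE_PROFILE)
    print(result["name"], "->", result["verdict"])
    for ptype, why in result["high_risk"]:
        print(f"  {ptype}: {why}")
```

Running it on the constructed profile reports `REVIEW` with the root-certificate and global-proxy payloads listed; a profile that only carries the Wi-Fi payload comes back `OK`. In an enterprise, the same check fits naturally in front of an MDM enrolment or help-desk workflow, where profiles are accepted from users or vendors.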

To learn more about the top-5 cyber security threats to iOS devices, watch our 5-min YouTube video.

Metropolitan Police calls for mandatory passwords on all new mobiles in the UK
In light of the worrying rise in mobile-related crime (both from cybercrime and theft), senior officers from the Met’s National Mobile Phone Crime Unit (NMPCU) have met with firms including Apple and Samsung to discuss the new measure, which police see as a key way of tackling handset and identity theft. Police want to see each phone sold with a password already in place.

Recent research suggests that up to 60 per cent of phones do not have a password, offering thieves access to a vast amount of valuable personal information. Putting espionage aside, an unlocked device is also worth much more on the streets.

Why is this Significant?
This is the second time in as many weeks where British officials have taken action regarding mobile security. Like last week, we see this as a very positive step forward (although it’s obviously also a sign that mobile-related crime is growing). It’s important to note that the manufacturers aren’t ignoring this issue either. Apple and Samsung are constantly looking at ways to improve device security. Both are slowly but surely going deeper into the realm of biometrics. Fingerprint scanners are already here and retina scanners are on the way. It’ll be interesting to see how this area continues to evolve over the coming months (the iPhone 6 is just weeks away…).

New report claims that 178 million Android devices in the Middle East & Africa are at risk
Researchers claim that more than 94 percent of popular Android apps used in the Middle East and Africa are potentially vulnerable due to the prevalence of older Android versions. This is based on a problem with the Android Internal Storage – a protected area that Android-based applications use to store private information, including usernames and passwords.

The report goes on to say that a threat actor may be able to steal sensitive information from most of the apps on an older version of Android OS using the Android Debug Bridge (ADB) backup/restore function. What’s more, many of the security enhancements added by Google to prevent this type of attack can be bypassed. With about 85% of Android devices in the Middle East and Africa running 4.0 or below – millions of people are in harm’s way.

Unfortunately, most of the apps on the Google Play marketplace, including pre-installed email and browser applications, use the backup system, making them vulnerable. Many Android apps store user passwords in plaintext in Android Internal Storage, meaning almost all popular e-mail clients, FTP clients and SSH client applications are vulnerable too.
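Whether an app is exposed to the ADB backup/restore path described above depends largely on one manifest setting: `android:allowBackup`, which defaults to true, so an app that never sets it participates in `adb backup` and its internal storage can be exported. The following is an added example written for this post, not code from the report or from Google: a static check over an `AndroidManifest.xml` that flags a missing or true `allowBackup` as high severity and notes, as information, when `minSdkVersion` lets the app install on Android 4.0.x (API level 14-15) or earlier. The two manifests are constructed; package and activity names are placeholders. The check assumes a source (text) manifest, since the one inside a built APK is binary XML and needs decoding first, and it cannot see whether credentials are stored in plaintext, which must be fixed in the app's code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android(attr: str) -> str:
    # ElementTree exposes namespaced attributes as "{uri}name".
    return f"{{{ANDROID_NS}}}{attr}"


def audit_manifest(xml_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings about backup exposure in a manifest."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    app = root.find("application")
    if app is None:
        return [("high", "no <application> element found")]

    # allowBackup defaults to true: 'adb backup' can then export the app's internal storage.
    allow_backup = app.get(_android("allowBackup"))
    if allow_backup is None:
        findings.append(("high", "android:allowBackup not set (defaults to true): "
                                 "internal storage is exportable via adb backup"))
    elif allow_backup.strip().lower() != "false":
        findings.append(("high", f"android:allowBackup={allow_backup!r}: "
                                 "internal storage is exportable via adb backup"))

    # Android 4.0.x is API level 14-15. A minSdkVersion at or below that means the
    # app installs on the releases the report is about, so what it keeps in
    # internal storage matters more.
    uses_sdk = root.find("uses-sdk")
    min_sdk = uses_sdk.get(_android("minSdkVersion")) if uses_sdk is not None else None
    if min_sdk and min_sdk.isdigit() and int(min_sdk) <= 15:
        findings.append(("info", f"minSdkVersion={min_sdk}: app installs on Android 4.0.x or earlier"))

    return findings


# Constructed manifests (not taken from any real app). The first never mentions
# allowBackup, so it inherits the default of true; the second opts out.
VULNERABLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.mail">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
    <application android:label="Constructed Mail">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.mail">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
    <application android:label="Constructed Mail" android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label)
        for severity, message in audit_manifest(manifest):
            print(f"  [{severity}] {message}")
```

On the constructed input the first manifest gets a high-severity finding for the missing `allowBackup` plus the informational note about its minimum SDK; the hardened one keeps only the informational note, because `android:allowBackup="false"` removes the app from `adb backup`. The fix is cheap for developers to ship, which is why this check belongs in an enterprise's app-vetting pipeline rather than waiting for the device population to move off 4.0.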

Why is this Significant?
This goes back to the much discussed issue of Android fragmentation. The fact that more recent versions of Android OS are immune to this and many other security problems is almost irrelevant when there are hundreds of millions of devices still running earlier versions, often with users not even knowing that they are in danger or being able to do anything about it.

This type of problem requires a joint effort from Google, the app developers and the cellular providers. The apps need to improve their security, Google needs to find a way of supplying security enhancements to more users and the cell providers need to help make the process as simple as possible. This is obviously not something that will happen in the immediate future. Enterprises need to consider third-party solutions that can provide a comprehensive, integrated and scalable mobile threat management solution to detect and mitigate advanced mobile threats to corporate resources.