Apple is known to be very keen on securing its users’ devices to protect them from attacks, but many different attack vectors have managed to bypass the security features of iOS. Today’s post provides a high-level overview of the six most common types of attacks that impact iOS devices. We’ll follow-up on these with a series of blog posts that expand on these iOS attack vectors.
No matter how hard Apple tries, it just can’t seem to lock out jailbreaks. In fact, the Pangu jailbreaking team announced last week it had released a successful jailbreak for iOS 9.1. Jailbreaking continues to be a major problem that undermines the entire iOS security framework.
Some users actively jailbreak their devices, but many devices are jailbroken by malicious factors in order to infiltrate them. Many methods can help users and attackers to hide themselves from Mobile Device Management (MDM) solutions, compromising enterprises’ data.
iOS Enterprise or Developer Certificates
Apple’s architecture includes three different avenues in which a third party app can run on the device. The first and the most common are apps certified by Apple’s code review and published on the official App Store.
The second and the third are developer and enterprise certificates. Apps developed using these certificates do not go through Apple’s security review and can be used freely on iOS devices. This has been a factor in major architecture breaches in iOS in recent years. Many attacks used these certificates to successfully bypass all security measures.
Furthermore, enterprise and developer certificates are commonly used to distribute apps in third-party stores. These stores are prevalent especially in China but also exist elsewhere. Malware has managed to utilize these third party stores to spread themselves time and again, so this is not a unique phenomenon.
A recent survey Check Point conducted in a Fortune 100 company showed that among the 5,000 devices analyzed, 318 unique enterprise apps were installed. If only one of them is malicious, all of the company’s data could be compromised.
Malicious iOS Profiles
These attacks leverage the permissions of a profile to circumvent typical security mechanisms to do almost anything. A profile is an extremely sensitive optional configuration file that can re-define different system functionality parameters, such as mobile carrier, MDM and network settings.
A user may be tricked into downloading a malicious profile. In doing so, he may unknowingly provide the rogue configuration the ability to re-route all traffic from the mobile device to an attacker-controlled server, to install further rogue apps, and even to decrypt communications.
Man in the Middle (MitM) attacks are sometimes mistakenly disregarded as highly unlikely. However, they are a grim reality we have observed in the wild. MitM attack methods vary and can be initiated by a malicious hotspot, server or even a malicious base station. The attacks themselves re-route all communications through the attacker-controlled network device, thus compromising all data passing through. Whether the user is accessing financial accounts or corporate assets, the information will fall into the hands of the attacker.
Check out our blog post on targeted SSL attacks for a deeper dive into how cyber criminals can use MitM attacks to hijack your data.
WebKits enable web browsers to render web pages correctly for a user. Attackers will exploit vulnerabilities in a Webkit to execute scripts of their own. Attackers commonly use them as a springboard for remote device infection.
An example of a WebKit was the popular iOS4 jailbreaking technique, named JailbreakMe. It took advantage of flaws in the Safari browser, enabling users to jailbreak their device when they visited a dedicated website. While this is an example of an intentional use of a Webkit by a user, Webkits can be easily used by attackers to hack your device.
Zero-day attacks represent exploits of vulnerabilities that have been uncovered but not yet released. And with vulnerability researchers reportedly earning $500K per vulnerability, the race towards exposure is in full throttle. These vulnerabilities can lead to the silent installation of mobile Trojans on a device through a remote exploitation technique.
Once on the device, they may enable the attacker to steal passwords, corporate data and emails, as well as capture all keyboard activity (key logging) and screen information (screen scraping). They may also activate the microphone to listen in on conversations and meetings, or act as a botnet to steal contacts or text messages (SMS texts).
So how secure is it?
The truth is that as secure as iOS is, there will always be groups trying to climb over Apple’s garden wall. iOS devices are treasure troves of valuable information that, if left unprotected, could yield tremendous gains to cyber criminals who are increasingly targeting these devices.
Be sure to follow our Over the Garden Wall blog series to learn even more about how these vulnerabilities can let criminals take hold of your sensitive data.
Check Point Mobile Threat Prevention
Schedule a demo of Mobile Threat Prevention
Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.