iOS Insecurity - Designed by Apple?
Jul 22, 2014 11:34 AM PT
The long-held belief that Android is the least secure of mobile OSes was shattered by security researcher and expert iOS hacker Jonathan Zdziarski at the Hope/X hackers' conference, held in New York over the weekend.
Zdziarski unveiled a host of iOS vulnerabilities, the scope of which was staggering.
They include undocumented services that bypass backup encryption and can be accessed both via USB and wirelessly; a means to access all data encrypted with data protection if the device has not been rebooted since the user's PIN was last entered; and a packet sniffer that can be monitored remotely over WiFi.
"This is how some features in iOS have evolved over the past few years," Zdziarski wrote in a blog post. "I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware; and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer.
It is "not entirely surprising" that Apple goes out of its way to help law enforcement by bypassing backup encryption for SMS, photos, videos, contacts, audio recording and call history, Craig Young, security researcher at Tripwire, told TechNewsWorld.
However, "it is very interesting that Apple would include a packet sniffer on consumer devices," Young continued. "It will be interesting to see whether these services will be present in the next iOS release."
Some of Zdziarski's Discoveries
Since iDevices are always authenticated, even while locked, they are always at risk of spilling all the data on them to third parties, Zdziarski found.
For example, the com.apple.mobile.file_relay iOS vulnerability retrieves databases and deleted records; transmits raw file data in a compressed archive based on the data source requested; and "completely bypasses" Apple's backup encryption," Zdziarski said.
It was "very intentionally placed" and intended to dump data from the device by request.
HFSMeta, a new com.apple.mobile.file_relay feature in iOS7, renders a "complete" metadata disk sparse image of the iOS file system without the actual file content. It also records when the device was last activated or wiped.
Fiends or Fools?
The com.apple.mobile.house_arrest feature, which originally was used to let iTunes copy documents to and from third-party applications, now allows access to the Library, Caches, Cookies and Preferences folders, which contain highly sensitive data, Zdziarski said.
Com.apple.mobile.file_relay was "once thought benign," but it "has evolved considerably, even in iOS7, to expose much personal data," he continued.
"I'm having a hard time believing that Apple intentionally put holes in their OS so they'd weaken security," muttered Frank Dickson, network security industry principal at Frost & Sullivan.
"Apple's always been about strengthening the user experience," Dickson told TechNewsWorld. "Its motive is to generate profits. At the end of the day, you have to ask yourself, what's the profit in this?"
The code "was probably written by hundreds of programmers," Dickson suggested. "At the end of the day, I have to think there was just unintended sloppiness or someone had thought the security hole was not that big a deal, or was less important than generating the next security platform.
Whither the IBM Partnership?
"Part of the reason the two firms are getting together is so that Apple gets help in addressing these issues," Enderle said. "Recall it was IBM that fixed the antenna problem leading to antennagate."
"Antennagate" is the name the late Apple CEO Steve Jobs gave to the firestorm that erupted over the iPhone 4's problems with its antenna.
"Under IBM, much of the exposure [to the vulnerabilities] can be mitigated," said Enderle, "with management software, access policies and stronger security oversight."