SecureMac, Inc.

Checklist 18: 016 iOS Security Year In Review

January 5, 2017

Last week we took a look back at the defining moments in 2016 for Mac security, and this week we’re giving iOS the same treatment! A lot has happened in the past year, and we’ve got plenty to cover in this episode!

Checklist 18: 016 iOS Security Year In Review

Can you believe it’s been almost a year since the Apple/FBI iPhone unlock drama? Time sure does fly! With 2016 coming to a close, it’s a good time to look back on the most important iOS security stories of the past year.

  • Apple, the FBI, and iOS unlock drama.
  • The first iOS trojan horse appeared.
  • Password-stealing trojan horses were found in the App Store.
  • A trio of iOS vulnerabilities led to some nasty spyware.
  • Apple’s year of iOS vulnerability whack-a-mole.

Apple, the FBI, and iOS unlock drama. Way back at almost the beginning of the year, headlines were filled with news of the standoff between Apple and the FBI. At the heart of the matter was a request by the FBI that Apple “unlock” and provide access to an iPhone belonging to the terrorist behind the San Bernardino shooting that took place in early December 2015. The FBI saw Apple’s resistance to providing an unlock mechanism as hindering their investigation, while Apple saw it as a “slippery slope” issue.

Apple argued that there was no way to securely provide the FBI with a tool to unlock a single iPhone without weakening the security of all iOS devices. Apple worried that by giving in to the FBI on this particular case, they’d be opening the door to future requests for similar access to iOS devices, and if the unlock software fell into the wrong hands it would put all iOS users at risk. After taking Apple to court, the FBI dropped their case at the last minute, as they found a third party unlock solution. Apple’s fight for encryption and privacy is only just beginning, as there are sure to be future tests of their mettle in the years to come.

The first iOS trojan horse appeared. 2016 saw the appearance of the first trojan horse to infect non-jailbroken iPhones by simply plugging them into a computer. Wait…what do we mean by “non-jailbroken” iPhones? Let’s cover a bit of background on jailbreaking before we get to the details on this particular piece of malware:

Jailbreaking is the removal of software restrictions imposed by Apple on iOS devices. This allows a user to run apps from outside of the official App Store, but also opens up the device to all sorts of security threats. The majority of iOS malware specifically targets jailbroken devices. The actual jailbreaking process actually involves exploiting vulnerabilities in iOS itself – so jailbreaking itself involves sidestepping the security measures Apple puts in place to keep iOS safe!

Ok, back to the topic at hand: In mid-March, the AceDeceiver trojan horse was found to be attacking non-jailbroken iOS devices. The attack was a bit convoluted, involving multiple steps to actually get the malware on the iOS device. Users first had to download one of a specific set of infected apps from the App Store. The app would then prompt the user to download and install a separate program that would only run on Microsoft Windows. Once the user ran the Windows app with their iPhone plugged into the computer, the trojan would be fully installed on the iOS device. Any other iOS device plugged into the same computer would also be infected.

Luckily, this attack was limited in scope. Apple quickly removed the offending apps from the App Store, and the attack only appears to have targeted Chinese iOS users.

Password-stealing trojan horses were found in the App Store. In late March, a pair of password-stealing trojan horses were found in the official App Store. The trojan horses, which were also being distributed in the Google Play Store, enticed Instagram users with the lure of seeing who viewed their profile, a feature which is simply not possible with the way Instagram currently works. Once installed, the malicious apps stole login credentials for Instagram, sending the username and password to a server controlled by the malware author. From there, the affected Instagram accounts were hacked and used to post spam messages on the user’s feed.

While not the first time these types of malicious apps were seen in the App Store, this particular attack was unique in a few different ways:

First, Apple already knew about the malware author. An app released under the same publisher name was busted by Apple back in November 2015, when it was found to have pulled a similar stunt. At that time, the app was removed from the App Store, and that should have been the end of the story. For some reason, Apple didn’t ban the malware developer’s account the first time around, which is the usual result in cases like this. Apple has the ability to revoke a developer’s code signing certificate, which is needed for an app to be able to run on an iOS device, and this step can quickly stop the spread of malware.

Second, the trojans remained live in the App Store for over six weeks, despite a slew of 1-star reviews from users claiming they’d been hacked after using the app. During this time, the apps continued to rank high in charts across the board, reaching the #1 spot for the entertainment app category in the Great Britain App Store, as well as making it into the top 10 apps overall. Prior to its removal from the Google Play Store, one of the trojans was listed as having between 100,000 and 500,000 installs, and it is likely that a large number of iOS users were infected as well.

Third, it took some extra prodding to get Apple to fully remove the trojans from the App Store. After the apps were removed from the Google Play Store, Apple eventually followed suit and removed one of the malicious apps, but missed the second one. We actually ended up contacting Apple’s security department to let them know the other trojan was still live in the App Store, at which time it was finally taken down as well.

A trio of iOS vulnerabilities led to some nasty spyware. A series of events that took place in early August led to the discovery of a trio of severe vulnerabilities in iOS that were being used to spread spyware targeting human rights activists. Ahmed Mansoor, a human rights activist from the United Arab Emirates, received a suspicious text message from a number he didn’t recognize. Having been targeted by government hackers in the past, he contacted Citizen Lab, a digital rights watchdog. After further research, Citizen Lab found that the text message led to an advanced piece of spyware that would have allowed the attackers to gain full control over Mansoor’s iPhone.

The spyware exploited three separate vulnerabilities in iOS, all of which were previously unknown. Zero-day exploits such as these command top dollar in the gray market of third party exploit brokers. One zero-day exploit being used in an attack like this is enough to raise eyebrows. The fact that three separate zero-days were used shows that there was a significant money behind this particular attack.

Once Apple was alerted to the vulnerabilities, they took immediate action and quickly raced to issue a fix with the release of iOS 9.3.5 in late August.

Apple’s year of iOS vulnerability whack-a-mole. Apple spent a lot of time in 2016 patching vulnerabilities that cropped up in iOS. While this is good news for users from a security standpoint, it does show that iOS remains a prime target for attackers. Covering each and every one of these vulnerabilities in detail is beyond the scope of this episode, so we’ll touch briefly on the salient points:

Way back in January 2016, Apple released iOS 9.2.1 which included a fix for a long-standing vulnerability that could have seen malicious “captive portals” stealing a user’s cookies and impersonating them on sites they visited. If you’ve ever connected to wi-fi at your local coffee shop or at a hotel, you’ve likely encountered a special login page, otherwise known as a “captive portal.” It turns out that a security firm called Skycure first discovered and reported this vulnerability to Apple back in June 2013, and it took apple 2.5 years to get around to fixing it! Luckily, Skycure acted responsibly and didn’t disclose the vulnerability publicly until after Apple had implemented a fix. The fact that this particular vulnerability remained wide-open for such a long time is troubling, however.

Other vulnerabilities that were addressed throughout the year included one bug in Apple’s encryption for iMessage that allowed attackers to decrypt photos and videos that were supposed to be sent securely, and another that could achieve remote code execution on a device by simply sending the victim a booby-trapped image file. As we discussed in a previous episode, users were recently inundated with iCloud calendar spam, which proved to be rather tricky to delete without notifying the spammer that your e-mail address was valid. Apple did eventually take some steps to tighten up security and spam detection on their servers, which seems to have solved this particular issue for now.

Things didn’t slow down for Apple as we neared the end of the year, with a slew of continuing headaches for iOS users. If the team in Cupertino was hoping for a respite during the holiday season, they were in for some disappointment!

There were more than a few vulnerabilities that gave attackers ways to bypass the iOS Activation Lock, which Apple touts as “a really powerful theft deterrent.” Back in November, a security researcher discovered that by entering a long string of characters for the WiFi network name and password during the iOS setup process, he could bypass the activation lock and access the home screen. Apple went on to patch that particular bug in iOS 10.1.1, but it appears they didn’t quite lock everything down, as other security researchers found they could still access the home screen by entering a string of emoji characters and rotating the screen at just the right time.

Not wanting to miss out on the fun, Siri also played a role in further security shenanigans. By utilizing Siri to enable the VoiceOver feature on a locked iOS device, and executing a specific sequence of taps on the screen, attackers were able to access the contacts, and eventually other portions of the phone including photos, and potentially the home screen. Another VoiceOver flaw gave attackers access to sensitive information by reading stored passwords aloud. Apple took the sledgehammer approach to fixing this one, and simply disabled VoiceOver for the affected portions of iOS.

There was one final nasty vulnerability that surfaced at the tail end of 2016, which basically renders the Messages app completely inoperable. By crafting an extremely long and complex vCard (a type of virtual business card used to share contact information), an attacker can send it to the victim, which causes Messages to crash when attempting to open the vCard. Restarting the device won’t solve the problem, since Messages will just try and open the most recent text, and crash once again. Thankfully, the hacker who came up with this attack only wanted to point out the security flaw, and not do any lasting damage, so he also released a fix for the issue – affected users can simply open a special link on their device to undo the damage.

While Apple spent much of 2016 putting out various security fires (all virtual, unlike Samsung), they also made some great strides in hardening the security of iOS. While there is no doubt that 2017 will continue to hold more threats in store, Apple definitely appears up to the task of taking them on.

That wraps things up for this episode! If you’d like more information on the topic we covered today, or if there’s a specific topic you’d like to see featured on a future episode, send us an e-mail at checklist@securemac.com!

Get the latest security news and deals