As reported by Forbes, Apple has long claimed that iOS architecture has “built-in security features” and thus Apple owners don’t need separate anti-virus protection:
iPhone, iPad, and iPod touch are designed with layers of security. Low-level hardware and firmware features protect against malware and viruses, while high-level OS features allow secure access to personal information and corporate data, prevent unauthorized use, and help thwart attacks.
Basically, according to Forbes,
Apple doesn’t need an anti-virus program for iOS because it doesn’t leave room for a virus (or trojan, other malware etc.) to get into the system in the first place.
Nonetheless, anti-virus software providers like McAfee do offer versions for iOS. And there are several examples to show that iOS isn’t as invulnerable as once claimed.
In 2014, a security firm discovered a malware program called Wirelurker that was able to attack iOS devices via a USB connection. The effects of the malware, luckily, were minimal.
In 2015, malware called XcodeGhost affected at least 39 iOS apps, including ones for instant messaging, banking, and stock trading.
Most recently, as reported by Tech Crunch, a human rights activist based in the UAE discovered that he had almost been the victim of a sophisticated phishing attack.
The activist, Ahmed Mansoor, received a suspicious text message purporting to offer information on detainees being tortured. Mansoor is viewed as a dissident in the UAE and has been unable to leave since his passport was taken in 2011.
Rather than clicking on the link, Mansoor wisely forwarded the messages to Citizen Lab, a security research organization at the University of Toronto.
The lab discovered that the link would have
leveraged three separate and highly serious exploits in iOS — executing arbitrary code through WebKit, gaining access to the kernel, and then executing code within the kernel.
This hack involved what’s known as a “zero-day.” As explained by Wired,
Zero-day vulnerability refers to a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors. This means the vulnerability is also not yet publicly known, though it may already be known by attackers who are quietly exploiting it.
A “zero-day exploit” refers to code that hackers use to take advantage of a zero-day vulnerability.
The expression “zero day” refers to the number of days that a software vendor has known about the vulnerability — i.e., none.
As Wired notes,
Zero day vulnerabilities and exploit codes are extremely valuable and are used not only by criminal hackers but also by nation-state spies and cyber warriors, like those working for the NSA and the U.S. Cyber Command.
This triple zero-day hack attempted against Mansoor is being called “Trident,” and the result would have been a jailbroken phone with just one click.
Once Trident breached iOS security, malware tools including a commercial spyware program called Pegasus would have taken over the phone.
The result of clicking on the link would have been a clandestine invasion of Mansoor’s phone. According to Wired, Pegasus
can surveil virtually anything, relaying phone calls, messages, emails, calendar data, contacts, keystrokes, audio and video feeds, and more back to whomever is controlling the attack.
Apple was notified of the iOS vulnerabilities and released a patch 10 days later — which is considered very fast in the security community. (If you haven’t yet updated your Apple device to iOS 9.3.5, this would be an excellent time to do so.)
Apple users can have their phones checked for Pegasus and other intrusions using apps like Lookout.
Although spyware has legitimate uses against criminals and terrorists, it also has not-so-savory uses.
As Citizen Lab put it,
Citizen Lab and others have repeatedly demonstrated that advanced “lawful intercept” spyware enables some governments and agencies, especially those operating without strong oversight, to target and harass journalists, activists and human rights workers.
Focus on Mobile
And as Tech Crunch noted,
The vulnerabilities show that hackers are increasingly turning their focus to mobile devices, and Apple’s increased focus on detecting zero-days shows that companies are striving to keep up. Mobile phones — particularly the iPhone — are often thought to be more secure than desktop computers and network infrastructure, so vulnerability research and hacking have been focused on those weaker devices. But the revelation of zero-days for Apple’s robust iOS security system marks a new era, in which the focus is heavily on mobile.
You don’t have to be a political dissident to be worried about attacks on your mobile device.
PACid’s dynamic data security technology can work with all mobile devices, including those running on iOS. We believe that everyone is entitled to this dynamic protection, and that the need for government surveillance shouldn’t inhibit its adoption.
As we discussed in this recent blog, quoting Congressman Ted Lieu,
You cannot have 300-some million Americans – and really, right, the global citizenry – be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable.