In-depth

Why Apple fanboys are in security denial

Davey Winder tells Apple users why they're wrong to assume their operating systems are "more secure" than Microsoft's

Apple's operating systems are often considered to be "more secure" than Microsoft's offerings, particularly on the malware front.  

More secure is not (no matter how loud the Apple fanboys scream) the same as totally secure though.

Apple claims "iOS is designed with advanced security technologies built in so that IT has end-to-end control of devices, data and apps" and goes on to insist that "iOS delivers a secure architecture and provides enhanced data protection." Both these claims would appear to be less than, well, secure.

Last week security researchers at FireEye talked about an iOS vulnerability under a disclosure piece entitled 'All Your iOS Apps Belong to Us.'  The so-called Masque Attack is of particular interest to enterprise iOS users because it means a genuine 'App Store App' could be replaced by a malicious one installed through the enterprise provisioning process.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

All it takes is for both applications to use the same bundle identifier. The only apps not at risk are the pre-installed iOS ones such as Mobile Safari for example.

How can this be? Surely there's some highly convoluted methodology at play to get around the iOS secure architecture of which Apple is so proud? Erm, nope, not really.

iOS simply doesn't enforce matching certificates for apps with the same bundle identifier. End of. This isn't your usual 'oh but if a device is jailbroken then users get what they deserve' exercise either, as FireEye verified the vulnerability for jailbroken and non-jailbroken devices with equal impact.

What's more, the company did so through wireless network and USB access. The researchers responsibly disclosed the vulnerability to Apple back in July, and Apple says the vulnerability "hasn't been used against customers, and security measures are in place to prevent bad software from making its way onto your device" so that's OK then. Apart from the fact it isn't.

FireEye says it has examined how the WireLurker malware is actively utilising Masque, albeit in a limited form, to attack iOS devices through USB.

It's possible, the researchers say, to replace a banking app this way and gain access to banking credentials. It's also possible for the malware to be able to access the original application's local data as this is not always removed when that app is replaced. Data which may include login-tokens or cached emails, for example. Still, as long as Apple isn't concerned you don't need to be, right? Wrong! With a bloody big W.

Advertisement - Article continues below

Individual iOS users are, fair enough, pretty safe from the risk which Masque poses, but enterprise users are not. Apps distributed using enterprise provisioning profiles are not subject to the Apple security review process.

Obviously, to mitigate the enterprise risk, only apps from the enterprise's own secure site should be installed, and users shouldn't install any from third-party sites or just because a pop-up tells them to.

Any iOS alerts concerning untrusted app developers should be taken seriously and the don't trust option selected. Better still, Apple could get off it's high horse and fix the problem for everyone, and that includes enterprise users.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/business-strategy/33311/apple-launches-new-tv-gaming-and-finance-services
Business strategy

Apple launches new TV, gaming and finance services

25 Mar 2019
Visit/hardware/laptops/354509/apple-macbook-pro-16in-review-a-little-bigger-a-lot-better
Laptops

Apple MacBook Pro 16in review: A little bigger, a lot better

10 Jan 2020
Visit/mobile/23617/the-best-smartphones-to-buy
Mobile

Best smartphone 2019: Apple, Samsung and OnePlus duke it out

24 Dec 2019
Visit/hardware/354336/the-it-pro-products-of-the-year-2019-all-the-years-best-hardware
Hardware

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/network-internet/broadband/354530/openreach-offers-free-full-fibre-installation-for-thousands-of
broadband

Openreach offers free full-fibre installation for thousands of homes

14 Jan 2020
Visit/security/vulnerability/354524/microsoft-to-patch-extraordinarily-serious-cryptographic-flaw
vulnerability

Microsoft to patch ‘extraordinarily serious’ cryptographic flaw

14 Jan 2020