Security on the iPhone continues to improve which is important for owners of Apple mobile products. Ironically it's good for hackers too.
Apple's presence in the enterprise community continues to grow. iPhones and iPads are commonplace in Fortune 500 companies and government agencies, including the White House and the U.S. military. In order to do so, however, Apple had to update its iOS mobile operating system with some of the industry's most robust security features.
Now many mobile app developers no longer put their own safeguards in place, and instead rely almost exclusively on the core security features of the iOS for security. Now one vulnerability can easily effect thousands of apps.. "Security is now an afterthought for many app developers," said Jonathan Zdziarski, senior forensic scientist at viaForensics, in a presentation at the Black Hat cybersecurity conference in Las Vegas on Thursday. "That means if you hack one, you can hack them all."
At Black Hat this year Zdziarski delivered his workshop on "The Dark Art of iOS Application Hacking." The scenarios Zdziarski outlined are scary, but they're also far-fetched. To hack all the apps on your phone, a hacker would need to:
- steal your iPhone, which isn't so hard, and
- discover and exploit an iOS vulnerability before Apple does which has proven to be very difficult to do.
"This isn't Chicken Little and the sky is falling," Zdziarski said "But the message is if you don't add your own security to your app, you're highly susceptible." Zdziarski live-demonstrated some of the vulnerabilities of a few popular iOS apps.
For instance, a bug in PayPal's app allows a hacker to place malicious code in a stolen iPhone and get all the log-in information that a user enters. It's unlikely. The hacker would need about 20 minutes with the iPhone to do it..
"The security of our users is a top priority for PayPal," the company said in a statement. "One of the benefits of using PayPal on a mobile device is that a user's financial information is stored in the cloud and not on his or her device. Therefore, even if a device is compromised a user's financial information is inaccessible."
One vulnerable spot is Apple's lack of password confirmations any time a user returns to an app they've previously logged into. In one demo, Zdziarski tweaked an app's code and entered, "userIsLogged: 1." That "1" means "true" in this case, and the app was tricked into thinking the user had been properly identified. Zdziarski's goal wasn't to call out any company in particular, he said. Rather, it was to warn developers when dealing with security in their iPhone apps. "Apple has good security," Zdziarski said. "Just don't rely entirely upon it."
