Tuesday, 28 September 2010

SRG Goes Mobile, Part Three -- iOS Security and Old Attacks Getting A Makeover


As an intern at Fortify this past summer, I researched analysis techniques for Objective-C and potential security vulnerabilities in iOS (iPhone, iPod Touch, iPad) applications. In this blog post I discuss recent attacks against the iOS platform and note some parallels to older attacks. In my next post, I'll discuss what an attack at the application layer of iOS might look like.

First, I'd like to discuss some articles I've been seeing in the news recently regarding mobile security. There have been a number of articles about "new mobile threats" and "mobile malware," but the attacks described are simply applications that have additional malicious functionality beyond the purpose they claim to the user. This is the exact same type of attack as 10 years ago when downloading a dancing smiley cursor would also give you pop-up ads. When you download a program, whether it be to your desktop or to your phone, there's a possibility that it may have malicious functionality. This type of problem is as old as computers.

Most public attacks aimed at iOS focus on attacking the platform itself or on stealing private data, with the former representing a vast majority. For a glimpse into attacks on the iOS platform, review the bugs fixed in iOS 4.0. Many of the bugs are in libraries used by iOS, with a large number being in Safari and WebKit. As for privacy, the main public attacks have come from malicious apps that actively steal personal data or from legitimate apps that accidentally leave sensitive information in places where unintended agents may access it.

What interests me about these attack trends on iOS so far is that almost no (public) attack has been at the application layer - they've all been attacking the underlying OS or attacking the storage of sensitive data. It's like everyone has been attacking Apache or other programs running on a web server, but no one's been trying to hack the website itself. I think we can expect to see more attacks aimed at iOS applications themselves.

Written by Clint Gibler
Posted by ssundar at 8:18 AM in Research

 
