When people ask me which smartphone they should buy from the security point of view, I invariably advise them to get an iPhone.
The malware attacks that have been seen against iOS devices have typically been sophisticated state-sponsored campaigns, focusing on high-risk targets. Apple’s tight hold on iOS security may not have won it universal love, but when compared to the significant amount of malware and adware seen being written for Android devices it’s clear that there’s no contest.
Furthermore, there is no doubt that Apple has done a much better job of keeping its iPhone and iPad customers patched with the latest security operating system updates than many of the Android manufacturers – some of whom have left their users in the lurch with badly out-of-date and at-risk software.
But malware and operating system vulnerabilities aren’t the only considerations.
The truth is that the most significant threat is probably not your chances of encountering malware, or whether your OS is properly patched, but rather the third-party apps that you have installed on your device.
After all, you don’t know what your apps are *really* doing do you, or how well they’re keeping your sensitive information safe and secure?
New research has discovered scores of buggy iOS apps that do a lousy job of securing users’ information, and could be making life all too easy for hackers keen to intercept and steal data.
Security researcher Will Strafach says that he was able to identify 76 popular apps in the official App Store that failed to make use of the Transport Layer Security (TLS) protocol, and allowed a malicious attacker to silently perform a man-in-the-middle (MiTM) attack, stealing or manipulating data as it is sent and received from the mobile device.
“The truth of the matter is, this sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use. This can be anywhere in public, or even within your home if an attacker can get within close range.”
“There is no possible fix to be made on Apple’s side, because if they were to override this functionality in attempt to block this security issue, it would actually make some iOS applications less secure as they would not be able to utilize certificate pinning for their connections, and they could not trust otherwise untrusted certificates which may be required for intranet connections within an enterprise using an in-house PKI. Therefore, the onus rests solely on app developers themselves to ensure their apps are not vulnerable.”
Strafach, who works for Sudo Security Group, reports that the apps have received a combined total of more than 18 million downloads.
On Strafach’s list are a number of apps which he classifies as “low risk” despite it being possible to intercept their data. These apps, some of which can leak usernames and passwords, geolocation data and even keystrokes, include:
- ooVoo – Free Video Call, Text and Voice
- VivaVideo – Free Video Editor & Photo Movie Maker
- Snap Upload for Snapchat – Send Photos & Videos
- Uconnect Access
- Volify – Free Online Music Streamer & MP3 player
- Uploader Free for Snapchat – Quick Upload Snap from Camera Roll
- Epic! – Unlimited Books for Kids
- Mico – Chat, Meet New People
- Safe Up for Snapchat – Quick Upload photos and videos from your camera roll
- Tencent Cloud
- Uploader for Snapchat – Quick Upload Pics & Videos to Snapchat
- Huawei HiLink (Mobile WiFi)
- VICE News
- Trading 212 Forex & Stocks
- CashApp – Cash Rewards App
- FreeMyApps – Free Cash, Money & Gift Card
- 1000 Friends for Snapchat – Get More Friends & Followers for Snapchat
- YeeCall Messenger-Free Video Call & Conference Call
- InstaRepost – Repost Videos & Photos for Instagram Free Whiz App
- Loops Live
- Private Browser – Anonymous VPN Proxy Browser
- Cheetah Browser
- AMAN Bank
- FirstBank PR Mobile Banking
- vpn free – OvpnSpider for vpngate
- Gift Saga – Free Gift Card & Cash Rewards
- Vpn One Click Professional
- AutoLotto: Powerball, MegaMillions Lottery Tickets
- Foscam IP Camera Viewer by OWLR for Foscam IP Cams
- Code Scanner by ScanLife: QR and Barcode Reader
However, it appears that these “low risk” apps discovered by Will Strafach are just the tip of the iceberg.
The researcher has declined to post details of the remaining apps that are considered to be at “medium” or “high risk”, as he says he is in the process of reaching out to affected banks, medical providers and other developers to get the vulnerable apps fixed – subject to a two- or three-month responsible disclosure period.
If you’re concerned, one thing to remember is that your chances of having data intercepted are greatly reduced if you use a cellular connection (which requires a hacker to deploy specialist expensive hardware) rather than Wi-Fi.