Device security a victim of its own success after Apple threats


It’s been a rough couple of months for mobile security. First, hundreds of celebrity photos were hacked and uploaded onto the internet in what many stars called a gross invasion of privacy. Then there has been the emergence of the Wirelurker and Masque attacks. 

What unites these threats is Apple. For years, it has been Android that held the worst reputation when it came to mobile security. The world’s most popular operating system was the one at most risk.

So do these threats represent a sea change in Apple’s reputation as one of the safer OSs? And what does this mean for its ambitious plans to push into the enterprise space?

Wirelurker was revealed by Palo Alto Labs last week. It is malware that targets iPhones, including those that haven’t been jailbroken, from the Mac OS X. The malware installs third party apps onto a smartphone connected via USB.

Days later, and perhaps more worryingly, details of the Masque threat were uncovered by security researchers FireEye. It replaces an app already on your phone with the same icon, meaning hackers could potentially steal banking information by replacing an existing app with malware that has the same user interface. The app tries to trick users into entering their log-in details again.

Jeremy Linden, Senior Security Product Manager at Lookout, describes Masque as “classic social engineering at play”. However, he adds: "There are a number of mitigating factors. Namely, an attacker would have to obtain an enterprise provisioning profile or steal one, neither of which are trivial. There would also always be a warning to the user, which should look suspicious because it’s not something you would normally see in iOS. As long as you select ‘don’t install’, you will be protected from this vulnerability.”

Regardless of the severity of the threats, Nick McQuire, VP of Enterprise Mobility at CCS Insight, says these show how the landscape of attacks on mobile operating systems is changing. He explains: “There are some broader patterns that these [attacks] are coming from Russia or China, markets that are more outside of the traditional Apple demographic. The bigger picture is that we are starting to see a shift to a growing number of targeted attacks.”

McQuire says the stakes are higher for a company like Apple because it is increasingly focusing its attention on the enterprise sector, with its deal with one-time bitter computing rival IBM during the summer a sign of its intentions.

[Read more: Apple, IBM join forces for enterprise assault]

He says: “In terms of consumers, it will have a mild effect [on them] but it’s absolutely on the radar of the enterprise market. Of course this has always been the case, but the way mobility is more mission critical for enterprises, as they make more of their data mobile, means this is more important.”

He adds: “Apple will always be a target because of its business and the profile of its customers. It’s not surprising it is happening. Security is integral to how Apple represents itself to its customers – being seen as a safe pair of hands is important.”

Coincidentally, Android is trying to burnish its security credentials with the release of its Lollipop OS, which is currently being rolled out to its Nexus devices. McQuire says Google’s attempts to encourage security innovation by others on top of its operating system have been “unsuccessful” to date. But he adds Lollipop’s new features make it easier for developers to build new security products upon, as it offers “more consistent and granular” protection to users.

Another method of protection was announced overnight, although it is limited to Samsung devices. The manufacturing giant has teamed up with BlackBerry to embed the latter’s new BES12 security product.

Bloomberg Head of Enterprise Mobility Chris Behringer said: “Security is a top priority for us, and this combined offering provides a new versatile option to the marketplace. BlackBerry and Samsung’s creation of an integrated enterprise solution for Android makes sense."

What of Microsoft? On the PC front, the operating system receives a huge amount of threats but its mobile OS is comparatively unscathed. McQuire says: “What’s interesting about Microsoft is they don’t have a significant enough installed base so it doesn’t draw the same level of threat risk from people looking to hack into user account details, for example.”

The issue OS companies are facing is not that the volume of threats is going up, it’s that they are getting better. McQuire explains: “What we are seeing now is not necessarily a transition to a high volume of attacks. That’s probably getting smaller, but what is improving is the sophistication and acceleration of these attacks.”

One thing that seems certain is that with booming smartphone adoption rates and increasingly clever threats, these kinds of stories will continue to capture headlines. Particularly if celebrities’ devices are the ones attacked.

Have you taken our 2014/15 survey? Click here to take part.