{"id":49145,"date":"2023-10-05T11:46:57","date_gmt":"2023-10-05T15:46:57","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=49145"},"modified":"2023-10-05T11:46:57","modified_gmt":"2023-10-05T15:46:57","slug":"iphone-illusion-of-security","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/iphone-illusion-of-security\/49145\/","title":{"rendered":"Dangerous illusions of security: is iOS really more secure than Android?"},"content":{"rendered":"<p>Reliable and secure mobile communications are a must for any modern organization, be it a company, a government agency, NGO, whatever. As things stand, the choice is essentially limited to Google\u2019s Android platform or Apple\u2019s iPhones based on iOS. At first glance, the iPhone appears much safer: restrictions on third-party programs; the only tightly controlled marketplace; a fraction of the malware found elsewhere\u2026 But let\u2019s dive deeper to see if this is really the case.<\/p>\n<h2>Is iOS really that secure?<\/h2>\n<p>News about malware infections of Apple devices has become commonplace in recent years, all thanks to the \u201clegal surveillance software\u201d <a href=\"https:\/\/www.kaspersky.com\/blog\/pegasus-spyware\/14604\/\" target=\"_blank\" rel=\"noopener nofollow\">Pegasus<\/a>. But because Pegasus\u2019s victims were mainly activists, politicians and journalists, the threat was treated more as an urban legend \u2014 nasty, yes, but so rare and targeted that the chances of encountering it in reality were tiny (unless you went looking for it). 
But then it came knocking on our door: in June of this year, we talked about an attack on the Kaspersky management using the <a href=\"https:\/\/www.kaspersky.com\/blog\/triangulation-attack-on-ios\/48353\/\" target=\"_blank\" rel=\"noopener nofollow\">Triangulation malware<\/a> (by the way, at the upcoming Security Analyst Summit we plan to present a detailed analysis of this attack; if you\u2019re interested, <a href=\"https:\/\/thesascon.com\/?utm_source=kdaily&amp;utm_medium=&amp;utm_campaign=gl_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=gl_kdaily_organic_ipg92sgdoyqmcne\" target=\"_blank\" rel=\"noopener nofollow\">join us<\/a>).<\/p>\n<p>Our company \u2014 that is, a privately-owned corporation \u2014 which used iPhones as the standard means of mobile communication, came under attack. After carrying out a <a href=\"https:\/\/securelist.com\/triangledb-triangulation-implant\/110050\/\" target=\"_blank\" rel=\"noopener\">thorough investigation<\/a> and releasing the <a href=\"https:\/\/securelist.com\/find-the-triangulation-utility\/109867\/\" target=\"_blank\" rel=\"noopener\">triangle_check<\/a> utility to automatically search for traces of infection, we set up a mailbox for victims of similar attacks to be able to write to. And the emails poured in from other users of Apple smartphones, claiming that they also found signs of infection on their devices. Trust us \u2014 we no longer perceive targeted attacks on iPhones as rare cases.<\/p>\n<h2>The illusion of security<\/h2>\n<p>Paradoxically, the oft-repeated assertion that iOS is hands-down more secure than Android only makes the situation worse. Public denial of the threat causes people to take their eye off the ball. They say to themselves, \u201cSure, someone got infected, but chances are I won\u2019t.\u201d<\/p>\n<p>Even some of our colleagues (hardly strangers to information security) refused to believe they had been \u201cTriangulated\u201d. 
Even after the threat was publicized, some had to be persuaded to check their iPhone for traces of the malware, and were genuinely surprised to learn that they had been targeted.<\/p>\n<p>The thought \u201cWhy hack me?\u201d is comforting but dangerous. There could be many reasons. You don\u2019t have to be an <em>interesting target<\/em> yourself to have your phone hacked. It\u2019s enough to be related to a top executive or government official. Sometimes it\u2019s enough to attend meetings or just be physically near the real target of the attack. Then all of a sudden you find yourself in the firing line because important business information leaked from your device.<\/p>\n<h2>The real problem<\/h2>\n<p>A closer look at the vulnerabilities market (be it darknet forums, or some gray platform like Zerodium) reveals that iOS and Android exploits are now roughly equal in price. And this indicates how the attacker market views these systems\u2019 level of security. Some exploits for Android are even more expensive than for iOS. In any case, both systems are viable targets.<\/p>\n<p>The real difference lies in the availability of tools for countering attacks. If attackers exploit the latest zero-day vulnerability to bypass Apple\u2019s vaunted security mechanisms, there\u2019s nothing you can do about it. Most likely you won\u2019t even figure out that it happened at all. Due to system restrictions, even top professionals will have a hard time getting to the bottom of what exactly the attackers were after. Meanwhile, an Android-based smartphone might be equipped with a full-fledged security solution \u2014 not only an antivirus, but also an MDM (mobile device management) solution that allows remote administration of corporate devices.<\/p>\n<p>Getting even more granular, we see that the reputed advantages of iOS in the event of an attack actually turn out to be disadvantages. 
The closed nature of its ecosystem, off limits to outside security experts, only plays into the hands of attackers. Sure, Apple engineers have built pretty good foolproof protection: the user can\u2019t accidentally go to a malicious site and download a trojanized APK, say. But in the case of iPhone hacks (which, as practice shows, are well within the capabilities of sophisticated attackers), victims can only hope that Apple itself will come to the rescue. Assuming, of course, that it detects the hack in good time.<\/p>\n<h2>The scale of the threat<\/h2>\n<p>The argument that all real-life attacks on iOS thus far have been part of targeted campaigns also fails to reassure. It\u2019s generally accepted that the EternalBlue exploit was developed by a government agency and intended for very narrow application. But then, after being leaked by the Shadow Brokers group, it fell into cybercriminal hands and was used to carry out the global <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-history-lessons\/45234\/\" target=\"_blank\" rel=\"noopener nofollow\">WannaCry<\/a> ransomware attack.<\/p>\n<p>Even Apple\u2019s marketplace can no longer be considered impregnable. Our colleagues recently <a href=\"https:\/\/www.kaspersky.com\/blog\/dangerous-apps-in-app-store\/49111\/\" target=\"_blank\" rel=\"noopener nofollow\">found<\/a> a number of scam apps in the App Store which, under certain conditions, phished personal data from the user. Sure, it\u2019s not yet a massive threat, but it sets a precedent: apps bearing a malicious payload were able to bypass Apple\u2019s stringent controls and get published in its official marketplace.<\/p>\n<h2>What to do?<\/h2>\n<p>Having learned the Triangulation lesson, we, like many other private companies and government agencies, are phasing out the use of iPhones for work purposes. 
As an alternative for now, we\u2019re using Android equipped with our <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">solution<\/a>, which we know is effective. This doesn\u2019t mean we think it\u2019s harder to attack. Just that it\u2019s simpler to protect and certainly easier to detect signs of attack.<\/p>\n<p>This is not a permanent solution \u2014 an add-on to an OS is not ideal. A security solution operates on the principle of acquired immunity: it protects against threats similar to ones already encountered. In a perfect world, everyone would have a mobile phone with innate immunity, which makes unintended actions impossible by design. Alas, there\u2019s no such phone\u2026 <a href=\"https:\/\/os.kaspersky.com\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=gl_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=gl_kdaily_organic_acng0qp92z55dh1\" target=\"_blank\" rel=\"noopener nofollow\">yet<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to choose a secure mobile platform for 
work.<\/p>\n","protected":false},"author":2750,"featured_media":49146,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[105,14,1250,3124],"class_list":{"0":"post-49145","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-android","10":"tag-apple","11":"tag-ios","12":"tag-mobile-communications"},"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ios\/","name":"iOS"}}