With the resignation of longtime CEO Steve Jobs still looming in its rear view mirror, Apple Computer will be on the marketing offensive this week when it releases a major upgrade to its popular iPhone mobile phone line and talks up a pending update to its iOS mobile operating system.
Speculation about the iPhone 5’s new features has been rampant, with Apple fan sites predicting a slew of new features that include a thinner profile, faster processor, more powerful camera and better speech recognition. But amid all the hyperbole about the new features, we’re confident that there will be scant attention paid to one of the iPhone’s most important, but least sexy feature improvements: security.
What will those security improvements be? To try to get an idea of the security impact of this week’s announcement, Threatpost talked with mobile security experts about what they’d like to see in the upcoming release. Their conclusion: Apple’s iOS is no “Windows ’98,” they agreed, so any changes to the device’s current security features are likely to be more evolutionary than revolutionary. But there is still room for improvement. Here is a top five list of security fixes that our experts would like to see from the folks in Cupertino:
- Strong passwords: Let’s face it: most iPhone users don’t lock their device at all, making it and the data it contains fair game to pretty much anyone, regardless of their technical skill. For a smaller set of security-conscious users, Apple has provided a four-digit screen lock password. For most security-conscious users, that’s security enough. Andrew Hoog, the Chief Investigation Officer at mobile forensics firm ViaForensics, says that, for enterprise users, four-digit passwords don’t hold up long to professional pen testing or cracking tools – about 15 minutes, to be exact. Hoog says that Apple, which has an option for using complex passwords, should make them the default. “Going from four digits to four or five characters – alphanumeric – would increase the time to brute force it from minutes to a week or two,” Hoog said. “If they go to six alphanumeric characters, it’s done,” he said.
- Fewer vulnerabilities: According to data from Kaspersky Lab’s research team, there are far fewer malicious mobile applications that run on Apple’s iOS platform than on those of its competitors, including Google’s Android and Nokia’s Symbian platforms. iOS accounted for just half of one percent of mobile malware samples collected by Kaspersky researchers in August 2011 – the most recent month for which figures are available. By comparison, Android accounted for 24% of malware and Symbian for 13%. Still, iOS isn’t immune to remote attacks against unknown (zero day) vulnerabilities, or known but unpatched holes. The success of researchers like Comex in developing stealthy exploits that can be used to circumvent software-based protections on iOS devices has been well proven. Timothy Armstrong, a researcher at Kaspersky Lab, says that Apple needs to do a better job hunting down and removing the kind of remotely exploitable software holes that power Web sites like jailbreakme.com. The company’s recent decision to offer an internship to Comex (aka Nicholas Allegra, a Brown University undergraduate who developed the Jailbreakme exploit) is a good sign. “It means they’re taking the problem (of software vulnerabilities) seriously,” Armstrong said.
Armstrong hopes that, by hiring expert vulnerability hunters and exploit writers like Comex, Apple will release finished operating system updates that are harder to exploit, complicating the job of hackers at sites like Limerain.com that have sprung up explicitly to share information on how to jailbreak and otherwise disarm the mobile operating system.
- Mobile device management: Harder passwords and a hardened OS are only part of the solution, however. Apple also needs to give employers better tools to manage their iPhone-dependent employees. The Threatpost Mobile Security Survey found that, while only 46% of respondents claimed their employer supported non-company issued smart phones, 91% of respondents claimed to check work e-mail using their smart phone. Hoog said that he expected Apple to introduce a range of new management tools and APIs (Application Program Interfaces) that will make it possible for third-party mobile device management software vendors to manage and enforce security policies (such as strong passwords) on iPhones.
- Data Encryption that works: Hoog said Apple has done a good job improving the use of data encryption to protect sensitive information on its iPhones, in particular the iOS Keychain – which securely stores passwords and account data on iOS devices. Earlier iterations of iOS made it easy for moderately skilled attackers to bypass that security and get access to protected files stored in the Keychain database. With iOS 4, the company improved the quality of the encryption used on iPhones and other devices running iOS. But that, too, eventually fell to researchers at Germany’s Fraunhofer Institute for Security Information Technology (SIT) who, in February, published a paper that showed that, with physical possession of an iPhone, they could crack the device’s password, then extract enough data from the phone to generate the keys necessary to decrypt content on the device. Practical attacks to break the device’s encryption and siphon off sensitive data aren’t a concern today – but they shouldn’t be ruled out either. “There are a number of ways to exploit the keychain, even while the device is running,” writes John Zdziarski, a senior forensic scientist at ViaForensics. Most of the proven exploits — including the Fraunhofer Institute research and a tool by Russian firm Elcomsoft — require the attacker to have physical access to the device. But Zdziarski said that it’s not a requirement. “One really only requires remote code execution – that could be by way of public exploits available on penetration testing tools like Metasploit, or offered up by Web sites like jailbreakme.com to iPhone users looking to bypass limitations built into the iPhone firmware. “The point is that – frequently – remote code exploits are found for the device, and when they are found, I can think of at least one approach to decrypting the keychain that would work from a running and exploited device,” Zdziarski wrote.
- Hardened convenience: Like most software companies, Apple is constantly trying to balance the desire for user convenience with the need for security. And, as often happens, security loses out. The iPhone 5 is no different. Among the features that Apple is rumored to be adding is a quick access feature to the device’s built-in camera. That’s all well and good (anyone who has fumbled to capture a great moment while unlocking their screen and then clicking through to the camera app will surely agree). But Hoog said that any passcode bypass feature is a red flag to both security researchers and potential attackers. “Things that end up being great features for users often provide an additional attack vector,” he said. In this case, pen testers and black hats are bound to look for ways to jump the fence limiting access to the camera application and see if they can’t access other parts of the OS, too – thereby rendering the device password useless. Apple should make sure its camera bypass and other convenience features are ironclad before releasing them to the world.
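
For anyone sizing a passcode policy of the kind the "Strong passwords" and "Mobile device management" items call for, the sketch below is an added example, not part of the original article or any vendor tool. It derives a guess rate from the article's figure of about 15 minutes for the full four-digit space and projects it onto longer passcodes; the constant rate and the alphabet sizes (10 digits, 62 alphanumeric symbols) are assumptions of the example.

```python
# Calibration taken from the article: the full 4-digit space (10**4 codes)
# falls in about 15 minutes. Treating that as a constant guess rate is an
# assumption of this example.
PIN_SPACE = 10 ** 4
PIN_EXHAUST_SECONDS = 15 * 60
GUESSES_PER_SECOND = PIN_SPACE / PIN_EXHAUST_SECONDS  # about 11.1

# Alphabet sizes are assumptions: digits only, and upper + lower + digits.
DIGITS = 10
ALPHANUMERIC = 62

def exhaust_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every passcode of exactly `length` symbols."""
    return alphabet_size ** length / rate

def min_length(alphabet_size, target_seconds, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace takes at least target_seconds."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    length = 1
    while exhaust_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"

def policy_table(policies):
    """Return (label, keyspace, worst-case time) rows for each policy."""
    return [(label, a ** n, human(exhaust_seconds(a, n)))
            for label, a, n in policies]

if __name__ == "__main__":
    rows = policy_table([
        ("4 digits", DIGITS, 4),
        ("4 alphanumeric", ALPHANUMERIC, 4),
        ("5 alphanumeric", ALPHANUMERIC, 5),
        ("6 alphanumeric", ALPHANUMERIC, 6),
    ])
    for label, space, duration in rows:
        print(f"{label:16} {space:>14,} codes  {duration}")
    print("digits needed to outlast one year:", min_length(DIGITS, 365 * 86400))
```

The durations are worst-case exhaustion times; on average a guessed passcode is found in half that time.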