It’s nearly impossible to remember now, but there was a time when the iPhone didn’t exist. That time was five years and one day ago, and up to that point the idea of standing in line overnight for a mobile phone was almost as ridiculous as the notion of Apple being thought of as an innovator in security. But the former is now commonplace and the latter is straight fact, if only in discussions about the iPhone.

When the first iPhone hit the market on June 29, 2007, Apple was a company in flux. Lightly regarded in the enterprise, Apple was seen mainly as a maker of shiny, pricey baubles that were gobbled up eagerly by its millions of devoted fans. The iPod was a worldwide phenomenon, having completely turned the music business on its head and Apple was selling tens of millions of the devices every year, swelling the company’s coffers and helping lead it back from the brink of financial disaster.

And yet there was trouble on the horizon in 2007. Steve Jobs, the company’s co-founder and guiding force, was ill. Investors and customers worried that if Jobs was forced to pull back from his duties running the company on a daily basis that Apple would falter again, as it had in the 1980s and 1990s when he was forced out. They needn’t have worried, as it turned out, because Jobs had an ace up his sleeve in the form of an oddly shaped black and silver collection of silicon and glass called the iPhone.

At the time of its introduction, the iPhone intrigued many people in the tech community, and not just because of its groundbreaking design and intuitive user interface. For those in the security industry, the iPhone was a black box, a tiny little computer with a proprietary operating system.

The iPhone was a challenge and there’s nothing that security researchers and reverse engineers love more than that.

Researchers and hardware hackers immediately set about looking for ways to get to the iPhone’s guts. Some were looking for ways to jailbreak the device, others just wanted to see what made it tick, while still others were poking and prodding the iPhone, hoping to find a bug or vulnerability. Apple had done it’s level best to make all of this difficult, not necessarily for security reasons, but mostly because that’s how Apple does. No company is more opaque and tight-lipped about its products and engineering than Apple, and this naturally extended to the iPhone, with the company providing very little in the way of documentation or explanation of how the iPhone OS worked or what happened under the covers.

It didn’t take long, though, for researchers to crack the iPhone. Within a few weeks of its release, Charlie Miller, then of Independent Security Evaluators, discovered the first bug in the iPhone OS and developed an exploit that could be delivered through a drive-by download against the mobile version of Safari. Because Miller had no real visibility into the iPhone’s inner workings, he had to repeatedly crash the mobile browser and then read the resultant crash reports to look for interesting data. There was no jailbreak bug to help him out.

“It was really hard because we couldn’t jailbreak the phone so couldn’t, for example, install a debugger. All we could do is crash the browser, plug in the device, retrieve system generated crash reports, and repeat. It was agonizing!” said Miller, now a principal research consultant at Accuvant and one of the top Apple security researchers in the industry.

That first-generation iPhone mostly relied on security through obscurity to defend itself. Apps could only be installed from the Apple-controlled iTunes App Store, giving the company total control of the software ecosystem, a dream for vendors. But the iPhone then had none of the built-in defenses that we now associate with iOS, and, in fact, was pretty poorly designed when it came to security. The early versions of what came to be called iOS had nothing in the way of exploit mitigations or process restrictions. As Miller discovered, if you got on the phone, you owned it completely.

“Of the things that make current iOS versions secure: mandatory code signing, ASLR, DEP, sandboxing, etc, the original iPhone had none of them. In fact all processes ran as root, including MobileSafari,” Miller said.

Since that inauspicious beginning, a steady stream of researchers have taken swings at iOS, finding more bugs and vulnerabilities and helping to spark the interest of the jailbreak community. Apple, which was not used to that kind of attention from researchers and attackers, eventually took the hint and began adding significant security features to iOS. Exploit mitigations such as ASLR and DEP are now standard in iOS. But if there’s one change that’s made the biggest mark, it’s the addition of code-signing.

“The differentiator is definitely mandatory code signing. This helps make both ways malicious code get onto devices more difficult.  First, it makes malware harder to download, because instead of being able to download any app from anywhere, apps can only be downloaded from the app store.  Apps from the app store must be approved by Apple which has the opportunity to spot malware and prevent it from showing up in the store, although its not clear how they actually do this,” Miller said.  

“The other way mandatory code signing makes it hard for bad guys is that it makes exploitation (drive-by-downloads) harder too.  This is because normally exploits would like to either run some payload in memory, or even better download and execute some payload, like say a trojan.  Mandatory code signing prevents either of these scenarios because the attacker payloads will not be signed and so cannot be executed, even in memory. Therefore, the entire payload must reuse existing signed code (i.e. use return oriented programming) which is a total pain, and if the process dies or the phone reboots, the attacker is completely gone from the device.”

And what’s been the result of all of these security improvements? In the five years since its debut, the iPhone still has yet to be the target of a major piece of malware. Bugs? Sure. Vulnerabilities? Yup. But nothing at all in the way of real attacks or malware. The iPhone has been the most attack-resistant mobile platform developed thus far.

As Miller said: “They’ve come a long way, baby!”

Categories: Apple, Mobile Security

Comments (3)

  1. Anonymous
    1

    Are you kidding me? Just because you’re not a target of some major malware doesn’t make you safe. I could say the same about Blackberries as you did for iPhones. For sensitive information I still trust RIM more than I ever will Apple products. 

    “Nothing at all in the way of real attacks or malware”…do you not remember the drive-by jailbreak via a PDF doc (not just the browser drive-by)? This was a recent problem too that wasn’t resolved with the first iPhone. I don’t know how much closer to a “real attack” you get but jailbreaking (especially without a user being aware) opens up a device to a whole other can of worms. Just because an exploit can’t be downloaded from the app store doesn’t mean it can’t be done other ways. What do you think a jailbreak is? It’s an attack (or hack or exploit) of vulnerabilities…by my calculations that’s a pretty major “real attack” due to it’s popularity amongst iPhone owners- even if it is “self-inflicted.” 

    Looks like Kaspersky has had a little too much of the Apple Kool-Aid with some very vast over generalizations. 

    I frequently look forward to your blog posts but the bias (what I like to refer to as fan boy-ness in this case)  and myopia in this one is laughably ignorant. Something along the lines of “Macs are immune to malware” not too far back. At best, your article regarding iPhone security is misinformed and misleading. 

  2. Anonymous
    2

    I agree 100% witth the previous reviewer. Too much apple kool-aid being swallowed here.

    I’m pretty sure Apple has pulled apps out of the appstore due to security or privacy concerns. (some do to content or even for political reasons, but some due to possible malware, or at least apps not folowing privacy policies (addware) or other app store requirments.)

    The walled garden (IOS appstore) is only as good as who is wathcing the walls. I’m sure something has/will gotten through that causes embarasment.

    It’s just apple is really good at showing everyone the new shiny toy in the left hand, while distracting the media from the right hand sweepng the dirt under the rug. (suicide’s at foxcon, poor working conditions/hours, economic and environmental, concerns etc.)

    Apple makes a great product,  but it is by far not the mot secure handheld device out there.  Although I do agree with the auther and think they have come a very long way in a short amount of time.

  3. Anonymous
    3

    I agree 100% witth the previous reviewer. Too much apple kool-aid being swallowed here.

    I’m pretty sure Apple has pulled apps out of the appstore due to security or privacy concerns. (some do to content or even for political reasons, but some due to possible malware, or at least apps not folowing privacy policies (addware) or other app store requirments.)

    The walled garden (IOS appstore) is only as good as who is wathcing the walls. I’m sure something has/will gotten through that causes embarasment.

    It’s just apple is really good at showing everyone the new shiny toy in the left hand, while distracting the media from the right hand sweepng the dirt under the rug. (suicide’s at foxcon, poor working conditions/hours, economic and environmental, concerns etc.)

    Apple makes a great product,  but it is by far not the mot secure handheld device out there.  Although I do agree with the auther and think they have come a very long way in a short amount of time.

Comments are closed.