Search Apple's App Store for iPhone or iPad antivirus software and you'll find only a handful of security programs designed to defend these iOS devices from malicious software (malware). The search is just as likely to turn up game titles such as OperationAntiVirus and AntiViral Lite, in which you pretend to rid fictitious computers of intruders.
There's a reason this software is largely missing: Until now, Apple's mobile gadgets have yet to face a serious security threat. The iPhone and iPad are not immune to viruses, but Apple's stringent app vetting process, the devices' architecture (which partitions, or "sandboxes," code to protect it) and relatively low demand for mobile malware among cyber attackers (compared to PCs anyway) have helped iOS fly under the radar.
No longer. Apple has crept a little closer to the crosshairs thanks to two new research papers. One was presented this week at the annual Black Hat cybersecurity conference in Las Vegas. A second will be unveiled in mid-August at the 2013 USENIX Security Symposium in Washington, D.C. Researchers from the Georgia Tech Information Security Center (GTISC) have written both papers, and they are using the shows to describe two different ways of exploiting flaws in Apple security and infecting an iPhone with viruses.
Such research has become common in recent years as so-called white-hat academic and corporate researchers hack away at computer systems to find security flaws before the bad guys do. Common practice is to alert the maker of the targeted hardware or software before publicly disclosing any problems, providing a reasonable amount of lead time so the vulnerabilities can be fixed before any malicious attackers come calling.
One iOS attack is an end run around Apple's mandatory app review process, which the company established to ensure that only approved apps run on iOS devices. Georgia Tech research scientist Tielei Wang and his colleagues discovered they could install malware onto iOS devices via a Trojan Horse-style attack that disguises malicious code that Apple would otherwise reject during the review. Once inside Troy (or in this case someone's iPhone or iPad), the app, nicknamed "Jekyll," lies dormant until an attacker remotely sends a signal instructing it to misbehave, posting tweets, taking photos, sending e-mail and SMS messages, and attacking other apps, according to the researchers. Any of these modes of communication could be used to divulge sensitive information stored on the device, including passwords and PINs.
For the other attack, Georgia Tech research scientist Billy Lau and his team built a phony plug-in charger they used to install malware onto iOS devices. They called this charger a "Mactans" (named after a type of black widow spider) and designed it to resemble a normal iPhone or iPad charger.
The researchers say they contacted Apple about their work in advance of the Black Hat and USENIX presentations, prompting the company to implement a feature in iOS 7 that defends against a Mactans-like attack by notifying users when they plug their mobile device into any peripheral that attempts to establish a data connection. Apple has yet to publicly release a way to counter Jekyll, the researchers add.
Audacious cybersecurity demos are nothing new: Microsoft, Cisco and other tech giants have suffered through years of their most popular products being publicly dissected during Black Hat presentations. What makes the attacks on smartphones and tablets more disturbing is the general lack of protection these devices have.
"There's not much, security-wise, that antivirus apps provide because of the way the phone is architected," says Charlie Miller, a security engineer at Twitter who is best known for testing mobile-device security when he was a principal analyst with Independent Security Evaluators. "On your PC, the reason your antivirus works is that it has access to everything; it can search for malware at the lowest levels in your computer. On my Android or iPhone, when you download an antivirus app, due to sandboxing there are limits to what it can do. So it turns out it can't scan the entire device."
Sandboxing is how Apple partitions iOS so a problem in one area, such as an attack against the mobile browser, will not spread to the rest of the device. As a result, iOS antivirus could neither scan the memory nor the file systems of other apps on a device, Lau says. Antivirus software on iOS, if available, would be completely useless in detecting the type of malware installed by Mactans and, likely, against something like Jekyll, he adds.
Mobile devices using Google's Android operating system are more compatible with the current, PC-based approach to antivirus, where they have access to more system resources, says Con Mallon, senior director of mobile product management at security software maker Symantec.
Antivirus apps running on Android can scan more of their respective devices than those running on iOS, Lau acknowledges. But, he adds, they still don't fully protect users.