
Enterprises need to get smart about iOS security


The XcodeGhost malware attack, which reportedly affected 128 million iOS users, is an excellent illustration of the kind of sophisticated attack all users should prepare to defend against: as platforms themselves become harder to break directly, attackers move to the tools and processes around them.

Designer label malware

XcodeGhost was not an exploit of an iOS vulnerability but a software supply-chain attack: a trojanized copy of Xcode, Apple's development environment, was offered on file-sharing sites aimed at Chinese developers. Developers in the region downloaded it because it was easier to obtain than the genuine version, since downloads from Apple's servers were slow and unreliable on local networks.

Software built using these copies of Xcode had malicious code compiled into it at build time, by a tampered framework bundled with the fake Xcode. Because the apps were then signed and submitted by legitimate developers, the malware sat so far behind Apple's perimeter of trust that many subverted apps made it past App Store review. The infection wormed its way into more than 4,000 apps, and onto the devices of millions of users.

Previously confidential internal Apple emails revealed in a recent court case suggested that roughly 128 million customers wound up being affected.

More recently, we saw a similar attempt to target developers, XcodeSpy, which hid a malicious build script inside a legitimate-looking Xcode project rather than in Xcode itself. And last year, we saw an attempt to infect the Apple ecosystem using GitHub repositories as vessels for malicious code.

There have also been attempts to exploit iOS vulnerabilities to stage man-in-the-middle attacks in which hackers hijack communications between managed iOS devices and MDM solutions.

Cracking into capital

Why do hackers go to such trouble developing these complex attacks? For the money: they know that Apple's devices are seeing growing use across the world's most profitable enterprises.

Trend Micro warns: “Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse.”

When most of the Fortune 500 firms use Macs, iPads, and iPhones, it's no surprise hackers are paying attention to the platforms. (They are just as likely to seek out vulnerabilities in IoT devices, Wi-Fi, and broadband equipment, and will always seek out those forgotten Windows servers in dusty backrooms.)

During the pandemic, we've also seen increasing attempts to exploit vulnerabilities, with phishing and ransomware on the rise. Developing attacks at this level of sophistication is expensive, which is why most successful ones appear to emanate from nation states and highly organized criminal groups.

These groups already use the same development and security tools your company is likely to use, whether to find and exploit vulnerabilities in them or, as with XcodeGhost and its derivatives, to build malicious behaviour into what those tools produce.

Safe as houses

The truism in security preparedness today is that you don't ask whether your security will be subverted; you accept that it probably will be. Instead, you think about what to do when your security is undermined.


That means putting plans in place to protect systems during and after an attack, ensuring staff are security aware, and making certain you develop a workplace culture supportive enough that employees aren’t fearful of coming forward if an action they take puts the system at risk.

Does the sheer number of people affected by XcodeGhost reveal an Apple security problem? Not really, because it’s a given that attempts against its platforms will be constant — and within that context some will make it through. And, of course, Apple responded swiftly once the problem was identified.

That’s the right approach. We know attacks will happen and must have mitigation in place when they do. One of Apple’s best ways to inhibit such attacks is to manage distribution via the App Store. It isn’t perfect, but it works most of the time.

Preparation is better than cure

We know standard perimeter security models no longer work. We know security incidents will happen, so good practice is to make those events hard to bring about and to act decisively when they do occur.

Perhaps Apple was irresponsible for not revealing the number of people affected by the attack? I don’t think so because Apple cleared this mess up.

It is important to note that in this case the malware wasn't used for much beyond collecting device and app information (device fingerprinting), though even that could have chilling repercussions in China.

Up next?

So, what’s the lesson here? Attacks are becoming more sophisticated, more targeted, and more dangerous as a result. They are also becoming more expensive, which means most people are unlikely to be attacked – but if you are an enterprise, an NGO, or a dissident voice, you should be concerned.

How to harden iOS device security

Here are a few steps you should always take to harden device security:

  • If you receive a new device, update your OS.
  • Always install security updates.
  • Never jailbreak your device.
  • Enable automatic app update downloads.
  • Enable remote wipe and encrypt device backups.
  • Set a complex passcode and ensure your device will erase data if too many passcode attempts are made.
  • Turn off Location Services and disable Lock Screen access to Control Center.
  • Don’t download apps unless you really need them.
  • Regularly audit and delete unused apps.
  • Set your App permissions to the minimum.
  • If you use Safari or any browser, enable the fraudulent website warning, disable form AutoFill, and turn on Prevent Cross-Site Tracking (which blocks third-party cookies). Safari no longer offers a Do Not Track switch, and sites were free to ignore it anyway.
  • To mitigate network security issues, turn off AirDrop, Bluetooth, and Personal Hotspot when not in use, and forget Wi-Fi networks (or disable Auto-Join) unless you utterly trust them.
  • Stay up to date with the latest security news as it relates to your industry.
  • Read Apple’s Platform Security guide.
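For a managed fleet, most of the checklist above is enforced centrally with a configuration profile rather than left to each user. The following is an added example, not code from the article or from Apple: it builds a `.mobileconfig` that enforces the passcode, backup, Lock Screen, Safari and AirDrop items with Apple's documented Passcode and Restrictions payload keys, and audits any profile against the same checklist so a vendor-supplied or inherited profile can be checked. The identifiers, organisation name and numeric thresholds are this example's own assumptions.

```python
"""Added example, not from the article: build an iOS configuration profile
(.mobileconfig) that enforces the hardening checklist above, and audit any
profile against that checklist.  Payload keys are Apple's documented
Restrictions and Passcode payload keys; the identifiers, organisation name
and numeric thresholds are this example's own assumptions."""
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

PASSCODE_POLICY = {
    "PayloadType": PASSCODE_TYPE,
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.passcode",  # assumed identifier
    "PayloadUUID": str(uuid.uuid4()),
    "PayloadDisplayName": "Passcode policy",
    "forcePIN": True,              # a passcode is mandatory
    "allowSimple": False,          # no repeating or ascending codes
    "requireAlphanumeric": True,   # "complex passcode": letters and digits
    "minLength": 8,
    "maxFailedAttempts": 10,       # device erases itself after 10 failures
    "maxGracePeriod": 0,           # passcode required immediately on lock
    "maxInactivity": 2,            # auto-lock after 2 minutes idle
}

RESTRICTIONS = {
    "PayloadType": RESTRICTIONS_TYPE,
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.restrictions",  # assumed identifier
    "PayloadUUID": str(uuid.uuid4()),
    "PayloadDisplayName": "Device restrictions",
    "forceEncryptedBackup": True,               # encrypt device backups
    "allowLockScreenControlCenter": False,      # no Control Center on Lock Screen
    "allowAirDrop": False,                      # honoured on supervised devices only
    "allowPersonalHotspotModification": False,  # supervised, iOS 12.2 and later
    "safariForceFraudWarning": True,            # fraudulent website warning on
    "safariAllowAutoFill": False,               # no form AutoFill
    "safariAcceptCookies": 1,                   # 1 = current website only (no third-party)
}

# Checklist rules: (payload type, key, predicate on the value, finding text).
# An absent key is looked up as None and fails every predicate on purpose:
# absent means Apple's permissive default applies, which is a finding.
RULES = [
    (PASSCODE_TYPE, "forcePIN", lambda v: v is True, "passcode not required"),
    (PASSCODE_TYPE, "allowSimple", lambda v: v is False, "simple passcodes allowed"),
    (PASSCODE_TYPE, "minLength", lambda v: type(v) is int and v >= 6, "passcode shorter than 6"),
    (PASSCODE_TYPE, "maxFailedAttempts", lambda v: type(v) is int and 1 <= v <= 10, "no erase after failed attempts"),
    (RESTRICTIONS_TYPE, "forceEncryptedBackup", lambda v: v is True, "backups not forced to be encrypted"),
    (RESTRICTIONS_TYPE, "allowLockScreenControlCenter", lambda v: v is False, "Control Center reachable from Lock Screen"),
    (RESTRICTIONS_TYPE, "safariForceFraudWarning", lambda v: v is True, "Safari fraud warning not forced"),
    (RESTRICTIONS_TYPE, "safariAllowAutoFill", lambda v: v is False, "Safari AutoFill allowed"),
    (RESTRICTIONS_TYPE, "safariAcceptCookies", lambda v: type(v) is int and v in (0, 1), "third-party cookies accepted"),
]


def build_profile(passcode_overrides=None, restriction_overrides=None) -> bytes:
    """Serialise the baseline as an XML plist.  Overrides let a caller model a
    weaker profile (for example one supplied by a vendor) for auditing."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.ios-hardening",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "iOS hardening baseline",
        "PayloadOrganization": "Example Corp",  # assumed organisation
        "PayloadRemovalDisallowed": True,       # only the MDM may remove it
        "PayloadContent": [
            {**PASSCODE_POLICY, **(passcode_overrides or {})},
            {**RESTRICTIONS, **(restriction_overrides or {})},
        ],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes: bytes) -> list:
    """Parse a .mobileconfig and return one finding per checklist rule it fails."""
    profile = plistlib.loads(profile_bytes)
    by_type = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = []
    for ptype, key, ok, text in RULES:
        value = by_type.get(ptype, {}).get(key)
        if not ok(value):
            findings.append(f"{ptype}/{key}={value!r}: {text}")
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("PayloadRemovalDisallowed: profile can be removed by the user")
    return findings


if __name__ == "__main__":
    baseline = build_profile()
    with open("ios-hardening.mobileconfig", "wb") as fh:
        fh.write(baseline)
    print("baseline findings:", audit_profile(baseline))
    weak = build_profile({"allowSimple": True, "maxFailedAttempts": 0},
                         {"forceEncryptedBackup": False})
    for finding in audit_profile(weak):
        print("weak profile:", finding)
```

Two caveats matter in practice. The AirDrop and Personal Hotspot keys are ignored on devices that are not supervised, so an unsupervised BYOD fleet still depends on the user following the list by hand; and keeping devices on the latest iOS is not a profile setting at all but an MDM command, so the "always install security updates" item has to be enforced by the MDM server rather than by this file. Deploy the generated profile signed and through the MDM, never as a bare file users install themselves.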

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Copyright © 2021 IDG Communications, Inc.
