The Myth of iPhone Security Invulnerability

Your iPhone is no more secure than my Android.

Nine words that are a slap in the face to many iPhone users, a lot of whom believe that their Apple phone has some kind of built-in magical shield that wards off cyber-attacks.

It doesn’t.

What’s more, there is an easy step Android users can take to have high confidence that their device is as pure as the next iPhone.  Read on to find out what to do.

Proof of iPhone’s vulnerability came late last year when researchers at Palo Alto Networks reported they had found iPhone malware that they called WireLurker. This is nasty stuff that collects call logs, address books and more from a victim iPhone.

How do you get WireLurker? The main way seems to be to connect via USB to an infected computer.  Malware on the computer detects the iPhone and if it finds any of many target apps, it copies the app to the computer, infects it, and then re-installs the now diseased app.

That’s a lot of steps but, note, the evil work is done on the computer, far removed from the protections built into iPhone.

WireLurker, truth be told, is more important for demonstrating how to infect an iPhone than it is for the disease it spread. Most of its victims have been in China.  There’s no known count of them, but best guesses are that the number is not high.

But it gets worse.  A few months ago, security firm Trend Micro reported it had found new iOS malware it dubbed XAgent which, said Trend Micro, can “steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server.”

How is it installed? According to Trend Micro, victims clicked on links – which could come in email or live on websites – and that put XAgent on the victim iPhone.

Worse, on devices running iOS 7 – last year’s operating system – XAgent hides, which means purging is not so easy.  (The cure for it, incidentally, is easy. Upgrade to iOS 8 and it is fairly straightforward to clean an infected iPhone.)

A few years ago, an even worse security bug was revealed, when researchers reported that with the iOS 6.1 update, just about anyone could bypass a user’s passcode, gain entry to the phone, and have at the owner’s email, voicemail, address book and more.

 

There are more examples of iOS malware, and know this: there will be still more. Apple iPhone sales are surging and wherever there is hardware in large numbers, there are hackers who want to steal from those owners – and iPhone owners are especially vulnerable because most of them believe in the iPhone’s invulnerability and shun antivirus apps.

Android antivirus apps, by contrast, are commonplace. Some are better than others, a few are useless, a very few may in fact be toxic – Google to find examples. But the prevalence of antivirus software on Androids gives those phones a significant layer of protection that iPhone largely lacks.

So, in the security faceoff, which platform wins? John Gunn, a vice president at VASCO Data Security in Illinois in the U.S., neatly summed up matters this way: “In fact, there are very few attacks today on either operating system. The recently released Verizon Data Breach Investigations Report found virtually no incidents of malware on either iOS or Android mobile devices.”

Out of the box, in other words, Android and iPhone are about equal in terms of security and, as a general rule, phones of either flavor are vastly more secure than desktops or laptops are.

That is simply fact, because with computers, security is an afterthought. With phones, security was designed in from the outset, with Android and iPhone alike.

By now you want the secret that will keep an Android phone at roughly the same – comparatively high – level of safety as an iPhone. It’s easy. Download new apps only from the official Google Play store and, if you’d like, the Amazon App Store. Nowhere else.

Android users have run into epidemic problems when they download from third-party websites. Apple, by contrast, bans that. Apps can be downloaded in most cases only from the official Apple store. That’s an iPhone plus, but an Android user can match it by self-imposing a restriction to only download from the official sites.

Apple, Amazon and Google all screen apps for security flaws and, no, the checks aren’t foolproof. But they are very good and that means phone owners can reasonably expect a very high level of safety – if only they use common sense about where to download.
