Apple has historically marketed its desktop products as being impervious to the rampant malware that plagued Microsoft systems in the early 2000s, but the iPhone’s swelling popularity has made it a prime target.
According to reports, malware affecting “thousands” of iPhones can steal App Store credentials – but the majority of iOS users remain perfectly safe. Here’s what you need to know about malware and Apple’s approach to mobile security.
What is Malware?
Malware is a portmanteau of ‘malicious’ and ‘software’, and it refers to any software that forcibly gains access to, gathers data from or disrupts the otherwise normal operation of a device – often with damaging consequences.
The behavior of malware varies, as does the severity of a malware infection. Some variants – like Cryptolocker and the Aussie-specific Torrentlocker – encrypt files and force the victims to pay a ransom to get their files back. Others capture every key-press, relaying it back to an attacker who then pores over it, looking for usernames, passwords and credit card details.
These varieties of malicious software have been long associated with desktop operating systems. But, for the most part, iOS has somehow escaped the worst of it. Why? Well, some very clever design choices on the part of Apple.
Why is iOS Secure?
Apple designed iOS with an emphasis on security, and made a number of architectural decisions that made it a fundamentally secure system. As a result, Apple has ensured that malware on iOS is the exception, not the rule.
Apple has exercised an incredible amount of control over its platform. This even extends to the sources from which users can download apps. The only officially supported and authorized place to get third-party applications is through Apple’s official App Store.
This has done a lot to prevent users from accidentally downloading malware as they browse through the darkest recesses of the Internet. But that’s not all. Apple has a number of stringent security procedures that prevent malware from getting onto the App Store in the first place, including static analysis of all submitted source code.
That said, this system is not foolproof. In 2013, researchers at Georgia Tech managed to submit a malicious program to the App Store. Dubbed ‘Jekyll’, it could post Tweets, send emails and make calls, all without the permission of the user. Jekyll was removed from the App Store shortly afterwards.
All applications installed on an iPhone are isolated from each other, and from the underlying operating system. So, an installed application would be unable to remove vital system files, and would be unable to perform an unauthorized action on a third-party application, except through authorized API calls.
This technique is called Sandboxing, and is a vital part of the iOS security process. All iOS applications are sandboxed from each other, ensuring that any avenues for malicious activity are limited.
At the core of iOS is a variant of UNIX called BSD. Much like its cousin Linux, BSD is secure by design. That is partly due to something called the UNIX security model, which essentially boils down to carefully controlled permissions.
In UNIX, who gets to read, write, delete or execute a file is carefully specified in something called file permissions. Some files are owned by ‘root’, a user with what are effectively ‘God permissions’. To change these permissions, or to access these files, one has to open them as the ‘root’ user.
Root access can also be used to execute arbitrary code, which can be dangerous to the system. Apple intentionally denies users root access. For the majority of iOS users, there’s no real need for it.
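As an added illustration (not code from the article), here is a small Python model of the owner/group/other permission check described above, including root’s bypass of it, run against constructed sample files: a root-owned system binary and a private file inside one app’s own container. The paths, the uid 501 for the unprivileged app user and the mode bits are all assumptions made for the example.

```python
# Added example: a model of the classic UNIX discretionary access check.
# Nothing here touches the real filesystem; all files are constructed.

ROOT_UID = 0


def unix_access(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: set, want: str) -> bool:
    """Return True if a process running as (uid, gids) may perform
    'want' ('r', 'w' or 'x') on a file with the given permission bits
    and ownership. Exactly one class of bits (owner, group or other)
    applies, just as in the kernel."""
    if uid == ROOT_UID:
        # root bypasses read/write checks entirely; execute still needs
        # at least one execute bit somewhere (the Linux/BSD rule). This
        # is the power that jailbreaking hands to untrusted software.
        return True if want != "x" else bool(mode & 0o111)
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner_uid:
        cls = (mode >> 6) & 7   # owner bits
    elif owner_gid in gids:
        cls = (mode >> 3) & 7   # group bits
    else:
        cls = mode & 7          # other bits
    return bool(cls & bit)


# Constructed sample: uid 0 is root; uid 501 stands in for the ordinary,
# unprivileged user that apps run as (an assumption for this example).
SAMPLE_FILES = {
    "/usr/libexec/system_daemon": dict(mode=0o755, uid=0, gid=0),
    "/private/var/mobile/Containers/Data/app/secret.db":
        dict(mode=0o600, uid=501, gid=501),
}


def can(path: str, uid: int, gids, want: str) -> bool:
    """Look up a constructed sample file and run the access check."""
    f = SAMPLE_FILES[path]
    return unix_access(f["mode"], f["uid"], f["gid"], uid, set(gids), want)


if __name__ == "__main__":
    for path in SAMPLE_FILES:
        for who, uid in (("app user", 501), ("another app", 502), ("root", 0)):
            perms = "".join(w if can(path, uid, [uid], w) else "-" for w in "rwx")
            print(f"{who:12} {perms} {path}")
```

The non-root app user can execute but not modify the system binary, and a second unprivileged user cannot read the first app’s private file; only root gets through both, which is why Apple withholds it.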
As a result of Apple’s security architecture, malware affecting iOS devices is unfathomably rare. Of course there is one exception: jailbroken devices.
What Is Jailbreaking And Why Can It Be Bad?
Jailbreaking is a term used to describe the process of removing the restrictions Apple places on its operating system.
It allows users to access parts of the operating system that were previously off-limits, download apps from third-party sources such as Cydia, use apps that have been banned by Apple (like the Grooveshark app) and tweak or customize the core OS.
There are a number of serious security risks associated with jailbreaking an iOS device, and we’ve recently summed up some of the reasons you might want to avoid the practice.
Crucially, applications that haven’t gone through Apple’s rigorous security testing process can be dangerous and can even compromise the security of applications that have already been installed. The default iOS root password is well known and rarely changed, which is a real concern for anyone installing software from third-party sources. Apple is clear about its policy on jailbreaking: updates cannot be installed without reverting to stock iOS.
At present there is a very real threat from malware targeting jailbroken devices called AppBuyer, and getting infected can cost you dearly.
iPhone Malware In The Wild
The well-known and respected network security firm Palo Alto Networks recently encountered an iOS virus in the wild that has infected thousands of iOS devices. They called it AppBuyer, because of the way it steals App Store credentials and then purchases applications.
It has not been definitively proven how it infects devices, but what is known is that it can only infect devices that have been jailbroken. Once installed, AppBuyer waits for victims to connect to the legitimate App Store, and intercepts their username and password in transit. These are then forwarded to a command and control server.
Shortly afterwards, the malware downloads some more malicious software, disguised as a utility for unlocking .GZIP files. This uses the user’s credentials to purchase multiple applications from the official App Store.
There’s no clear way of removing AppBuyer. The official advice from Palo Alto Networks is to not jailbreak your iOS devices in the first place. Should you get infected, you’d be well advised to reset your Apple credentials, and to reinstall the stock iOS operating system.
The low-level details of how AppBuyer works are described further in an excellent blog post from Palo Alto Networks.
An Unclear Yet Present Threat
In short: yes, your iPhone can get infected with malware. But realistically, this is only possible if you jailbreak it. Want a secure iPhone? Don’t jailbreak it. Want a super-secure iPhone? Read into hardening.
Do you jailbreak your phone? Had any security issues? Tell me about it, the comments box is below.