Why Apple Updated iOS This Week
Apple‘s iPhone is often touted as being more “secure” than Google’s Android equivalents because it has a tightly managed ecosystem. Apple’s careful not to let malicious apps into its App Store, from where they could worm their way into devices. But that’s not to say they’re completely invulnerable, and recently Apple issued a fresh update to iOS to patch a hole. It turns out that the update dealt with a single loophole uncovered by Trustwave Spiderlabs’ Nick Percoco and team, and Apple worked fast to solve it because as holes go, it was gaping.
The vulnerability was related to the way that Apple’s mobile devices deal with a security feature on “secure” websites like Net banking portals or the checkout portion of an online store (oh, the irony). The Secure Socket Layer (SSL) is the tech that encrypts data like your credit card number so that only you and the website you’ve chosen to share the number with can understand it. It’s designed to prevent tampering or eavesdropping on your transactions by criminals, and it relies on clever “certificates” to work. To get a certificate, a website offering this type of security has to officially request one from a trusted certificate authority, and the certificate is crafted to have the identity of the website built into it. When you surf to the secure bit of this website, your browser asks for the certificate as part of the encryption process and ensures the details match the site you think you’re visiting. If there’s a problem in the certificate loop, the browser is automatically designed to alert you that something fishy is going on, essentially tipping you off to potential data leaks.
Percoco’s team decided to test iOS devices with the same kind of hack that a malicious coder could use to break SSL. They bought an officially issued SSL for a genuine website, cut out the parts of the certificate’s code that equate to its signature of authenticity, and bolted that signature onto a fake certificate for a different website. This kind of violation should be caught by browsers, and it is by desktop ones. But to Spiderlabs’ surprise, mobile Safari just accepted the fake certificate as if it were real.
And that’s astonishing. Because it could let anyone with enough smarts trick you into logging in to what you thought was a genuine website, hand over your credit card details–which the thief would then get, right down to your address and the secure codes on the back–and you’d never know what had happened. All you’d have to do would be to log in to a public Wi-Fi network with your iPhone that a hacker is also present on, and you’d be exposed. It’s not a simple feat from a hacker point of view, and it involves decrypting the data they’ve snooped, but it’s perfectly possible.
Trustwave explained to us that they alerted Apple on July 15th, and Apple’s security team was sufficiently motivated to put a fix in place, test it, and roll it out to the public this week on July 25th, as iOS 4.3.4, destined to patch all the hundreds of millions of iPhones, iPads, and iPod Touches out there in the world.
Android’s Not Safe Either
In addition, Percoco’s team also pulled off an elegant hack of Google’s Android OS that’s actually more fundamentally problematic. The trick involves using perfectly legitimate APIs, the code hooks that let app writers gain access to special features of the Android core code, the kind of connector that lets an app turn on your phone’s camera for a video call, for example. By combining specific APIs, Percoco’s team discovered that it’s possible to steal user log-in credentials–passwords, usernames, and so on–from “the most popular apps in the Android application market.” They’ve alerted Google to the problem, but Google can’t pull off the same kind of fix as Apple quickly pushed out, because the hack involves perfectly valid code right at the core of Android that thousands of apps legitimately use. Trustwave will be revealing the details at the DefCon hacker conference next week, and will be “crowdsourcing” a test of the exploit on audience members.
So what’s more vulnerable–an iPhone or an Android phone? The Apple exploit was serious, but was quickly patched. But both have their weak points.
“If I wanted to attack the Android user population, I’d do it via the application marketplace. I’d write a malicious app, post it to the marketplace, make it sound like it’s a popular game” and promote it via Twitter and so on, says Percoco. But when it comes to Apple’s community, Percoco would wait until an iPhone jailbreak came out, and then attack the code to insert maliclous code on it: “The jailbreak is basically getting root access to your device. You could say ‘here’s a jailbreak, everybody’ and it actually does jailbreak the phone and install the Cydia market,” but you also install a backdoor that gives you, as a remote hacker, direct access to the phone and thus all the data stored in it, and potentially any web activity like log-ins, passwords, and credit card numbers.
The upshot? Google and Apple have different problems to face in terms of security on their phones. And users have to be smart to avoid exposing themselves: Don’t install any old app from the Android marketplace without checking to see if it’s legitimate, and keep your iPhone up to date with Apple’s latest iOS upgrades and unjailbroken. Since smartphone sales are soaring, this is going to get more important over time because more and more hackers will realize the potential benefits of attacking a popular device that’s crammed with sensitive personal data.
[Image: Flickr user Ed Yourdon]