For a long time, there have been several assumptions regarding hacking iPhones. First, it has long been considered near-impossible since iOS has been viewed as the world’s most hardened mainstream mobile OS. Second, due to the difficulty of iPhone hacking, it was assumed to be an outlier phenomenon. Generally, it was thought that it could be carried out only by a very sophisticated actor, a nation-state perhaps, and it would be used only against the highest value targets. These assumptions have been shattered by a flood of exploits and vulnerability disclosures in recent months.
Thousands of Unsuspecting Victims Every Week
One of the most eye-opening pieces of evidence came at the beginning of August 2019 when Natalie Silvanovich of Google’s Project Zero gave a talk at Black Hat conference. She presented several fully remote (zero-click) iPhone vulnerabilities. The team behind the investigation reported a total of 10 vulnerabilities, most of them in the iMessage app. The full report can be found on the team’s blog.
Another set of iOS exploits was exposed again by Google’s Project Zero team. This time, the attacks were carried out through hacked websites that silently attacked iPhones for two years. Users of almost any iOS version from iOS 10 to iOS 12 were vulnerable. All it was needed to get hacked was to visit the website with the exploit. To gain full control over iPhones, the sites utilized five unique exploit chains consisting of 14 security flaws that penetrated iOS protection layers such as browser’s sandbox and kernel protection mechanisms. What was surprising about the discovery was that the hacking happened en masse. The sites had thousands of visitors and victims per week. Detailed write-ups of all the privilege escalation exploit chains can be found on the team’s blog again.
The recent exploits are not the only problems iOS faces. Sometimes, there are blunders on the Apple side too. A great example is a recent jailbreak for iOS 12.4, the first public jailbreak for fully updated iPhones (at the time) that appeared in years. The jailbreak is based on a SockPuppet vulnerability that was discovered by Ned Williamson from Google. Apple originally fixed the vulnerability in iOS 12.3 but reintroduced it in iOS 12.4. The bug was finally fixed in iOS 12.4.1.
The jailbreak blunder is not the only example. Serious vulnerabilities were already discovered in iOS 13. Even though you might excuse bugs in the OS beta versions, you can hardly excuse one so serious that it involved access to iCloud Keychain passwords and usernames. And, as the recent iOS 13 release demonstrates, even the release version isn’t free of bugs. It contains a bug that allows the lock screen to be bypassed and contacts to be accessed. Barely released, iOS 13 is already stigmatized and reportedly marked with recommendations to ignore it and better wait for the release of iOS 13.1.
Apple Reacts, Black Markets Do As Well
The worsening security of iOS had a couple of effects. It was a wakeup call for Apple who decided to raise their bug bounties. The Cupertino company will pay up to $1.5 million for a single attack technique. Surprisingly, Apple also decided to give a special “hacker version” of the iPhone, one that enables better examination, to select security researchers. The flood of iOS exploits had another interesting outcome. The black market prices for iOS exploits dropped below those for Android. Currently, the price of an Android full chain (zero-click) exploit with persistence is as high as $2.5 million. Meanwhile, the price for the same type of exploit on iOS is only $2 million.
All these fairly recent stories show that iOS is not as secure as we used to think. Security-sensitive apps should incorporate own countermeasures rather than simply relying on Apple doing things right. There is In-App Protection for iOS too and — believe it or not — it’s vitally important in making your app secure.