In this interview, Zuk Avraham, CEO of Zimperium, talks about iOS security myths and threats, discusses the difficulties in exploring iOS security vs. “breaking” Android and offers advice to those managing a variety of iOS devices in a large organization.
What are today’s most striking iOS security myths? Why do they still persist?
The biggest iOS security myth I’ve seen is that, because of Apple’s “walled garden” approach and curation of its App Store, iOS devices are safe from all cyber attacks. On the contrary, both iOS and Android are vulnerable to multiple attack vectors, of which apps are only one subcategory. These attacks fall into three categories: rogue access point/base station attacks, network attacks (i.e., network recon scans, man-in-the-middle and SSL stripping techniques) and host attacks (i.e., browser attacks, malicious apps and PDFs, operating system/kernel attacks).
Malicious apps are only one type of mobile threat, but receive more attention than they should. Serious, targeted attacks that enterprises face today don’t involve apps – they’re done using a different attack method. Network attacks are the most dangerous, as they require absolutely no interaction with the victim, who will get compromised without noticing anything abnormal.
Additional myths are that mobile antivirus, MDM or containerization adequately protect mobile devices. We’ve found time and time again that both iOS and Android devices running these solutions can be compromised.
What should iOS users be most worried about?
The threats that should worry iOS users most are network attacks that occur without them even knowing. Our phones go with us wherever we go, and many people want to always be connected, so they don’t question the security of an airport’s Wi-Fi or other so-called “secured” networks. Even if users connect to a reputable source, a hacker on the same network can intercept their internet communication by performing a man-in-the-middle attack chained with a browser vulnerability.
These attacks can provide hackers with complete access to personal information including emails, passwords, messages and more.
What are the difficulties in exploring iOS security vs. “breaking” Android?
Apple’s operating system restrictions make it challenging for security solutions to see threats. Both Google and Apple have sandboxes that restrict the extent of your inter-app communication and device-level controls, which limits your protection capabilities.
When building a solution for a mobile device, you don’t have the same visibility you’d have on a PC, limiting security solutions’ effectiveness to detect malicious attacks. Security apps can’t use deep packet inspection, as it requires central operating system capabilities that apps just don’t have, and using a signature-based approach means you don’t have visibility to anything that’s happening in other sandboxes. Mobile devices also present concerns with limited battery life, CPU and memory.
Additionally, some approaches like VPN, tunneling and cloud inspection just don’t work. These days, device protection just can’t be tied to cloud or Wi-Fi connectivity — people need to be protected at all times, not just when they’re online.
What advice would you give to a CISO managing a variety of iOS devices in a large organization?
My number one piece of advice would be to utilize an on-device security solution that protects against all of the malicious attack vectors I outlined above – including both known and unknown threats (meaning one that doesn’t rely on signatures). This will provide the additional protection organizations need that traditional MDM, network security and antivirus solutions do not address.
Increasingly, with the shift to BYOD, hackers are targeting employees’ devices outside of the corporate perimeter, seeing them as entry points to the organization. Once they’ve compromised the device and that employee returns to the office, the attacker is then able to access the entire corporate network through the compromised device. Serious endpoint security is key to not just protecting employees’ devices, but the entire organization.