
iOS users open to data breaches

A general lack of security expertise on the part of developers compromises the data of individual users and companies alike.

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 25 Nov 2013

Take precautions

While Apple's latest flagship iPhone has the additional feature of fingerprint security, security firm McAfee previously outlined in a white paper the top 10 tips it deemed important when it comes to iPhone users at large keeping their data safe:
Tip 1: Enable passcode lock on your iPhone
Tip 2: Disable features that could be accessed without entering the passcode
Tip 3: Overcoming privacy issues due to the inherent design of the iPhone
Tip 4: Erase all the data before return, repair, or resale of your iPhone
Tip 5: Regularly update your iPhone's firmware
Tip 6: Think before you jailbreak your iPhone
Tip 7: Enable Safari's privacy and security settings on the iPhone
Tip 8: Using Bluetooth, WiFi, and e-mail securely
Tip 9: Enable restrictions
Tip 10: Enable 'Find My iPhone'

A lack of experience on the part of application developers is putting iPhone users at risk of having personal information exposed or destroyed, according to findings from an ethical hacking exercise carried out on more than 10 file-sharing apps using iOS devices.

Bruno Oliveira, senior security consultant at Trustwave, says he recently carried out research on, among others he cannot mention, Easy File Manager, WiFi HD Free and FTPDrive. What he found, says Oliveira, is that through a vulnerable application, it is possible to reach the device's file system - and in a special case, even upload and delete files from it.

He notes that Trustwave security experts saw a 400% increase in mobile malware last year - a finding contained in the company's 2013 Trustwave Global Security Report.

Development gaffe

While the vulnerabilities can be fixed, Oliveira says application developers should do more to curb security vulnerabilities before apps reach the end-user. "The problem stems from a lack of experience from the application designers. Application designers should have penetration testing performed on their applications as part of the development process. Penetration testing helps identify security weaknesses within the applications so that developers can fix those weaknesses before they become available to the public."

The ethical hacking exercise showed it is possible to execute operating system commands on jailbroken iOS devices, or retrieve important files from the system or application.

"By using the vulnerability to upload files to the system, I could upload malicious files and then run commands directly to the system (while the device is jailbroken). I could also access sensitive files from the device's system to download and even delete them in some cases."

Asked what users can do to avoid falling prey to data breaches on their iPhones or iPads, Oliveira says the onus is ultimately on the app developer. "[The application developer needs] to have code reviews and penetration testing performed on their applications before they hit the market."

End-users and companies could be at risk of having sensitive information accessed, due to a lack of measures by application developers.

He says it is also critical for businesses to consider their employees may be using applications with vulnerabilities, exposing companies' valuable information to cyber criminals. "Businesses should hold regular security awareness training for employees so that they can understand security best practices."

Oliveira adds that businesses should design a security plan that includes controls to continuously monitor their networks and applications and identify unusual activity, as well as controls that can isolate a mobile device from the rest of the network if it is compromised.

According to World Wide Worx MD Arthur Goldstuck, there are about 1.1 million iPhone users in SA. The low penetration is due to Apple's premium pricing, he says.
