A lack of experience on the part of application developers is putting iPhone users at risk of having personal information exposed or destroyed, according to findings from an ethical hacking exercise carried out on more than 10 file-sharing apps for iOS devices.
Bruno Oliveira, senior security consultant at Trustwave, says he recently carried out research on, among others he cannot mention, Easy File Manager, WiFi HD Free and FTPDrive. What he found, says Oliveira, is that through a vulnerable application, it is possible to reach the device's file system - and in a special case, even upload and delete files from it.
He notes that Trustwave security experts saw a 400% increase in mobile malware last year - a finding contained in the company's 2013 Trustwave Global Security Report.
Development gaffe
While the vulnerabilities can be fixed, Oliveira says application developers should do more to curb security vulnerabilities before apps reach the end-user. "The problem stems from a lack of experience from the application designers. Application designers should have penetration testing performed on their applications as part of the development process. Penetration testing helps identify security weaknesses within the applications so that developers can fix those weaknesses before they become available to the public."
The ethical hacking exercise showed it is possible to execute operating system commands on jailbroken iOS devices, or retrieve important files from the system or application.
"By using the vulnerability to upload files to the system, I could upload malicious files and then run commands directly to the system (while the device is jailbroken). I could also access sensitive files from the device's system to download and even delete them in some cases."
Asked what users can do to avoid falling prey to data breaches on their iPhones or iPads, Oliveira says the onus is ultimately on the app developer. "[The application developer needs] to have code reviews and penetration testing performed on their applications before they hit the market."
He says it is also critical for businesses to consider that their employees may be using applications with vulnerabilities, exposing companies' valuable information to cyber criminals. "Businesses should hold regular security awareness training for employees so that they can understand security best practices."
Oliveira adds that businesses should design a security plan that includes controls to continuously monitor and identify unusual activity on their networks and applications, as well as controls that can isolate a compromised mobile device from the rest of the network.
According to World Wide Worx MD Arthur Goldstuck, there are about 1.1 million iPhone users in SA. The low penetration is due to the company's premium pricing, he says.