Security Experts:

Threat Report Says 1 in 50 iOS Apps Could Leak Data

A new global threat report for the mobile ecosystem shows that iOS provides a bigger threat than is often perceived. While the insecurities of the Android operating system are well-documented, the report notes that 1 in 50 iOS apps used in enterprise environments could potentially leak sensitive data.

Zimperium, a firm that provides next-gen machine learning endpoint protection for mobile devices, published its Global Threat Report Q2-2017 (PDF) on Friday.

During the second quarter -- April 1 to June 30, 2017 -- Zimperium's telemetry detected three specific threat categories to the mobile ecosystem. It describes them as device threats and risks (such as unpatched vulnerabilities), network threats (threats delivered via the cell network), and app threats (malware, spyware, adware and leaky apps on devices).

The threat from vulnerabilities in the iOS and Android operating systems has grown dramatically over the last few years. In 2014, there were fewer than 200 CVEs registered. By 2016, this had rocketed to around 600. This year (2017) there have already been more CVEs registered than for the whole of 2016.

iOS Apps Could Leak DataIt is not the operating systems becoming less secure -- it is more likely that both attackers and researchers are paying greater attention because of the increasing use of both iOS and Android in the corporate environment. "Cyber criminals are more likely to take the path of least resistance," notes the report, "and enterprise data is most vulnerable via mobile devices since most of time spent is away from secure networks, on public Wi-Fi and on apps that IT and security do not control or administer." It adds that "U.S. consumers now spend over 5 hours per day on mobile devices."

Unpatched vulnerabilities are as much a threat to mobile devices as they are to traditional devices. Unsurprisingly, given the fragmented nature of the Android market, Zimperium found that 94% of Android devices are using an outdated version of the OS. More surprising, however, is that 23% of iOS devices are also outdated. Despite the more timely and simple update process for iOS, Zimperium found that 1 in 5 Apple devices had not been updated 45 days after the update was readily available.

"The most concerning risks associated with iOS devices were malicious configuration profiles and 'leaky apps'," says Zimperium. These could ultimately allow a remote connection to control the device or siphon data without the user's knowledge.

The most serious of the network threats comes from man-in-the-middle (MITM) attacks. Zimperium's telemetry shows that 5% of all devices detected an attacker's reconnaissance scan, and that 80% of these subsequently received a MITM attack. "This is the most severe type of network attack," says the report, "since it is usually invisible to a user. Unless a user has a mobile threat defense app that can detect the attack on his/her device in real-time (e.g., zIPS), their wireless connection can be rerouted to a proxy and their data may be compromised."

While the threat of malicious apps and malware on the Android ecosystem is well-known and chronicled, Zimperium found that the iOS ecosphere should not be considered secure. Zimperium's machine-learning anomaly detection engine scanned 50,000 iOS applications present on enterprise users' iOS devices.

While it found that only 1% of the Apple devices had malware present, it found that nearly 1 in 5 devices had apps able to retrieve private information like passwords and the device's Unique Device Identifier, UDID. It also found that approximately 3% of the apps were using weak encryption or hashing algorithms -- like MD2 -- and are not considered secure to pass private, payment data or in-app purchases.

Zimperium found seven specific iOS app threats: malware; keychain sharing; MD2 encryption; private frameworks; private info URL; UDID reading; and the ability to read private information during a public USB recharge. It found that 2.2% of the analyzed apps have at least one of these issues. "This is a significant concern to enterprises since 1 of 50 apps is potentially leaking data to third parties," says Zimperium.

Zimperium has raised $60 million through several rounds of funding since the company was founded in 2010.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.