Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Threat Report Says 1 in 50 iOS Apps Could Leak Data

A new global threat report for the mobile ecosystem shows that iOS provides a bigger threat than is often perceived. While the insecurities of the Android operating system are well-documented, the report notes that 1 in 50 iOS apps used in enterprise environments could potentially leak sensitive data.

A new global threat report for the mobile ecosystem shows that iOS provides a bigger threat than is often perceived. While the insecurities of the Android operating system are well-documented, the report notes that 1 in 50 iOS apps used in enterprise environments could potentially leak sensitive data.

Zimperium, a firm that provides next-gen machine learning endpoint protection for mobile devices, published its Global Threat Report Q2-2017 (PDF) on Friday.

During the second quarter — April 1 to June 30, 2017 — Zimperium’s telemetry detected three specific threat categories to the mobile ecosystem. It describes them as device threats and risks (such as unpatched vulnerabilities), network threats (threats delivered via the cell network), and app threats (malware, spyware, adware and leaky apps on devices).

The threat from vulnerabilities in the iOS and Android operating systems has grown dramatically over the last few years. In 2014, there were fewer than 200 CVEs registered. By 2016, this had rocketed to around 600. This year (2017) there have already been more CVEs registered than for the whole of 2016.

iOS Apps Could Leak DataIt is not the operating systems becoming less secure — it is more likely that both attackers and researchers are paying greater attention because of the increasing use of both iOS and Android in the corporate environment. “Cyber criminals are more likely to take the path of least resistance,” notes the report, “and enterprise data is most vulnerable via mobile devices since most of time spent is away from secure networks, on public Wi-Fi and on apps that IT and security do not control or administer.” It adds that “U.S. consumers now spend over 5 hours per day on mobile devices.”

Unpatched vulnerabilities are as much a threat to mobile devices as they are to traditional devices. Unsurprisingly, given the fragmented nature of the Android market, Zimperium found that 94% of Android devices are using an outdated version of the OS. More surprising, however, is that 23% of iOS devices are also outdated. Despite the more timely and simple update process for iOS, Zimperium found that 1 in 5 Apple devices had not been updated 45 days after the update was readily available.

“The most concerning risks associated with iOS devices were malicious configuration profiles and ‘leaky apps’,” says Zimperium. These could ultimately allow a remote connection to control the device or siphon data without the user’s knowledge.

The most serious of the network threats comes from man-in-the-middle (MITM) attacks. Zimperium’s telemetry shows that 5% of all devices detected an attacker’s reconnaissance scan, and that 80% of these subsequently received a MITM attack. “This is the most severe type of network attack,” says the report, “since it is usually invisible to a user. Unless a user has a mobile threat defense app that can detect the attack on his/her device in real-time (e.g., zIPS), their wireless connection can be rerouted to a proxy and their data may be compromised.”

While the threat of malicious apps and malware on the Android ecosystem is well-known and chronicled, Zimperium found that the iOS ecosphere should not be considered secure. Zimperium’s machine-learning anomaly detection engine scanned 50,000 iOS applications present on enterprise users’ iOS devices.

While it found that only 1% of the Apple devices had malware present, it found that nearly 1 in 5 devices had apps able to retrieve private information like passwords and the device’s Unique Device Identifier, UDID. It also found that approximately 3% of the apps were using weak encryption or hashing algorithms — like MD2 — and are not considered secure to pass private, payment data or in-app purchases.

Zimperium found seven specific iOS app threats: malware; keychain sharing; MD2 encryption; private frameworks; private info URL; UDID reading; and the ability to read private information during a public USB recharge. It found that 2.2% of the analyzed apps have at least one of these issues. “This is a significant concern to enterprises since 1 of 50 apps is potentially leaking data to third parties,” says Zimperium.

Zimperium has raised $60 million through several rounds of funding since the company was founded in 2010.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.