Connect with us

Hi, what are you looking for?


Mobile & Wireless

Threat Report Says 1 in 50 iOS Apps Could Leak Data

A new global threat report for the mobile ecosystem shows that iOS provides a bigger threat than is often perceived. While the insecurities of the Android operating system are well-documented, the report notes that 1 in 50 iOS apps used in enterprise environments could potentially leak sensitive data.

A new global threat report for the mobile ecosystem shows that iOS provides a bigger threat than is often perceived. While the insecurities of the Android operating system are well-documented, the report notes that 1 in 50 iOS apps used in enterprise environments could potentially leak sensitive data.

Zimperium, a firm that provides next-gen machine learning endpoint protection for mobile devices, published its Global Threat Report Q2-2017 (PDF) on Friday.

During the second quarter — April 1 to June 30, 2017 — Zimperium’s telemetry detected three specific threat categories to the mobile ecosystem. It describes them as device threats and risks (such as unpatched vulnerabilities), network threats (threats delivered via the cell network), and app threats (malware, spyware, adware and leaky apps on devices).

The threat from vulnerabilities in the iOS and Android operating systems has grown dramatically over the last few years. In 2014, there were fewer than 200 CVEs registered. By 2016, this had rocketed to around 600. This year (2017) there have already been more CVEs registered than for the whole of 2016.

iOS Apps Could Leak DataIt is not the operating systems becoming less secure — it is more likely that both attackers and researchers are paying greater attention because of the increasing use of both iOS and Android in the corporate environment. “Cyber criminals are more likely to take the path of least resistance,” notes the report, “and enterprise data is most vulnerable via mobile devices since most of time spent is away from secure networks, on public Wi-Fi and on apps that IT and security do not control or administer.” It adds that “U.S. consumers now spend over 5 hours per day on mobile devices.”

Unpatched vulnerabilities are as much a threat to mobile devices as they are to traditional devices. Unsurprisingly, given the fragmented nature of the Android market, Zimperium found that 94% of Android devices are using an outdated version of the OS. More surprising, however, is that 23% of iOS devices are also outdated. Despite the more timely and simple update process for iOS, Zimperium found that 1 in 5 Apple devices had not been updated 45 days after the update was readily available.

“The most concerning risks associated with iOS devices were malicious configuration profiles and ‘leaky apps’,” says Zimperium. These could ultimately allow a remote connection to control the device or siphon data without the user’s knowledge.

The most serious of the network threats comes from man-in-the-middle (MITM) attacks. Zimperium’s telemetry shows that 5% of all devices detected an attacker’s reconnaissance scan, and that 80% of these subsequently received a MITM attack. “This is the most severe type of network attack,” says the report, “since it is usually invisible to a user. Unless a user has a mobile threat defense app that can detect the attack on his/her device in real-time (e.g., zIPS), their wireless connection can be rerouted to a proxy and their data may be compromised.”

Advertisement. Scroll to continue reading.

While the threat of malicious apps and malware on the Android ecosystem is well-known and chronicled, Zimperium found that the iOS ecosphere should not be considered secure. Zimperium’s machine-learning anomaly detection engine scanned 50,000 iOS applications present on enterprise users’ iOS devices.

While it found that only 1% of the Apple devices had malware present, it found that nearly 1 in 5 devices had apps able to retrieve private information like passwords and the device’s Unique Device Identifier, UDID. It also found that approximately 3% of the apps were using weak encryption or hashing algorithms — like MD2 — and are not considered secure to pass private, payment data or in-app purchases.

Zimperium found seven specific iOS app threats: malware; keychain sharing; MD2 encryption; private frameworks; private info URL; UDID reading; and the ability to read private information during a public USB recharge. It found that 2.2% of the analyzed apps have at least one of these issues. “This is a significant concern to enterprises since 1 of 50 apps is potentially leaking data to third parties,” says Zimperium.

Zimperium has raised $60 million through several rounds of funding since the company was founded in 2010.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.