Before we proceed with the different types of vulnerabilities on Android and iOS, this section introduces you to Android and iOS as operating systems and covers various fundamental concepts that need to be understood in order to gain experience in mobile application security.
|
Year |
Android |
iOS |
|---|---|---|
|
2007/2008 |
1.0 |
iPhone OS 1 |
|
iPhone OS 2 | ||
|
2009 |
1.1 |
iPhone OS 3 |
|
1.5 (Cupcake) | ||
|
2.0 (Eclair) | ||
|
2.0.1(Eclair) | ||
|
2010 |
2.1 (Eclair) |
iOS 4 |
|
2.2 (Froyo) | ||
|
2.3-2.3.2(Gingerbread) | ||
|
2011 |
2.3.4-2.3.7 (Gingerbread) |
iOS 5 |
|
3.0 (HoneyComb) | ||
|
3.1 (HoneyComb) | ||
|
3.2 (HoneyComb) | ||
|
4.0-4.0.2 (Ice Cream Sandwich) | ||
|
4.0.3-4.0.4 (Ice Cream Sandwich) | ||
|
2012 |
4.1 (Jelly Bean) |
iOS 6 |
|
4.2 (Jelly Bean) | ||
|
2013 |
4.3 (Jelly bean) |
iOS 7 |
|
4.4 (KitKat) | ||
|
2014 |
5.0 (Lollipop) |
iOS 8 |
|
5.1 (Lollipop) | ||
|
2015 |
iOS 9 (beta) |
The preceding table comprises the operating system releases year after year.
An interesting research conducted by Hewlett Packard (HP), a software giant that tested more than 2000 mobile applications from 600+ companies, has reported the following statistics (for more details, visit http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-1057ENW.pdf):
97% of applications tested access at least one private information source of those applications
86% of applications failed to use simple binary hardening protections against modern-day attacks
75% of applications do not use proper encryption techniques when storing data on a mobile device
71% of the vulnerabilities resided on the web server
18% of applications sent usernames and password over HTTP, while another 18% implemented SSL/HTTPS incorrectly
So, the key vulnerabilities to mobile applications arise due to the lack of security awareness, usability versus security trade-off by developers, excessive application permissions, and lack of privacy concerns. Couple this with a lack of sufficient application documentation, and it leads to vulnerabilities that developers are not aware of.
Note
Usability versus security trade-off
For every developer, it is difficult to provide an application with high security and high usability. Making any application secure and usable takes a lot of effort and analytical thinking.
Mobile application vulnerabilities are broadly categorized into the following categories:
Insecure transmission of data: Either the application does not enforce any kind of encryption for the data in transit on the transport layer, or the implemented encryption is insecure.
Insecure data storage: Apps store the data in a plaintext or obfuscated format or hardcoded keys in the mobile device. An example e-mail exchange server configuration on an Android device using the e-mail client stores the username and password in the plaintext format, which is easy to reverse by any attacker if the device is rooted.
Lack of binary protections: Apps do not enforce any anti-reversing, debugging techniques.
Client-side vulnerabilities: Apps do not sanitize data provided by the client side leading to multiple client-side injection attacks, such as cross-site scripting, JavaScript injection, and so on.
Hard-coded passwords/keys: Apps designed in such way that hardcoded passwords or private keys are stored on the device.
Leakage of private information: Apps unintentionally leaking private information; this could be the use of a particular framework and obscurity assumptions by the developers.
Note
Rooting/jail-breaking
Rooting/jail-breaking refers to the process of removing the limitations imposed by the operating system on devices through the use of exploit tools. It enables users to gain complete control of the device operating system.
In July 2015, a security company called Zimperium announced that it has discovered a high risk vulnerability Stagefright (Android bug) inside the Android operating system. They deemed it as a unicorn in the world of Android risk, and it was practically demonstrated in one of the hacking conferences in the US on August 5, 2015. More information can be found at https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/, and a public exploit is available at https://www.exploit-db.com/exploits/38124/.
This has made Google release security patches for all Android operating systems, which is believed to be 95% of Android devices, an estimated 950 million users. The vulnerability is exploited through a particular library, which can let attackers take control of an Android device by sending specifically crafted multimedia services, such as MMS.
If we take a look at the Superuser and other similar application downloads from Play Store, there are around 10 million to 50 million downloads. It can be assumed that more than 50% of Android smartphones are rooted.
The following graph shows Android vulnerabilities from 2009 till January 2016. There are currently 184 reported vulnerabilities for Android's Google operating system (chart taken from http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224).
More features that are introduced to the operating system in the form of applications act as additional entry points that allow cyber attackers or security researchers to circumvent and bypass the controls that were put in place.
On June 18, 2015, a password stealing vulnerability, also known as XARA (Cross Application Resource Attack), outlined for iOS and OS X cracked the Keychain services on jail broken and non-jail broken devices. The vulnerability is similar to the cross-site request forgery attack in web applications. In spite of Apple's isolation protection and its App Store's security vetting, it was possible to circumvent the security controls mechanism. It clearly provided the need to protect the cross-app mechanism between the operating system and the app developer. Apple rolled out a security update week after the XARA research. More information can be found at http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/.
The following graph shows the iOS vulnerabilities from 2007 until January 2016. There are around 805 reported vulnerabilities for Apple IPhone OS (http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49).
As we can see, year after year, the vulnerabilities kept on increasing. A majority of the vulnerabilities reported are denial-of-service (DoS) attacks. This vulnerability makes the application unresponsive.
Primarily, the vulnerabilities arise due to insecure libraries or overwriting with plenty of buffer in the stacks.