Users plagued by iOS app security issues, according to new research
News roundup: Researchers uncovered a large number of iOS app security risks. Plus, Viacom exposed its critical data through a misconfigured AWS S3 bucket, and more.
A new report shows that, despite Apple iOS' reputation as a secure mobile operating system, users are at risk more often than it seems.
San Francisco-based mobile security software company Zimperium published its Global Threat Report from the second quarter of 2017 and highlighted iOS app security issues plaguing Apple users, finding that one in 50 iOS applications could potentially leak data to third parties.
"Enterprises have no way to detect this type of risk unless they are scanning apps for security or privacy issues," the report stated, noting that 1,101 out of 50,000 iOS apps the researchers scanned had at least one security or privacy issue.
"Through deep analysis, Zimperium researchers found the 1,101 apps downloaded over 50 million times. Companies and individuals should be concerned if these iOS apps are on their devices and inside of their networks."
Zimperium looked at the iOS app security risks and threats detected on zIPS-protected devices between April 1 and June 30, 2017. It categorized what it found as device threats and risks, network threats and app threats.
When studying device threats and risks, the researchers found that, so far in 2017, there have been more registered common vulnerabilities and exposures on both Android and iOS devices than in all of 2016.
"While not all vulnerabilities are severe, there were still hundreds that enabled remote code execution (such as Stagefright and Pegasus) that forced the business world to pay attention to mobile device security," the report stated.
Zimperium also found that over 23% of iOS devices were not running the latest version of the operating system, which is somewhat unexpected, since Apple controls the update process itself. Despite that, the report also stated that the number of iOS devices with mobile malware was extremely low, at just 1%. However, Zimperium found that iOS devices "have a greater percentage of suspicious profiles, apps using weak encryption and potentially retrieving private information from devices."
"The most concerning risks associated with iOS devices were malicious configuration profiles and 'leaky apps,'" the report stated. "These profiles can allow third parties to maintain persistence on a device, decrypt traffic, synchronize calendars and contacts, track the device's location and could allow a remote connection to control the device or siphon data from the device without the user's knowledge."
Additional findings include man-in-the-middle attacks that were detected on 80% of the scanned devices, as well as the seven most severe iOS app security issues: malware, keychain sharing, MD2 encryption, private frameworks, private info URL, reading UDID and stored info being retrieved during public USB recharges.
In other news:
- Following the initial breach report, new developments revealed CCleaner malware is worse than originally thought. Security company Morphisec and networking giant Cisco found and revealed that CCleaner, a Windows tool set from Avast, had been taken over by hackers who installed backdoors on the software. The companies confirmed over 700,000 computers have been affected and now have backdoors on them. A few days after the reveal, Cisco Talos, the company's security division, analyzed the command-and-control (C2) server to which the infected versions of CCleaner connect. "In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader," the Talos team wrote in a blog post. "Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads." According to Cisco Talos' findings, Intel, Google, Microsoft, VMware and Cisco were among the targeted companies.
- Media company Viacom Inc. is the latest major organization to expose sensitive information to the public due to a misconfigured AWS Simple Storage Service cloud storage bucket. According to Chris Vickery, director of cyber-risk research at UpGuard, based in Mountain View, Calif., Viacom exposed a wide array of internal resources, credentials and critical data. "Exposed in the leak are a master provisioning server running Puppet, left accessible to the public internet, as well as the credentials needed to build and maintain Viacom servers across the media empire's many subsidiaries and dozens of brands," UpGuard explained in a blog post. "Perhaps most damaging among the exposed data are Viacom's secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate's cloud-based servers in the hands of hackers." The exposure, the research firm noted, could enable hackers to perform any number of damaging attacks through Viacom's infrastructure.
- The U.S. District Court for Washington, D.C., has dismissed two lawsuits filed in regard to the 2017 data breach of the Office of Personnel Management (OPM). One of the lawsuits was filed by the American Federation of Government Employees, a federal workers union, alleging that the data breaches occurred as a result of gross negligence by federal officials. The second suit was filed by another union, the National Treasury Employees Union. It targeted the OPM's acting director and alleged constitutional violations of the victims' right to information privacy. This week, the court dismissed both lawsuits because neither plaintiff "has pled sufficient facts to demonstrate that they have standing." In 2015, the OPM revealed two data breaches that exposed over 20 million people, mostly U.S. federal employees, in which hackers stole their sensitive information.