iOS and Android security: A timeline of the highlights and the lowlights


When the trendy cell machine first hit the cabinets, the smartphone market wasn’t a goal for the rampant malware and information theft we see as we speak. Let’s hop into our very personal wayback machine and study iOS and Android safety from inception to now to contemplate what has modified with every platform and with cybersecurity.

SEE: Lunch and study: BYOD guidelines and tasks (Tech Pro Research)

iOS 1

The most vital factor to know concerning the first iteration of the Apple cell platform (launched March 6, 2008) is that there was no app retailer; due to this, there have been no approved third-party functions in growth. It solely took just a few months earlier than unauthorized third-party apps began to seem—these apps had been created by hackers and tinkerers that wished extra from the machine.

Apple responded to this small wave of third-party apps by releasing the primary .1 replace to the platform, which locked down the working system utilizing encryption and certificates signing. Those third-party apps had been now not installable.

Android 1.5

The early days of Android had been similar to that of iOS—it wasn’t till the Cupcake launch (1.5, launched April 27, 2009) that Android unleashed its personal app retailer. In these early days, there was little to no vetting of software program, however the platform had but to grow to be the goal of malicious software program; this may be simply attributed to an absence of viewers (just like iOS).

Although there was a number of buzz surrounding Android, it had but to realize sufficient traction to garner the eye of hackers and different sorts of safety intrusions. Even so, Google enhanced the safety of its fledgling platform with enhancements that included the addition of ProPolice to forestall stack buffer overruns, safe_iop to scale back integer overflows, and chunk consolidation assaults and double free() vulnerabilities to forestall the addition of extensions to OpenBSD dlmalloc.

iOS 2

With iOS 2 (launched July 22, 2008), the iOS App Store lastly arrives, shrugging off these unauthorized third-party apps for good. Even with the App Store in play, jailbreaking communities started to rise, with the aim of unleashing the total potential of the machine.

While that is occurring, Apple introduces security-specific options to the platform: Support for Cisco’s IPSec VPN know-how, WPA2 Enterprise and 802.1x authentication, configuration profiles that enforced safety insurance policies, and even the distant wipe functionality.

Apple found and glued quite a lot of security-specific bugs that affected, together with CFNetwork (CVE-ID: CVE-2008-0050), Kernel (CVE-ID: CVE-2008-0177), Safari (CVE-ID: CVE-2008-1588, CVE-ID: CVE-2008-2303, CVE-ID: CVE-2006-2783, CVE-ID: CVE-2008-2307, CVE-ID: CVE-2008-2317), and WebKit (CVE-ID: CVE-2008-1590, CVE-ID: CVE-2008-1025, CVE-ID: CVE-2008-1026).

Android 2

Android 2 (Eclair) was launched on October 26, 2009. The Android market share was nonetheless below three% on the time, so the goal had but to be painted on the again of Google’s cell platform.

Eclair launched a single interface for securely managing a number of on-line accounts in addition to Microsoft Exchange assist. At the time, there was little or no dialogue concerning the safety of the Android platform. On May 20, 2010, Microsoft Exchange assist in Android added safety insurance policies and Adobe Flash (which has lengthy been thought of a safety difficulty in and of itself).

On December 6, 2010, Google added assist for Near Field Communication (NFC) to Android; it is a know-how that would result in eavesdropping, information corruption/manipulation, interception assaults, and theft.

It wasn’t till January 18, 2011 when Android 2.2 (Froyo) rolled safety updates into the platform. The subsequent safety replace would not be added to Android 2 till November 21, 2011.

SEE: Download: Cybersecurity in an IoT and cell world (TechRepublic)

iOS three

iOS three rolled out on June 17, 2009. The greatest safety addition to the platform was the power for customers to pay $100.00/yr to allow the Find My Phone function, which allowed customers to find their misplaced or stolen cellphone. This early iteration of Find My Phone was simple to bypass—if Location Services was turned off or if a lock display passcode wasn’t created, the function would not work.

The third launch of iOS fastened 46 safety vulnerabilities, together with CoreGraphics (CVE-ID: CVE-2008-3623), Exchange (CVE-ID: CVE-2009-0958), Image I/O (CVE-ID: CVE-2009-0040), International Components for Unicode (CVE-ID: CVE-2009-0153), and IPsec (CVE-ID: CVE-2008-3651, CVE-2008-3652).

Android three

Android three (Honeycomb), launched February 22, 2011, was the primary tablet-only replace to the Android platform. This launch added two crucial safety updates to the platform: The skill to encrypt all consumer information and the disallowing of functions from having write entry to secondary storage (reminiscent of reminiscence playing cards) outdoors of designated utility storage.

iOS four

iOS four (launched June 21, 2010) got here with quite a lot of attention-grabbing safety updates. Users might now allow an extended password as a substitute of a four-digit PIN for the machine lock display. Apple included the power to encrypt e mail attachments so long as the machine was locked by a passcode. The encryption function was prolonged to third-party apps for information encryption.

iOS four added a function that might be a baseline for safety features within the years to come back: Users now had management over whether or not particular person apps had entry to location management.

This launch fastened a whopping 65 vulnerabilities, together with Application Sandbox (CVE-ID: CVE-2010-1751), CFNetork (CVE-ID: CVE-2010-1752), ImageIO (CVE-ID: CVE-2010-0041), LibSystem (CVE-ID: CVE-2009-0689), and libxml (CVE-ID: CVE-2009-2414, CVE-2009-2416).

Image: iStock/natalimis

Android four

When Android four (Ice Cream Sandwich) was launched (October 18, 2011), it was thought it launched some moderately attention-grabbing safety holes. These “holes” got here by means of new options, which included: Facial recognition unlock, Android Beam, capturing screenshots, and e mail copy/paste. Oddly sufficient, some reporters thought of these options amongst those who would result in eminent information theft. For instance, there was concern that Facial Unlock would permit anybody with an identical facial construction or perhaps a photograph of the machine’s proprietor might unlock a tool. Android Beam was considered a simple approach for unencrypted data to be uncovered to theft.

It wasn’t till Android four.2 (Jelly Bean) that critical safety enhancements would make their approach into Android by means of Security-Enhanced Linux (SELinux). SELinux (created by the NSA and Red Hat) is a kernel safety module that gives a mechanism to assist entry management safety insurance policies. This addition introduced an unmatched degree of safety to the Android platform. It wasn’t till Android four.four (KitKat) that SELinux can be switched to Enforcing mode. KitKat launched Verified boot, which offers clear integrity checking of block gadgets.

iOS 5

Apple added in iOS 5 (launched June 6, 2011) what it known as Unsecured Call with little fanfare or clarification; this function turned out to be a warning when a consumer was on an unencrypted mobile community. When Unsecured Calls arrived, the consumer might ignore a name or instantly finish a name.

Also included with iOS 5 was a brand new function known as Find My Friends, which allowed customers to share their location with pals. This was thought of by many individuals to be a safety difficulty.

iOS 5 fastened 96 safety vulnerabilities, together with CalDAV (CVE-2011-3253), Calendar (CVE-2011-3254), CFNetwork (CVE-2011-3255), CoreFoundation (CVE-2011-0259), and CoreGraphics (CVE-2011-3256).

Android 5

Android 5 (Lollipop, launched November 12, 2014) was thought of one of many platform’s greatest enhancements to this point. Replacing the default Dalvik compiler with Jit launched critical efficiency will increase. However, Lollipop would discover itself below a superb highlight, shining down on vital safety considerations.

First and foremost was the Accessibility Clickjacking assault that exploited flaws in Android’s accessibility and draw-over-apps options. With this vulnerability, attackers might presumably hijack gadgets.

The Smart Locking function allowed customers to pair their smartphone with a appropriate Bluetooth or NFC machine, such that when the paired machine was close to, the cellphone would stay unlocked. Many individuals thought of this yet one more safety vulnerability.

Lollipop shifted machine encryption from being an choice to the default, and made SELinux Enforcing Mode obligatory for all apps on the machine.

In addition, Google added the “kill switch” possibility, which allowed customers to carry out a distant full manufacturing facility reset.

iOS 6

Apple added in iOS 6 (launched June 11, 2012) a brand new privateness part that gave customers the power to allow or disable entry to contacts, calendars, reminders, images, and social media accounts on a per-app foundation. In the brand new privateness window, Apple included a Bluetooth Sharing possibility. Another security-minded function was the power to restrict advert monitoring on a tool.

iOS 6 fastened a large 197 safety vulnerabilities, together with CFNetwork (CVE-2012-3724), quite a few patches to CoreGraphics, CoreMedia (CVE-2012-3722), DHCP (CVE-2012-3725), and ImageIO (CVE-2011-1167).

Android 6

Android 6 (Marshmallow, launched October 5, 2015) wasn’t proof against the platform’s quite a few safety points. In August 2016, it was found that just about 80% of Android telephones with Qualcomm chips suffered from what can be labeled because the Quadrooter vulnerabilities (CVE-2016-2503, 2504, 2059, 5340). These vulnerabilities required malicious apps to be downloaded to a tool (most frequently from a third-party app retailer, and never the Google Play Store) and will commandeer the gadgets after tricking customers to escalate permissions for the app in query. Qualcomm launched the patches by way of handset producers.

With the discharge of Android 6, Google revealed its first Android Security Bulletin to doc the vulnerabilities and patches ascribed to the platform. Google launched the Security Patch Level system, which might routinely replace safety patches on a tool. Users might go to Settings | About Phone and see what Android safety patch degree was on their machine.

SEE: How cybercriminals are utilizing Android safety bulletins to plan assaults (TechRepublic)

iOS 7

iOS 7 (launched June 10, 2013) had quite a lot of safety enhancements, although it wasn’t with out points. One of the largest vulnerabilities on the iOS platform to this point was the notorious “go to fail” SSL difficulty. It was suspected that Apple deliberately bypassed the SSL digital signature verify, giving the US authorities a backdoor into the platform.

Soon after that discovery, it was discovered that e mail attachments weren’t being encrypted, even when a passcode was enabled for the machine. The repair for this bug did not roll out till iOS 7.1.2.

A brand new function known as Activation Lock was added to Find My Phone. With this function enabled, a tool proprietor’s Apple ID credentials have to be entered earlier than anybody might disable Find My Phone, erase a tool, or reactivate a tool.

Touch ID was launched to work at the side of the newly launched fingerprint sensor. Unfortunately, a gaggle going by Chaos Computer Club managed to bypass Touch ID a mere day after its launch.

iOS 7 fastened 80 safety points, together with Certificate Trust Policy, CoreGraphics (CVE-2013-1025), CoreMedia (CVE-2013-1019), and Data Protection (CVE-2013-0957).

SEE: Video: GCS 2017 panel: Are we spending cybersecurity in the best locations? (TechRepublic)

Android 7

Android’s safety points have began to wane a bit with the seventh iteration of the platform (launched August 22, 2016. One of the largest enhancements was rising variety of customers had been truly making use of updates on their gadgets. Unfortunately, it was found that lower than three% of Android telephones had been operating the newest model of the platform.

It helped that Google launched quite a lot of vital safety features to Android within the seventh iteration, together with: Direct boot, which splits information into two teams: Device Encrypted Storage and Credential Encrypted Storage; stronger, file-based encryption; nice enhancements on the MediaServer, which is the system that enabled the notorious Stagefright assault; fastened weak sharing permissions between apps; always-on VPN; and a piece mode icon on Android for Work gadgets that permits customers to disable all work-related apps as soon as they’re off the clock. The new seamless replace function goes a good distance to assist enhance safety, as customers can obtain the newest platform replace and maintain off making use of it till the following boot.

iOS eight

iOS eight (launched June 2, 2014) got here with an attention-grabbing new function that makes use of a randomly spoofed MAC handle as a substitute of the machine’s precise handle when scanning on a wi-fi community for close by gadgets. This function prevents retail shops from monitoring a a buyer as they store with out asking for consumer permission.

iOS eight added DuckDuckGo as a official search supplier so customers might reliably search the web with out being tracked.

This launch fastened 56 safety points, together with 802.1X (CVE-2014-4364), Accounts (CVE-2014-4423), Accessibility (CVE-2014-4368), and Accounts Framework (CVE-2014-4357).

iOS 9

In iOS 9 (launched June eight, 2015), Apple added a moderately controversial function known as Content Blockers (aka advert blockers), which can be utilized to cover or block net web page elements reminiscent of cookies, photographs, assets, and pop-ups.

The customary passcode to unlock a tool was migrated from the default 4 characters to a safer six characters. If a consumer works with OS X El Capitan, she will allow two-factor authentication for her Apple ID.

Apple launched App Transport Security (ATS) to assist encourage builders to go for HTTPS over customary HTTP and TLS 1.2.

Another crucial safety function is Kernel Patch Protection (KPP), a low-level operate that periodically checks the integrity of the working system kernel.

iOS 9 fastened 105 safety points, together with Apple Pay (CVE-2015-5916), AppleKeyStore (CVE-2015-5850), Application Store (CVE-2015-5856), and Audio (CVE-2015-5862).

SEE: Learn iOS 10 Development with Swift three & Xcode eight: Build 14 Apps (TechRepublic Academy)

iOS 10

iOS 10 (launched June 13, 2016) is taken into account by many individuals to be probably the most vital replace to come back to the platform in years. One of an important enhancements was to patch the KPP in opposition to recognized exploits. With this in place, the platform has grow to be more and more tough to crack.

Apple has made modifications that have an effect on the way in which builders work together with the App Store. As of iOS 10, Apple now requires all apps to be signed by certificates which are remotely checked by Apple’s personal servers; this new system permits Apple to rapidly revoke any certificates of recognized malicious apps.

iOS 10 does one thing crucial for customers: When a consumer logs right into a wi-fi community that does not require a password, they are going to be given a warning that the community in query provides no safety and may expose a consumer’s information to community visitors.

What’s subsequent?

It’s clear that Apple and Google should place safety entrance and middle in upcoming releases. Data integrity and safety has grow to be tantamount to a profitable cell expertise, so each firms should proceed the evolution of their platforms with safety in thoughts.

Also see

Leave a Reply