Private I: A Slice of Apple: Users with Old iOS Versions

Many Android phones remain stuck on the OS that shipped with the handset, unless you put forth significant effort to update it yourself.

In the rush to critique Google for its inability to patch older and some current versions of Android at all or promptly--a rush I was absolutely part of--it's good to not ignore the baggage we're carrying around as well. Google was rightly criticized for the tradeoffs it made starting with the release of Android 1.0 to allow handset makers and cellular carriers to control, more or less, what went onto Android handsets.

This included alternate user interfaces and bloatware, but it also blocked any quick path for security updates and fixes for software flaws. The only exceptions are Google-released flagship phone models, for which the company controls the destiny, and phones sold with or rooted to run CyanogenMod, a venture-capital-backed Android fork designed to put the OS's updates and behavior in the hands of a device's owner.

But Apple is leaving its users behind in iOS, too, although less rapidly than it was just a couple of years ago. The reason Google gets the opprobrium isn't bias so much as the number of devices affected and the rapidity of change. This gives crackers smaller windows of access to exploit flaws that are likely less valuable. But bluntly, developing malware for Android has a better chance of paying out and continuing to pay out, than malware for iOS.

Let a thousand versions bloom

"Fragmentation" has been the watchword of critics of Google's approach, and a word I've often used. It mostly affects developers, who with some releases and features have had to do an inordinate amount of work compared to monolithic iOS to get their apps to work correctly on the majority of active Android devices. But it's also relevant to security.

Google's statistics about Android devices checking into its Google Play Store show that only about 18 percent are running a version of Android 5; the majority run a 4.x release. When the Stagefright exploit was revealed more than two weeks ago, the estimate was that even though the exploit had been disclosed to Google and patched in its internal code base, over 95 percent of phones were vulnerable to a simple MMS-based attack. Carriers have worked at the network level and with MMS settings they can change remotely to reduce the risk. But from 20 to 50 percent of Android phones will never receive a patch. (Android owners should read this advice from our Greenbot colleagues about reducing risk.)

Contrast that with the news of an attack in the wild that's fairly serious and affects iOS devices, but you may not have heard of. It's a variation of the previously discovered Masque Attack, which I wrote about last November. This exploit allows an app to be replaced with one that has certain identical attributes, but originally required a user to trust an enterprise certificate, or carry out another step to accept an app.

Earlier this year, FireEye found that malicious substitute apps could be downloaded and installed without the user having to tap Trust. Last week, FireEye announced it had found 11 iOS apps in the Hacking Team data breach that were designed to exploit Masque Attack. These apps didn't even require a jailbroken phone.

I'll be honest: even though this is part of my bread and butter, I didn't hear about last week's announcement for a few days, because iOS 8.1.3 closed some of the holes and 8.4 some others, so it didn't cause a blip online. In response to researchers who found related problems in June that relied on the Mac and iOS App Stores, Apple fixed some of the flaws and said it was researching the rest. Ostensibly, critical fixes will appear in iOS 8 releases to come, and full fixes in iOS 9. Versions before iOS 8 haven't been patched.

Why aren't Apple's critics shouting about fragmentation and a lack of support for older devices? Why aren't we seeing malware in abundance for vulnerable hardware that could be exploited via well-documented flaws? Because most iOS users are running iOS 8.

Why was iOS 6 afraid of iOS 7?

Somewhere from 10 to 20 percent of devices are running iOS 7 or an earlier version. (MixPanel pegs it at 10 percent, while David Smith's tracking of usage related to his Audiobooks app puts it around 20.) Over a billion iOS devices have been sold since the first iPhone, but it's impossible to know how many remain in use unless Apple were to provide figures. I suspect at least 30 percent, if not many more, have joined the choir invisible, and that somewhere in the 700 million range are in use.

So 70 to 140 million users of systems that predate iOS 8 (and most iOS 8 users have upgraded to 8.4) seems like a large audience to exploit, even though a significant portion are using older devices. However, there are somewhere in the 1.5 billion range of Android devices in use, and vendors still sell hardware that runs versions prior to Android 5--that's about 1.2 billion previous version Android users, of which a good portion are phones. Faced with 70 million potential victims or over a billion, after an exploit just affected 95 percent of all Android phones in use, which would a malware developer seek to find flaws in?

It would be exceedingly smart and polite of Apple to maintain a patch tree for critical flaws that propagated back a version even if it were only for devices that are incapable of being upgraded to a newer iOS release. It hasn't done so in the interests of keeping the pressure on people to run the latest and greatest, which has an impact on folks buying new apps and using new paid services. And old hardware is dying every day, making the universe of devices to exploit ever smaller.

With iOS 9, the window will stretch back further than at any time in iOS release history for compatible devices: back to 2011 for the iPhone 4s and iPad 2 (and 2012 for the iPod touch 5th generation). And some leaks about iOS 9 make it sound as though the release will be optimized for older devices, chewing fewer processor cycles on features they can't support well, or at all.

Malware developers try to pluck low-hanging, plump fruit, because they make their money or reap other rewards by selling their exploits or access to them to criminals and sometimes governments. Apple's choices do leave a significant number of users of older versions of iOS at risk, but simultaneously make them slim pickings compared to other options.
