Tuesday, March 1, 2011

No iPhone is Safe. Surge of Exploits Raises Questions.

I'm no fan of Apple. Their proprietary bullshit and overpriced, last-gen hardware irks me to say the least. However, as a penetration tester, the common Apple lie always gets me. "Apple products can't get viruses". Don't make me fucking laugh. The truth is that Macs are just as vulnerable to exploits as any other OS, any penetration tester knows this simple truth. However, you can still hear the same old rhetoric from an Apple fanboy, that Apple products are just simply invulnerable to attacks. The only reason Macs haven't been targeted like Windows and Linux is simply because of market share. If Macs were to gain a larger market share it would get ruined by the amount of new exploits and viruses. Nothing has been more proof of that than iOS, who has gained a considerable amount of market share in the mobile OS division. iOS runs OSX in the backend and (here's the kicker) exploit-db now has 13 exploits ,all released in around 3 days ,that details many exploits for iOS systems. Luckily,  they are not OS exploits but, program exploits.

Why is iOS so exploitable? We can simply look the how Apple is run for that. Apple not only locks down their firmware but, releases updates on their horrid update schedule. Bad update schedule equals better exploitability. Next, most people have absolutely no control on the actual security of the device unless they have jailbroken it. If you can't turn off insecure services on the device, you aren't secure. I hate that Apple treats their customers like babies and, in turn, treats their customers data in an insecure fashion. Lastly, the developers for the platform tend to write insecure code. Developers usually are start-up companies who have little to no security training and, therefore, will write bad code.

I can only hope that most of this get resolved quickly but, that is up to the discretion of the app developers. Now that iOS is popular, it is possible that we will see a wave of new default service exploits and not just app exploits.At least it will give us all some sort of stability on the whole thing as it will force Apple to actually patch their software.