At Black Hat, Apple's security chief gave a rare look into how the company hardens its iOS operating system.
Both government and criminals are adapting to the rapid growth in mobile computing. Government is bringing more mobile devices into its networks, and the criminals are developing attacks to exploit vulnerabilities in those devices.
Much of the growth in both areas has been with devices running the Android operating system because it is open and easily modified, but government increasingly is looking at the Apple iOS because its tighter controls offer a more secure environment.
Dallas De Atley, Apple’s manager of platform security, described some of the features built into the mobile operating system at last week’s Black Hat Briefings in Las Vegas.
“Security is architecture,” De Atley said. “You have to build it in from the beginning, not sprinkle it over the code when you’re done.”
A smart phone or other mobile devices differ from a traditional computers in that they typically are on all of the time and always connected. They are always network-aware, sending and receiving whenever they are powered up. “The device doesn’t completely go to sleep,” De Atley said. He said these factors were taken into account when designing the operating system.
De Atley provided no startling revelations, but the talk was widely anticipated because Apple has not talked publicly in the past about its security.
He described an operating system designed from the kernel up to provide tight control over processes, applications and data, from a secure boot process to the partition and encryption of files. The security begins with the hardware, with signed firmware in the processor controlling the boot process, hardware-based 256-bit AES encryption, and a unique device ID that helps to generate and mange encryption keys for content at various levels of security.
As a result, Apple has raised the bar for exploits and driven much of the criminal activity to Google’s open Android OS, which has seen a steadily increasing number of exploits and malicious applications over the past two years. According to recent estimates from International Data Corp., Android now has 59 percent of the mobile market, which helps to make it an attractive target.
“In our experience, a platform only needs to have 10 percent to become sufficiently worthwhile to malware authors,” the security company AVG Technologies said in its latest threat report.
In government, adoption is tending more toward the iOS operating system, however. Estimates of government market share show a movement away from the RIM BlackBerry. Android now has about 25 percent, with the iPhone at 23 percent and 17 percent using the iPad.
The National Oceanic and Atmospheric Administration and the ATF both are adopting iPhones in place of BlackBerrys, and the Air Force earlier this year awarded a contract worth $9.36 million for 18,000 iPads for use in flight line maintenance. The Veterans Affairs Department has initiated a pilot program to equip clinical staff with iPhones and iPads and eventually could have as many as 100,000 of the devices.
Before the iOS boots, signatures in the code are verified by the processor. Unique identifiers in each device help to protect against downgrade attacks in which fixes or patches are rolled back to re-expose vulnerabilities. Applications on the device have to be digitally signed before the iOS will run them.
“This represents our first line of defense against malware,” De Atley said.
Third-party developers have their own signing certificates and the application is signed again by Apple keys before it can be used. “All the software running on the device is coming from a known location,” he said.
Third-party apps also are compartmentalized, each running in its own container, the location of which is randomly assigned to complicate exploits. Privileges defining what processes an app can access are strictly controlled to avoid elevation, and most applications are suspended when not in use to avoid background processing.
For the time being, at least, raising the bar on iOS security is enough to drive criminals to other operating systems, because the return on investment for compromising mobile devices remains lower than for traditional computers. Even with more sophisticated exploits emerging, one of the primary ways for criminals to make money from smart phones remains premium-rate SMS messaging, said Tony Anscombe, senior security evangelist for AVG Technologies.
That is beginning to change, however. A new type of exploit, the DKFbootkit, takes the malware into the operating system, allowing complete control of the phone and enabling creation of mobile botnets.
“We have seen that the bot on the mobile handset is being used to click ads on a specific URL,” generating revenue for the ad network, Anscombe said. “This is an attack method seen on the PC historically, but we are now seeing it on the mobile platform.”
With the current limited avenues for making money from a compromised smart phone, is a mobile botnet worth having? “I don’t know,” Anscombe said. But as functionality and use grows, he added, such botnets eventually will be harnessed for criminal behavior.