iPad, iPhone's kernel-up security could be a better bet for gov

At Black Hat, Apple's security chief gave a rare look into how the company hardens its iOS operating system.

Both government and criminals are adapting to the rapid growth in mobile computing. Government is bringing more mobile devices into its networks, and the criminals are developing attacks to exploit vulnerabilities in those devices.

Much of the growth in both areas has been with devices running the Android operating system because it is open and easily modified, but government increasingly is looking at the Apple iOS because its tighter controls offer a more secure environment.

Dallas De Atley, Apple’s manager of platform security, described some of the features built into the mobile operating system at last week’s Black Hat Briefings in Las Vegas.


Related coverage:

Mobile security guide catches up with smart phones, BYOD

Managing mobile security: There's no such thing as a free app


“Security is architecture,” De Atley said. “You have to build it in from the beginning, not sprinkle it over the code when you’re done.”

A smart phone or other mobile devices differ from a traditional computers in that they typically are on all of the time and always connected. They are always network-aware, sending and receiving whenever they are powered up. “The device doesn’t completely go to sleep,” De Atley said. He said these factors were taken into account when designing the operating system.

De Atley provided no startling revelations, but the talk was widely anticipated because Apple has not talked publicly in the past about its security.

He described an operating system designed from the kernel up to provide tight control over processes, applications and data, from a secure boot process to the partition and encryption of files. The security begins with the hardware, with signed firmware in the processor controlling the boot process, hardware-based 256-bit AES encryption, and a unique device ID that helps to generate and mange encryption keys for content at various levels of security.

As a result, Apple has raised the bar for exploits and driven much of the criminal activity to Google’s open Android OS, which has seen a steadily increasing number of exploits and malicious applications over the past two years. According to recent estimates from International Data Corp., Android now has 59 percent of the mobile market, which helps to make it an attractive target.

“In our experience, a platform only needs to have 10 percent to become sufficiently worthwhile to malware authors,” the security company AVG Technologies said in its latest threat report.

In government, adoption is tending more toward the iOS operating system, however. Estimates of government market share show a movement away from the RIM BlackBerry. Android now has about 25 percent, with the iPhone at 23 percent and 17 percent using the iPad.

The National Oceanic and Atmospheric Administration and the ATF both are adopting iPhones in place of BlackBerrys, and the Air Force earlier this year awarded a contract worth $9.36 million for 18,000 iPads for use in flight line maintenance. The Veterans Affairs Department has initiated a pilot program to equip clinical staff with iPhones and iPads and eventually could have as many as 100,000 of the devices.

Before the iOS boots, signatures in the code are verified by the processor. Unique identifiers in each device help to protect against downgrade attacks in which fixes or patches are rolled back to re-expose vulnerabilities. Applications on the device have to be digitally signed before the iOS will run them.

“This represents our first line of defense against malware,” De Atley said.

Third-party developers have their own signing certificates and the application is signed again by Apple keys before it can be used. “All the software running on the device is coming from a known location,” he said.

Third-party apps also are compartmentalized, each running in its own container, the location of which is randomly assigned to complicate exploits. Privileges defining what processes an app can access are strictly controlled to avoid elevation, and most applications are suspended when not in use to avoid background processing.

For the time being, at least, raising the bar on iOS security is enough to drive criminals to other operating systems, because the return on investment for compromising mobile devices remains lower than for traditional computers. Even with more sophisticated exploits emerging, one of the primary ways for criminals to make money from smart phones remains premium-rate SMS messaging, said Tony Anscombe, senior security evangelist for AVG Technologies.

That is beginning to change, however. A new type of exploit, the DKFbootkit, takes the malware into the operating system, allowing complete control of the phone and enabling creation of mobile botnets.

“We have seen that the bot on the mobile handset is being used to click ads on a specific URL,” generating revenue for the ad network, Anscombe said. “This is an attack method seen on the PC historically, but we are now seeing it on the mobile platform.”

With the current limited avenues for making money from a compromised smart phone, is a mobile botnet worth having? “I don’t know,” Anscombe said. But as functionality and use grows, he added, such botnets eventually will be harnessed for criminal behavior.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.