For the second time in less than two weeks, a major security breach shows that app publishers cannot rely exclusively on the security mechanisms of iOS and the iPhone. (Read about the previous iOS security incident).
This time Google security researchers have uncovered five exploit chains that allow for the automatic hacking (jailbreaking) of iPhones (iOS10 to iOS12.4) via a series of malicious websites. With thousands of estimated visits each week, these websites have reportedly been disseminating malware for years. The latest incident proves, once again, that mobile devices should not be trusted by default and that additional security measures - such as mobile app protection software - are indispensable for protecting sensitive app-processed data and preserving overall app integrity. Security sensitive applications should thus operate from a Zero Trust standpoint and consider both device and back-end as potentially malicious.
The five exploit chains uncovered by Google’s Threat Analysis Group (TAG) automatically jailbroke the devices of unsuspecting users visiting hacked websites. Once devices were infiltrated, malware was installed in order to steal files, upload live location data, gain access to the user’s keychain, databases, etc. It could also enable the monitoring of communication with the server that may be used for future attacks as well. Runtime tampering with other processes enables the malware to modify behaviour or intercept data of any running application.
Even the newest iPhones - which are generally considered more secure - were found to be vulnerable to this modality of attack, as Google’s Project Zero shows.
However, there are a number of measures that can ensure your iOS applications remain protected against such attacks:
Only mobile app protection software, such as iXGuard, can provide your applications with comprehensive app security containing the measures listed above. In light of the recently reported security breaches, it is becoming imperative for publishers of all apps performing sensitive transactions and processing personal data, to take the necessary steps to adequately secure them. The latest incident is just another reminder of how much the built-in security mechanisms of iOS cannot be overestimated. Learn more about iOS application security.