Mythbusters: The iOS Platform is Secure

The iOS platform has always had a reputation as the secure mobile OS. But if you’re relying on iOS alone to keep your data and employees safe, you’re not providing mobile security. We debunk the myth that iOS is secure by sharing 3 risk areas you’re overlooking, even in an iOS-only environment. And, we share what it really takes to secure your enterprise data from mobile threats.

Today, Android enjoys an over 85% share of the worldwide mobile OS market. But in large enterprises, Appthority’s research has shown that iOS, because it is assumed to be safer, is the dominant player. In fact, we see that 82% of the devices in our customer environments run on iOS.

Still, that leaves 18% of devices across all of our customers that are not iOS – devices that are operating outside of Apple’s closed ecosystem. None of our customers, in fact, have iOS-only environments. So, if your mobile policy is BYOD or you aren’t enforcing iOS for all devices, you have Android devices operating in your environment.

More to the point, however, mobile platforms – whether iOS or Android – are inherently insecure. While it’s true that iOS benefits from Apple’s closed ecosystem and stronger app vetting, these are not enough to keep security threats out of your environment altogether. The question you have to ask is: what kind of mobile risks are getting through into my enterprise? Let’s take a look across all mobile threat vectors.

3 risk areas in iOS-only environments

Mobile app vulnerabilities and over-sharing

App developers are increasingly leveraging third-party code, in the form of libraries, SDKs, ad networks, and more, to speed up app development and incorporate functionality. This is a common trend across both iOS and Android, and we’ve seen that the average app is over 50% third-party code. Many developers write apps for both the Apple and Google markets, so mistakes and vulnerabilities introduced in apps for one OS are often carried over to the apps they develop for the other OS. This is one reason that, when it comes to mobile app vulnerabilities like data exfiltration, unencrypted data transmission, and insecure back-end data storage, iOS is still risky. And the risk is high – we’ve found app vulnerabilities, like HospitalGown, which exposed 43 terabytes of sensitive enterprise data due to hardcoded developer credentials.

In addition to vulnerabilities within mobile apps, we live in a sharing economy, where app users will readily share access to their address books, calendars, and even credentials with other apps, often without thinking. This makes sensitive personal and corporate information easier for bad actors to locate and use in phishing attacks that can lead to even larger data breaches.

Device-level and OS vulnerabilities

From a device perspective, iOS is relatively secure if users are running the latest version. Each iOS update includes vulnerability patches and security upgrades. Other than expensive and highly targeted zero-day attacks, the app sandboxing in iOS does an adequate job of keeping an attack on one app from compromising the overall device.

However, the OS doesn’t monitor devices for jailbreaks (most often seen when employees willingly modify their devices to install third-party apps) or other device risks. EMMs can do a basic job of detecting jailbroken devices, but they need a Mobile Threat Defense solution to provide the additional security layer that also detects OS vulnerabilities, configuration changes, and behavioral anomalies.

Network threats – like MiTM

From a network security perspective, iOS and Android devices are both subject to Man-in-the-Middle (MiTM) attacks when employees use unsecured Wi-Fi connections. While your choice of OS doesn’t safeguard against these threats, MiTM attacks can be prevented altogether with proper, proactive app security. For example, if apps use proper encryption and, better yet, certificate pinning, access to data in transit and MiTM risks can be completely avoided. Unfortunately, most app developers do not use proper encryption. For example, with incomplete enforcement of its App Transport Security (ATS) requirement, Apple has only been able to get 16% of the apps on iTunes to comply with its ATS data encryption best practice.
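To make the certificate-pinning point above concrete, here is an added example (not code from the original post or from Appthority) of how an iOS app can pin its backend’s certificate inside a `URLSession` delegate. The host name `api.example.com` and the two fingerprint values are placeholders for your own backend; the real fingerprints must be obtained out of band from the certificates you actually deploy. An interception certificate presented on an untrusted Wi-Fi network fails the pin check even if it chains to a root the device trusts.

```swift
import Foundation
import CryptoKit

// Added example (not from the original post): a URLSession delegate that pins the
// SHA-256 fingerprint of the server's leaf certificate in DER form.
// The host and fingerprints below are placeholders; replace them with values for
// your own backend, obtained out of band from the certificates you deploy.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Host -> set of acceptable leaf-certificate SHA-256 fingerprints (lowercase hex).
    // Pinning the current and the next certificate lets you rotate without breaking the app.
    private let pins: [String: Set<String>] = [
        "api.example.com": [
            "0000000000000000000000000000000000000000000000000000000000000000", // placeholder: current cert
            "1111111111111111111111111111111111111111111111111111111111111111", // placeholder: next cert
        ],
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; everything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Hosts without a pin fall back to the system's normal trust evaluation.
        guard let expected = pins[challenge.protectionSpace.host] else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard chain validation (expiry, CA trust, hostname match).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the pin. Reject any chain whose leaf certificate is not one we know,
        // even when a trusted CA (or a user-installed root) signed it.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let fingerprint = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if expected.contains(fingerprint) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Pin mismatch: fail the request instead of sending data to the interceptor.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request made through this session is refused unless the server's
// leaf certificate matches one of the pinned fingerprints for that host.
let session = URLSession(configuration: .default,
                         delegate: PinnedSessionDelegate(),
                         delegateQueue: nil)
```

Pinning the whole leaf certificate is the simplest form; it requires shipping an app update (or pre-pinning the next certificate, as above) before each rotation. `SecTrustCopyCertificateChain` requires iOS 15 or later, and the pin check deliberately runs only after the normal `SecTrustEvaluateWithError` validation, so the pin narrows trust rather than replacing it.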

While iOS and the Apple ecosystem may provide some safeguards against mobile threats, do they prevent all mobile risks to your enterprise? No.

3 must-have mobile security capabilities

There are 3 key things you need to do to secure your enterprise data from mobile threats, and iOS (or Android) will never do them for you.

  1. Analyze your environment for security risks. To secure your enterprise data from mobile risks, you have to know what’s lurking out there. It’s vital that you continuously scan your environment for mobile threats, as new ones arise every day. Smart IT and security teams will implement solutions that can provide deep analysis of mobile apps, devices, and networks to identify the risks and vulnerabilities that can threaten the security of their enterprise data.
  2. Score and prioritize threats. In any enterprise environment, you’re going to start finding threats as soon as you look. But where should you focus? Be sure that the solution you put in place provides a scoring system – one that you can customize to your specific corporate and compliance needs – so that you can identify and address the threats that matter most.
  3. Take corrective action through your EMM. When you find vulnerabilities in mobile apps that are installed on dozens or hundreds of devices in your network, it’s a daunting reality. But with proper integration between a security solution and your EMM, you’ll have the capability to automate and manage the entire remediation process at scale and ensure that risks have been mitigated.

As you can see, mobile security issues go well beyond the OS’s ability to protect an enterprise. You’ll want a Mobile Threat Defense solution for true visibility, threat detection, prioritization, and protection.

So hopefully you no longer think that saying “The iOS platform is secure” is a viable mobile security strategy. No matter how you slice it, a mobile OS alone can’t ensure that your enterprise data is protected from mobile threats.

Watch and share the video on this mythbuster: https://youtu.be/Re5I_-kjpCA

*** This is a Security Bloggers Network syndicated blog from Mobile Threat Blog Posts | Appthority authored by Domingo Guerra. Read the original post at: https://www.appthority.com/mobile-threat-center/blog/mythbusters-ios-platform-secure/