The keylogging flaw, revealed by FireEye in a 24 February blog post, means hackers can capture and record every keystroke made by users of any Apple device running the latest iOS 7 operating system, as well as those devices on iOS 6.1.
This includes the most secure 'non-jailbroken' devices. Last month, Trustwave senior security consultant Neal Hindocha found the same problem on jailbroken Apple iOS systems and was due to demonstrate it at this week's RSA security conference in the US.
Meanwhile, on 21 February, Apple rushed out a patch that prevents hackers from accessing supposedly secure communications between iPhone and iPad users and SSL-protected websites, a flaw caused by a duplicated line of operating system source code accidentally being left in.
But the company has not provided the same fix to users of Mac OS X computers, leaving them exposed to online attackers stealing their passwords or other personal data as they connect to popular websites.
An Apple spokesperson told SCMagazineUK.com: "We are aware of this issue and already have a software fix that will be released very soon." But this has not been enough to prevent the company being strongly criticised.
Kevin O'Reilly, senior consultant at UK security research firm Context Information Security, said Apple's reputation for security is “in tatters” while Clive Longbottom, service director at IT research firm Quocirca, added that “Apple has answers to give in both cases”.
O'Reilly told SCMagazineUK.com via email: “It's been a miserable week for Apple. On the one hand, it seems iPhones and iPads are susceptible to malicious key-logging apps - security measures implemented by Apple to prevent malicious background activity can be bypassed, and key-logging Trojan apps are a real possibility for iOS users today.
“But perhaps even more damaging to Apple's reputation for security is the recent revelation that a simple duplication of a line of source code has slipped through the net of security auditing, with huge implications.”
O'Reilly said this flaw means attackers can “sniff or even modify supposedly secure traffic such as that to online banking websites or similar. To make matters worse, the true extent of the problem is still unfolding, with Mac users being left unprotected and a patch still in the making.”
O'Reilly told us: “Apple has long been buoyed by the public perception that its devices and software are far less susceptible to malware and security flaws; this may not have been entirely accurate but this week as realisation dawns this image has surely been shattered, leaving users questioning the wisdom of their previous faith, and Apple's reputation for security in tatters.”
Clive Longbottom at Quocirca agreed, telling SCMagazineUK.com: “The SSL issue seems to have been caused by a piece of code - actually, a single line of code - put in place by an Apple developer to make their life easier during testing. This was not removed before moving the code into run-time. This is a case of very poor project management and code testing by Apple.”
Longbottom said the keylogging problem is more of a software design issue, adding: “Apple has answers to give in both cases – effective code testing and basic project management should be a core part of the development of what is such a major system.”
FireEye said in its blog that it has demonstrated the keylogging problem on the latest 7.0.4 version of iOS on a non-jailbroken iPhone 5s, and has verified that the same vulnerability exists in iOS versions 7.0.5, 7.0.6 and 6.1.x.
It described the implications of the bug for users: “Potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app and then conduct background monitoring. The only way for iOS users to avoid the security risk, before Apple fixes the issue, is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring.”
Clive Longbottom said: “BYOD will continue to stress the IT department attempting to safeguard the organisation. Only through careful monitoring of what is happening on an end-to-end basis from device to data centre can IT hope to keep control of what is happening.”