iOS and Android security has evolved from a nice-to-have in the platforms’ early days to essential. Here’s an overview of iOS and Android security features, attacks, and patches through the years.
When the modern mobile device first hit the shelves, the smartphone market wasn’t a target for the rampant malware and data theft we see today. Let’s hop into our very own wayback machine and examine iOS and Android security from inception to now to consider what has changed with each platform and with cybersecurity.
The most important thing to know about the first iteration of the Apple mobile platform (released March 6, 2008) is that there was no app store; because of this, there were no authorized third-party applications in development. It only took a few months before unauthorized third-party apps started to appear; these apps were created by hackers and tinkerers who wanted more from the device.
Apple responded to this small wave of third-party apps by releasing the first .1 update to the platform, which locked down the operating system using encryption and certificate signing. Those third-party apps were no longer installable.
The early days of Android were very similar to those of iOS. It wasn’t until the Cupcake release (1.5, released April 27, 2009) that Android unleashed its own app store. In these early days, there was little to no vetting of software, but the platform had yet to become the target of malicious software; this can easily be attributed to a lack of audience (similar to iOS).
Although there was a lot of buzz surrounding Android, it had yet to gain enough traction to garner the attention of hackers and other security intrusions. Even so, Google enhanced the security of its fledgling platform with improvements that included the addition of ProPolice to prevent stack buffer overruns, safe_iop to reduce integer overflows, and extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and chunk consolidation attacks.
With iOS 2 (released July 22, 2008), the iOS App Store finally arrived, shrugging off those unauthorized third-party apps for good. Even with the App Store in play, jailbreaking communities began to rise, with the goal of unleashing the full potential of the device.
While this was happening, Apple introduced security-specific features to the platform: support for Cisco’s IPSec VPN technology, WPA2 Enterprise and 802.1x authentication, configuration profiles that enforced security policies, and even a remote wipe capability.
Apple discovered and fixed a number of security-specific bugs in components including CFNetwork (CVE-2008-0050), Kernel (CVE-2008-0177), Safari (CVE-2008-1588, CVE-2008-2303, CVE-2006-2783, CVE-2008-2307, CVE-2008-2317), and WebKit (CVE-2008-1590, CVE-2008-1025, CVE-2008-1026).
Android 2 (Eclair) was released on October 26, 2009. The Android market share was still under 3% at the time, so the target had yet to be painted on the back of Google’s mobile platform.
Eclair introduced a single interface for securely managing multiple online accounts as well as Microsoft Exchange support. At the time, there was very little discussion about the security of the Android platform. On May 20, 2010, Android added security policies to its Microsoft Exchange support, along with Adobe Flash (which has long been considered a security issue in and of itself).
On December 6, 2010, Google added support for Near Field Communication (NFC) to Android; this is a technology that could lead to eavesdropping, data corruption/manipulation, interception attacks, and theft.
It wasn’t until January 18, 2011 that Android 2.2 (Froyo) rolled security updates into the platform. The next security update wouldn’t be added to Android 2 until November 21, 2011.
iOS 3 rolled out on June 17, 2009. The biggest security addition to the platform was the ability for users to pay $100.00/year to enable the Find My Phone feature, which allowed users to locate their lost or stolen phone. This early iteration of Find My Phone was easy to circumvent: if Location Services was turned off or if no lock screen passcode had been set, the feature wouldn’t work.
The third release of iOS fixed 46 security vulnerabilities, including CoreGraphics (CVE-2008-3623), Exchange (CVE-2009-0958), Image I/O (CVE-2009-0040), International Components for Unicode (CVE-2009-0153), and IPsec (CVE-2008-3651, CVE-2008-3652).
Android 3 (Honeycomb), released February 22, 2011, was the first tablet-only update to the Android platform. This release added two very important security updates to the platform: the ability to encrypt all user data, and a restriction that denied applications write access to secondary storage (such as memory cards) outside of their designated application storage.
iOS 4 (released June 21, 2010) came with a number of interesting security updates. Users could now enable a long password instead of a four-digit PIN for the device lock screen. Apple included the ability to encrypt email attachments as long as the device was locked by a passcode. The encryption feature was extended to third-party apps for data encryption.
iOS 4 added a feature that would be a baseline for security features in the years to come: users now had control over whether individual apps had access to location data.
This release fixed a whopping 65 vulnerabilities, including Application Sandbox (CVE-2010-1751), CFNetwork (CVE-2010-1752), ImageIO (CVE-2010-0041), LibSystem (CVE-2009-0689), and libxml (CVE-2009-2414, CVE-2009-2416).
When Android 4 (Ice Cream Sandwich) was released (October 18, 2011), it was thought to have introduced some rather interesting security holes. These “holes” came by way of new features, which included: facial recognition unlock, Android Beam, screenshot capture, and email copy/paste. Oddly enough, some reporters considered these features among those that would bring about imminent data theft. For example, there was concern that Face Unlock would allow anyone with a similar facial structure, or even a photo of the device’s owner, to unlock a device. Android Beam was thought to be an easy way for unencrypted information to be exposed to theft.
It wasn’t until Android 4.2 (Jelly Bean) that serious security enhancements would make their way into Android by way of Security-Enhanced Linux (SELinux). SELinux (created by the NSA and Red Hat) is a kernel security module that provides a mechanism to support access control security policies. This addition brought an unrivaled level of security to the Android platform. It wasn’t until Android 4.4 (KitKat) that SELinux would be switched to Enforcing mode. KitKat introduced Verified boot, which provides transparent integrity checking of block devices.
Apple added in iOS 5 (released June 6, 2011) what it called Unsecured Call, with little fanfare or explanation; this feature turned out to be a warning shown when a user was on an unencrypted cellular network. When an Unsecured Call warning appeared, the user could ignore the call or immediately end it.
Also included with iOS 5 was a new feature called Find My Friends, which allowed users to share their location with friends. This was considered by many people to be a security issue.
iOS 5 fixed 96 security vulnerabilities, including CalDAV (CVE-2011-3253), Calendar (CVE-2011-3254), CFNetwork (CVE-2011-3255), CoreFoundation (CVE-2011-0259), and CoreGraphics (CVE-2011-3256).
Android 5 (Lollipop, released November 12, 2014) was considered one of the platform’s biggest improvements to date. Replacing the default Dalvik compiler with JIT brought serious performance increases. However, Lollipop would find itself under a brilliant spotlight, shining down on critical security concerns.
First and foremost was the Accessibility Clickjacking attack that exploited flaws in Android’s accessibility and draw-over-apps features. With this vulnerability, attackers could possibly hijack devices.
The Smart Locking feature allowed users to pair their smartphone with a compatible Bluetooth or NFC device, such that when the paired device was near, the phone would remain unlocked. Many people considered this yet another security vulnerability.
Lollipop shifted device encryption from being an option to the default, and made SELinux Enforcing Mode mandatory for all apps on the device.
In addition, Google added the “kill switch” option, which allowed users to perform a remote full factory reset.
Apple added in iOS 6 (released June 11, 2012) a new privacy section that gave users the ability to enable or disable access to contacts, calendars, reminders, photos, and social media accounts on a per-app basis. In the new privacy window, Apple included a Bluetooth Sharing option. Another security-minded feature was the ability to limit ad tracking on a device.
iOS 6 fixed a massive 197 security vulnerabilities, including CFNetwork (CVE-2012-3724), numerous patches to CoreGraphics, CoreMedia (CVE-2012-3722), DHCP (CVE-2012-3725), and ImageIO (CVE-2011-1167).
Android 6 (Marshmallow, released October 5, 2015) wasn’t immune to the platform’s numerous security issues. In August 2016, it was discovered that nearly 80% of Android phones with Qualcomm chips suffered from what would be labeled the Quadrooter vulnerabilities (CVE-2016-2503, CVE-2016-2504, CVE-2016-2059, CVE-2016-5340). Exploiting these vulnerabilities required a malicious app to be installed on the device (most often from a third-party app store, not the Google Play Store); the app could then commandeer the device after tricking the user into granting it elevated permissions. Qualcomm released the patches via handset manufacturers.
With the release of Android 6, Google published its first Android Security Bulletin to document the vulnerabilities and patches ascribed to the platform. Google also introduced the Security Patch Level system, which would automatically update security patches on a device. Users could go to Settings | About Phone to see which Android security patch level their device was on.
iOS 7 (released June 10, 2013) had a number of security improvements, though it wasn’t without issues. One of the biggest vulnerabilities on the iOS platform to date was the infamous “goto fail” SSL issue. It was suspected that Apple intentionally bypassed the SSL digital signature check, giving the US government a backdoor into the platform.
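The shape of that bug, as an added illustration that is not Apple’s code: a duplicated `goto fail;` made the remaining steps unreachable, so the function returned success (0) before the signature was ever checked. The hash and verify routines below are constructed stand-ins that only mimic the return convention of the real ones.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the hash and signature steps (not Apple's code):
 * each returns 0 on success and non-zero on failure, as the originals did. */
static int hash_update(uint32_t *ctx, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++)
        *ctx = *ctx * 31u + data[i];        /* toy hash, for illustration only */
    return 0;
}
static int hash_final(const uint32_t *ctx, uint32_t *out) { *out = *ctx; return 0; }
/* In this toy the "signature" is simply the expected hash value. */
static int raw_verify(uint32_t hash, uint32_t sig) { return hash == sig ? 0 : -1; }

/* Vulnerable shape: the second "goto fail;" is indented as if it belonged to
 * the if, but it is unconditional, so hash_final and raw_verify are never
 * reached and err is still 0 (success) when control lands on the label. */
int verify_vulnerable(const uint8_t *params, size_t len, uint32_t sig) {
    uint32_t ctx = 0, hash = 0;
    int err;
    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;                          /* the duplicated line */
    if ((err = hash_final(&ctx, &hash)) != 0)
        goto fail;
    err = raw_verify(hash, sig);
fail:
    return err;                             /* 0 means "signature accepted" */
}

/* Fixed shape: the duplicate removed, so a wrong signature is now rejected. */
int verify_fixed(const uint8_t *params, size_t len, uint32_t sig) {
    uint32_t ctx = 0, hash = 0;
    int err;
    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &hash)) != 0)
        goto fail;
    err = raw_verify(hash, sig);
fail:
    return err;
}

/* Helper: the toy signature an honest peer would send for these params. */
uint32_t toy_signature(const uint8_t *params, size_t len) {
    uint32_t ctx = 0, hash = 0;
    hash_update(&ctx, params, len);
    hash_final(&ctx, &hash);
    return hash;
}
```

Compiling with unreachable-code warnings enabled, or running a coverage tool over the verification path, is the kind of check that would have flagged the dead code here.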
Soon after that discovery, it was found that email attachments were not being encrypted, even when a passcode was enabled for the device. The fix for this bug didn’t roll out until iOS 7.1.2.
A new feature called Activation Lock was added to Find My Phone. With this feature enabled, a device owner’s Apple ID credentials must be entered before anyone could disable Find My Phone, erase a device, or reactivate a device.
Touch ID was introduced to work in conjunction with the newly released fingerprint sensor. Unfortunately, a group going by the name Chaos Computer Club managed to circumvent Touch ID a mere day after its release.
iOS 7 fixed 80 security issues, including Certificate Trust Policy, CoreGraphics (CVE-2013-1025), CoreMedia (CVE-2013-1019), and Data Protection (CVE-2013-0957).
Android’s security issues started to wane a bit with the 7th iteration of the platform (released August 22, 2016). One of the biggest improvements was that a growing number of users were actually applying updates on their devices. Unfortunately, it was discovered that less than 3% of Android phones were running the latest version of the platform.
It helped that Google introduced a number of important security features to Android in the 7th iteration, including: Direct Boot, which splits data into two groups, Device Encrypted Storage and Credential Encrypted Storage; stronger, file-based encryption; major improvements to MediaServer, the system that enabled the infamous Stagefright attack; fixes for weak sharing permissions between apps; an always-on VPN; and a work mode icon on Android for Work devices that lets users disable all work-related apps once they are off the clock. The new seamless update feature also goes a long way toward improving security, as users can download the most recent platform update and have it applied at the next boot.
iOS 8 (released June 2, 2014) came with an interesting new feature that uses a randomized MAC address instead of the device’s actual hardware address when scanning for nearby wireless networks. This feature prevents retail stores from tracking a customer as they shop without asking for the user’s permission.
iOS 8 added DuckDuckGo as a legitimate search provider so users could reliably search the internet without being tracked.
This release fixed 56 security issues, including 802.1X (CVE-2014-4364), Accounts (CVE-2014-4423), Accessibility (CVE-2014-4368), and Accounts Framework (CVE-2014-4357).
In iOS 9 (released June 8, 2015), Apple added a rather controversial feature called Content Blockers (aka ad blockers), which can be used to hide or block web page components such as cookies, images, resources, and pop-ups.
The standard passcode to unlock a device was migrated from the default four characters to a more secure six characters. If a user works with OS X El Capitan, she can enable two-factor authentication for her Apple ID.
Apple introduced App Transport Security (ATS) to encourage developers to opt for HTTPS over plain HTTP, with TLS 1.2.
Another very important security feature is Kernel Patch Protection (KPP), a low-level function that periodically checks the integrity of the operating system kernel.
iOS 9 fixed 105 security issues, including Apple Pay (CVE-2015-5916), AppleKeyStore (CVE-2015-5850), Application Store (CVE-2015-5856), and Audio (CVE-2015-5862).
iOS 10 (released June 13, 2016) is considered by many people to be the most significant update to come to the platform in years. One of the most important improvements was to patch the KPP against known exploits. With this in place, the platform has become increasingly difficult to crack.
Apple has made changes that affect the way developers interact with the App Store. As of iOS 10, Apple now requires all apps to be signed by certificates that are remotely checked by Apple’s own servers; this new system allows Apple to quickly revoke any certificate of known malicious apps.
iOS 10 does something very important for users: when a user joins a wireless network that doesn’t require a password, they are given a warning that the network in question offers no security and can expose the user’s data to others on the network.
It’s clear that Apple and Google must place security front and center in upcoming releases. Data integrity and security have become paramount to a successful mobile experience, so both companies must continue the evolution of their platforms with security in mind.