An Explosive Spyware Report Shows the Limits of iOS Security

In fact, the Amnesty International researchers say they had an easier time finding indicators of compromise and investigating Apple devices targeted with Pegasus malware than those running stock Android.

“In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former,” the group wrote in a lengthy technical analysis of its findings on Pegasus. “As a result, most recent cases of confirmed Pegasus infections have involved iPhones.”

Some focus on Apple also stems from the company’s own emphasis on privacy and security in its product design and marketing.

“Apple is trying, but the problem is they aren’t trying as hard as their reputation would imply,” says Johns Hopkins University cryptographer Matthew Green.

Even with its more open approach, though, Google faces similar criticisms about the visibility security researchers can get into its mobile operating system.

“Android and iOS have different types of logs. It’s really hard to compare them,” says Zuk Avraham, CEO of the analysis group ZecOps and a longtime advocate of access to mobile system information. “Each one has an advantage, but they are both equally not sufficient and enable threat actors to hide.”

Apple and Google both appear hesitant to reveal more of the digital forensic sausage-making, though. And while most independent security researchers advocate for the shift, some also acknowledge that increased access to system telemetry would aid bad actors as well.

“While we understand that persistent logs would be more helpful for forensic uses such as the ones described by Amnesty International’s researchers, they also would be helpful to attackers,” a Google spokesperson said in a statement to WIRED. “We continually balance these different needs.”

Ivan Krstić, head of Apple security engineering and architecture, said in a statement that, “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

The trick is to strike the right balance: expose more system indicators to defenders without inadvertently making attackers' jobs much easier.

Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes, says he agrees that more insight into iOS would benefit user defenses. But he adds that allowing special, trusted monitoring software would come with real risks. He points out that there are already suspicious and potentially unwanted programs on macOS that antivirus can’t fully remove because the operating system endows them with this special type of system trust, potentially in error. The same problem of rogue system analysis tools would almost inevitably crop up on iOS as well.

“We also see nation-state malware all the time on desktop systems that gets discovered after several years of undetected deployment,” Reed adds. “And that’s on systems where there are already many different security solutions available. Many eyes looking for this malware is better than few. I just worry about what we’d have to trade for that visibility.”

The Pegasus Project, as the consortium of researchers calls the new findings, underscores the reality that Apple and Google are unlikely to solve the threat posed by private spyware vendors alone. The scale and reach of the potential Pegasus targeting indicates that a global ban on private spyware may be necessary.

www.wired.com