What are today's most striking iOS security myths? Why do they still persist?
The biggest iOS security myth I've seen is that, because of Apple's "walled garden" approach and curation of its App Store, iOS devices are safe from all cyber attacks. On the contrary, both iOS and Android are vulnerable to multiple attack vectors, of which apps are only one subcategory. These attacks fall into three categories: rogue access points/base station attacks, network attacks (i.e., network recon scans, man-in-the-middle and SSL stripping techniques) and host attacks (i.e., browser attacks, malicious apps and PDFs, operating system/Kernel attacks).
Malicious apps are only one type of mobile threat, but receive more attention than they should. Serious, targeted attacks that enterprises face today don't involve apps - they're done using a different attack method. Network attacks are the most dangerous, as they require absolutely no interaction with the victim, who will get compromised without noticing anything abnormal.
Additional myths are that mobile antivirus, MDM or containerization adequately protect mobile devices. We've found time and time again that both iOS and Android devices running these solutions can be compromised.
What should iOS users be most worried about?
The threats that should worry iOS users most are network attacks that occur without them even knowing. Our phones go with us wherever we go, and many people want to always be connected, so they don't question the security of an airport's Wi-Fi or other so-called 'secured' networks. Even if users connect to a reputable source, a hacker on the same network can intercept their internet communication by performing a man-in-the-middle attack chained with a browser vulnerability.
These attacks can provide hackers with complete access to personal information including emails, passwords, messages and more.
What are the difficulties in exploring iOS security vs. "breaking" Android?
Apple's operating system restrictions make it challenging for security solutions to see threats. Both Google and Apple have sandboxes that restrict the extent of your inter-app communication and device-level controls, which limits your protection capabilities.
When building a solution for a mobile device, you don't have the same visibility you'd have on a PC, limiting security solutions' effectiveness to detect malicious attacks. Security apps can't use deep packet inspection, as it requires central operating system capabilities that apps just don't have, and using a signature-based approach means you don't have visibility to anything that's happening in other sandboxes. Mobile devices also present concerns with limited battery life, CPU and memory.
Additionally, some approaches like VPN, tunneling and cloud inspection just don't work. These days, device protection just can't be tied to cloud or Wi-Fi connectivity -- people need to be protected at all times, not just when they're online.
What advice would you give to a CISO managing a variety of iOS devices in a large organization?
My number one piece of advice would be to utilize an on-device security solution that protects against all of the malicious attack vectors I outlined above - including both known and unknown threats (meaning, one that doesn't rely on signatures). This will provide the additional protection organizations need that traditional MDM, network security and antivirus solutions do not address.