iPhones most 'vulnerable' among smartphones

iPhones most 'vulnerable' among smartphones

Summary: Cybercriminals are more motivated to find loopholes in iOS due to the popularity of Apple smartphones and the strictly controlled app store which do not easily allow the publishing of malicious apps to infect users, according to SourceFire exec.


More software vulnerabilities exist in iOS compared to the other operating systems, and a SourceFire executive said this is due to the iPhone's popularity, and Apple's strictly controlled app store which drives cybercriminals to find vulnerabilities in the operating system instead.

According to SourceFire's "25 Years of Vulnerabilities" study released in early March, which analyzed vulnerabilities from the Common Vulnerabilities and Exposures (CVE) data and National Vulnerability Database (NVD), the majority of mobile phone vulnerabilities have been found in Apple's iPhone. The database provides 25 years of information on vulnerabilities to assess, spanning from 1988.

210 vulnerabilities were found in Apple's smartphone, giving iOS 81 percent of the mobile phone vulnerability market share. This is more than the total number of vulnerabilities in Android-based, Windows-based and BlackBerry-based smartphones combined, at 19 percent.

iPhone takes the mobile phone vulnerability market share over the past 25 years (Source: SourceFire)


In an interview with ZDNet Asia, Yves Younan, senior research engineer at SourceFire's Vulnerabilities Research Team and author of the report, pointed out the finding was "surprising". It was also "interesting" as Apple has had significant CVE growth year over year, despite the operating system implementing more security features in subsequent iterations, he added.

Even though Android devices have topped the mobile phone operating system market share, iPhones are still popular among consumers, which is why cybercriminals are driven to find loopholes in the Apple's operating system, Younan explained.

With Android devices, cybercriminals see less reason to look for vulnerabilities to penetrate smartphones, he added. Android's open platform already easily opens up for third party and malicious apps to be easily created for users to download, he explained.

On the other hand, this cannot be done with the iOS store due to Apple's strict control of apps that are published. This is why cybercriminals are driven to find loopholes in the software system of Apple instead, he added.

As for Windows, the low number of vulnerabilities could be due to the fact it is not a popular operating system yet, Younan pointed out, but declined to comment on vulnerabilities in the BlackBerry operating system.

Enterprises must prepare for, tackle vulnerabilities

It was also found in the report the overall number of vulnerabilities with a high severity rating increased significantly until 2007, when it reached a high of 3,159. Since then, it tapered off and fell to 1760, despite more vulnerabilities being discovered in 2012.

What the study shows is vulnerabilities are here to stay, Younan noted.

Moving forward, enterprises must look at how to deal with them, and mitigate having a cyberattacker exploit the vulnerability, by installing mitigation on operating systems or using security products, he said.

"[Enterprises] should also plan for potential compromises including how they will rebuild and ensure the integrity of the data," Younan added.

Topics: Security, Apps, iPhone, Operating Systems

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I'm confused

    Vulnerabilities, or exploits?

    Also how do the exploits... Exploit? Is it through browser navigation, messaging, etc, or does it require access to the device?

    Mobile security is a mess. My android has more viruses than a lab rat, yet I've never found anything with my equity scan, and now my iPhone is full of vulnerabilities... But I have no idea how they may be exploited?

    Also what does market share have to do with vulnerabilities?? If windows has less vulnerabilities it is due to the coders not the shoppers? If they sell 100 million more phones, they don't create more vulnerabilities?!
    • Market share is motivation

      for the exploit writers to find and take advantage of vulnerabilities. The higher the market share the more people there are to take advantage of when you sell your exploit on the "hackers market". That is the principle reason there are so much malware for Windows PCs, they have the vast majority of the market (and therefore the most users to exploit).
      • Yes. But

        It doesn't increase vulnerabilities. That was kind of my point; that the article is too vague as to what the exploits actually are. Do they require jailbreaking, physical access to the device, or can they be exploited remotely? With android they have been more open; it's malware usually from 3rd party repos.

        It's the bacteria argument. There are more bacteria on your kitchen sponge than on your toilet seat. Well one toilet seat bacteria may kill you whilst all the sponge bacteria put together may give you a jippy tummy. Same deal here it isn't number but nature. More info is needed.

        If there are 200 exploits that let my iPhone give up all it's data without my say so just by browsing the web/receiving a text, I'll flush the blooming thing down the loo myself. If there are 200 exploits that can give an app advanced privileges on a jail broken device, I don't care as It's not jail broken.

        Same wit my android; a million or so malicious apps? Well I only get them from the play store and so far norton has never found a secret app ninja.
        • At the pown 2 own contest

          the devices are not jailbroken or rooted, but are fully patched and up to date. I believe that downloading is not allowed, but going to a "rigged" website is. In other words, the user does not do anything active to get infected, it must be passive. All of the handsets fall. The more a piece of software does (be useful) the more vulnerabilities it has. That doesn't mean there are exploits for all or even most of them.
          • PWN2OWN is Not About OS Vulnerabilities!

            It's about Browser Malware Vulnerabilities, not OS related Rootkits or Viruses. Every browser out now has gone to Sandboxing, like Google already had going from the start in Chrome Browser. On top of these Application/Runtime Security measures and Linux (being like BSD Unix based) Android now has NSA's Fully Security Enhanced OS Kernel (Level 6 Security) in SE Jelly Bean Android OS. First to meet this level of OS Security of all OS Platforms out today. Thanks no doubt to being Open Source!!!

            On Apple's iOS..... Apps now run sandboxed. Only after copying Android and Blackberry Operating System sandboxed services, runtime framework security. This has been why in the past Apple had to pay such close attention to vetting all Apps that are installed running like programs on Windows directly on top of the OS. Now Apple has finally enclosed even System Apps in a sandboxed runtime. App Developers could still take full advantage of any OS vulnerabilities to the OS Kernel itself though.
            Rather than like Android where Apps and Services have always run in a VM or sandboxed away from the OS.

            Even other Framework Services and W3C Web Widgets run in a sandbox on Android All totally isolated into virtual machine environments. So although they remain vulnerable to new holes in Apps or Malware Exploits, Google is also now vetting Android Apps too. Much like they are vetting videos on YouTube for Copyright Violations now. In fact Enterprise Level Apps are all continuously vetted through IBM's through dual remote security checks, like your Credit Card Transactions online!!!

            Remember the NSA wanted to originally write an SE kernel Apple's BSD based Kernel and Blackbery's OS kernel. But both Blackberry and Apple refused them Source Code Access for those Modification purposes. That's why DOD/NSA via GSA has only been acquiring Android Devices so far over other OS's the last two years. Though Apple, Microsoft and Blackberry have been working to raise the security of their Operating Systems to NSA Level 6, Android remains the only mobile OS to meet these complete OS kernel requirements to date.

            The DoD, NSA, GSA already has it's own Android App Market in place and sum 10 projects utilizing Motorola, SAMSUNG and General Dynamics Android Designed Mobile Devices (Tablets/Smartphones/etc) over the last two years. They also already have their own SE Linux Server Secure Hypertunneled Global Network (fully encrypted) up now! .....and only one project each running on SiPad and Blackberry 10 with a Windows 8 Tablet project in the works only recently!!!

            Again.... Apple misses the boat (at least with the Army, Navy, Air Force and Marines) trying to only imitate the NSA's own work on Open Source Linux. Google Android remains the only viable Security Enhanced Mobile Kernel on the Planet so far!!!
      • What?!

        Well, it may surprise you that Macs are actually more unsecure compared to Windows. I'm sure Jobs....er um...Tim can confirm that. Fact is Apple, Google, etc are rookies in these areas. RIM and Microsoft are more seasoned enterprise security companies even though Blackberries are no longer appealing and Windows Phone is not being properly marketed for all its features and enhanced security capabilities that are usually compromised by stupid plug-ins such as Java, etc. I am an ethical hacker and I know that it is easier to hack a Mac than an up-to-date Windows PC.
    • To be technical:

      Most "exploits", which is what they all are, really, take advantage of the one component that can't be engineered around. The user.

      Fool them into installing your "Fun New Game" and your in.

      Or, take advantage of another feature that App writers think "users" want, time and effort saving abilities for programs to download and run code as macros/scripts or Java or XML or what have you to "make the user experience more exciting". We, the "users", "demanded" such "helpful" features, you see.

      These do not require any wierd code tricks, buffer overrun or memory overwriting failures to operate. They take advantage of Flash ads that can do all sorts of things in order to "play a sound", "cause a visible object to move around the screen" or "play a video". Or, run a Java applet you don't even see.

      Ever hear of "Word Macro Viruses"?

      I don't know of many viruses that take advantage of the shortsighted old memory saving trick of allowing the possibility of "buffer overrun" in TCP/IP traffic in this day and age. Such holes should have been plugged long ago and shame on anyone still using such badly written code.

      More than enough damage can be done taking advantage of the "user" and all the "helpful" features that have been made available to "users".
  • Another security study

    Security companies don't stop making report after report, but always with a lack of clear evidence supporting their claims.
    It used to be android, now they are going after iOS. I suppose as iOS is gaining tractions inside enterprises, they are going after it now - it's where the smell of money is stronger.
    • Good point... Here are some suggestions.

      Yeah, perhaps. But the thing about Apple is that they patch the vulnerabilities when they're discovered, usually in a iOS Update.

      In the past 6 months, iOS has had 3 updates. Some people are still stuck on old versions of Android, because Samsung, HTC, Motorola, or whomever manufactured the device no longer supports it. This is more of an issue for those Android Customers than it is for iOS customers, I believe.

      Also, in a corporate environment, if platform standards are in-place, rogue apps can be removed by company administrators if administration teams require software tools like those from "Good Technology" or BoxTone.

      I was made aware of this when a network administrator at my company said I should install Norton Antivirus on my Android... It slowed the Android down. He said Norton wasn't needed on Apple.
      donald duck 313
      • Apple updates

        Apple is one of the slowest vendors to fix problems.
        Often they release updates that introduces new problems eg. exchange server calendar issues and wifi issues.
        When this happens and users want to rollback updates they cannot do it.
        Downgrading iOS is next to impossible.
  • Ironic

    Macs were never targeted, not because they were impenetrable, but because they were a niche market; iPhones are the big dog in mobile and now have the bulls-eye on their back.
    beau parisi
    • Ironic?

      First, Your entire argument is fallacious and falls apart due to the inaccuracy of the very first statement.
      Second, there is nothing "ironic" about it, even if it were true, which again, it is not.
  • Finally!

    A reason to consider WP8.

    "As for Windows, the low number of vulnerabilities could be due to the fact it is not a popular operating system yet"
    • Re: Finally!

      Also, considering this study uses data dated back to 25 years and on, I would guess the "Windows" vulnerabilities are mainly for previous releases (Windows CE/Mobile)
    • As long as you are adding words

      "As for Windows, the low number of vulnerabilities could be due to the fact it is not a popular operating system yet and never will be."
    • Re: A reason to consider WP8.

      But it runs the same kernel as the malware-infested Windows 8!
  • The entire article is illogical.

    The writer argues that the iPhone is more "vulnerable" yet clearly states that Android is far, far easier to exploit, making it the much more Vulnerable. This is a matter of using the wrong term for the intended meaning which is that the iPhone is the more "desirable" target, not the more Vulnerable one.

    The dating of the study is questionable too, as they are counting 'vulnerabilities' from 1988 to now with the highest number of 'vulnerabilities' coming only one year after the initial release of the iPhone and falling since.

    No, in all honesty the conclusions of this article simply don't make sense.
    • Typical Anti-Apple spin

      I see this constantly. All trying to turn a positive into a negative. I don't know what is behind it all, stock manipulation, competitor's dollars, or simply a way to get attention, who knows?
    • Re: yet clearly states that Android is far, far easier to exploit

      Where does it say that? I went through the entire article, but could not find any such statement. Perhaps you could point it out?

      Or is this just typical anti-Android spin?
    • iOS is the most dangerous platform behind MACs and Windows

      My friend, Android is much safer, you see what the apps can do....forget that with stealing iOS apps ;-)
      bit [dot] ly/RYzOPP

      "Apple iOS Apps Leak More Personal Info Than Android"
      "40% of iOS apps invade your privacy without permission, reveals app before getting pulled"