Six ways your iPhone or iPad could get p0wn3d: What to watch out for and how to stay safe

You may have heard that iPhones and iPads are safe from viruses and malware. But that doesn't mean you can't get hurt by hackers.
Written by David Gewirtz, Senior Contributing Editor

Earlier this week, a reader asked me on Twitter, "What type of security/virus app do you recommend for iPad Pro?" I gave her a tl;dr answer that fits in Twitter's 140-character limit with 135 characters to spare: "none."

It's true. You don't need to run an antivirus app on your iPad or iPhone. But just because you're using an iOS device, that doesn't mean you're automatically safe and secure.

Based on how iOS was designed, your iPhone and iPad have, for all intents and purposes, been inoculated against "catching" a virus or malware. But that doesn't mean you're automatically safe.

Think about it this way. While most of us have been inoculated against many terrible viruses that were prevalent in years past, our health is not guaranteed to be perfect. You might not be able to get sick from smallpox, but unless you're Joey Chestnut, if you wolf down a pile of hot dogs, odds are you'll be worshiping at the porcelain altar sometime soon.

In other words, no protection mechanism engineered by Apple or anyone else can fully protect us from our own stupidity.

Let's start with a basic, 30-second lesson about what malware and viruses are on computing devices. They're chunks of computer code that generally dig into your computer's system somewhere and then run behind the scenes, doing anything from logging keystrokes, to opening back doors, to searching for data, to participating in denial of service attacks.

Malware works because it's able to run on the victim machine, doing whatever the hackers design it to do. One type of malware is often called a virus because many malware strains have been able to move from machine to machine, infecting more and more devices.

Malware (mostly) can't run on an iOS device. There are two technical reasons for this. The first is that the only path for app installation (mostly) is via Apple's App Store. The company checks every application it distributes for, among other things, any form of malware.

Second, all applications are (mostly) sandboxed on iOS. What sandboxing means is that applications cannot communicate with each other (mostly) and can't (mostly) modify files, other applications, or the system itself.

This is not the case on Windows, MacOS, or Android. These operating systems allow programs outside their walled gardens, and so malware can propagate. This is, in part, why Microsoft just released Windows 10 S. The idea for Windows 10 S is to vastly reduce the number of applications that can run, and sandbox them so they can't be hacked. This is a good idea, except most Windows users are used to running whatever they want. Windows 10 S is off to a rocky start.

The iPhone and iPad's sandboxing has a much stronger track record. That's because users have become used to sandboxing. As soon as apps became available for the iPhone, they were locked in their own little execution space, and prevented from touching other apps. So while Windows users are pushing back (and few developers are offering Windows sandboxed apps), iOS users just happily use the millions of apps that are in the iOS App Store.

If you've been reading along, you may have noticed that I said "mostly" in a number of places when discussing the iOS security model. That's because there are ways to break out of that sandboxed protection. Here are six unsafe practices to watch out for.

#1 Unvetted developer releases

Developers can write and install their own applications and, for a limited number of users, those apps don't have to go through the App Store until they're widely distributed.

Developers need to test their apps, so they can run their test code on their own devices and on a limited number of volunteer tester machines.

There are enterprise implications of this, because if you have an in-house custom app that you don't distribute through the app store, a rogue programmer inside your organization could introduce limited-functionality malware without Apple's App Store vetting.

#2 Sideloading apps

Another way iOS users can bypass the sandboxed protections is by attempting to "sideload" apps. This is particularly prevalent on Android, but some iOS users also try to load apps from non-Apple stores.

One way hackers distribute malware is by tricking users into downloading free versions of apps that users would otherwise have to pay for. Apple does issue regular updates, so these exploits tend to live only very short lives.

#3 Jailbreaking

There's also jailbreaking, which is the practice of removing all the protections from the operating system in order to do something not permitted by the vendor.

This is a pretty fiddly process, and, as you might imagine, each OS upgrade plugs any holes that would allow for jailbreaking. Even so, iOS versions all the way up to the current iOS 10 have all been jailbroken.

Sadly, this is not a practice limited to just a few users. While it's almost impossible to get a full accounting of jailbreaking usage, Jay Freeman (aka "saurik," the creator of the Cydia alternate iOS app store) claims more than 30 million iOS devices have been jailbroken. Jailbreaking your phone is dangerous and stupid. Don't do it.

#4 Phishing and other web-based scams

As you've seen so far, while you don't need to install an antivirus app on your iPhone, it's still possible to hurt yourself. Using an iOS device also doesn't protect you against phishing attacks in which a scammer tries to get you to log into a fake (but real-looking) web page.

Your browser and email client will both try to protect you from scammers, but phishing is still very prevalent. Make sure you know what you're logging into.

#5 Wi-Fi man-in-the-middle attacks

iOS will also not natively protect your Wi-Fi connection. If you're at a coffee shop or in an airport and connect to public Wi-Fi, it's entirely possible your transmission might get intercepted.

To protect against man-in-the-middle attacks, either don't surf any site that needs a login or requires sensitive information, or use a VPN. I wrote a good tutorial about VPNs over on our sister site CNET a few months ago. Go read that to learn more about Wi-Fi security and VPNs.

#6 Fake antivirus apps on the App Store

Finally, let me be clear. If you see an antivirus app on the iOS App Store, don't install it.

Since viruses don't propagate on iOS devices and an app can't scan other apps (which is what antivirus programs do), any antivirus program you see promoted is likely to be suspect. You might even want to report it to Apple, so they can check it out and -- probably -- remove it from the app store.

Good luck and stay safe out there.
