
Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

Bypassing passcodes, malware-laden apps, and inherent design flaws exposing almost all known mobile devices made up part of the security problems found in iOS and Android.
By Charlie Osborne, Contributing Writer
1 of 10 Charlie Osborne/ZDNET

Meltdown, Spectre

January: The Spectre and Meltdown CPU design flaws exist in most Intel CPUs produced since 1995, alongside a number of AMD and ARM processors. The hardware issues caused heartache for hardware designers and vendors alike, and Apple later confirmed that iPhones were vulnerable to exploit.

The vulnerabilities can result in the leak of sensitive information.

While patches were quickly issued to resolve the flaw in any device utilizing a CPU, performance is often impacted. Hardware fixes have also been implemented for future processors.


iOS Trustjacking

April: A new attack was revealed which impacts the iOS ecosystem. Dubbed Trustjacking by researchers, the bug is present in the iTunes Wi-Fi sync function of mobile devices and can be exploited to gain persistent control over a victim's device.

After Symantec revealed the exploit to Apple, the iPad and iPhone maker added a mechanism which requires users to enter their passcode when choosing to authorize and trust a computer, effectively removing the main trigger for the attack.


Android on the RAMPage

June: A variant of Rowhammer known as RAMPage is an Android exploit which affects devices from Ice Cream Sandwich (4.0) to the present day. Previous patches have done little to resolve the hardware problem, which can be exploited against DRAM memory to cause information leaks.

The attack is difficult to perform on end-user devices. A fix developed to patch the problem, called GuardION, is yet to be implemented due to potential Android performance issues caused by implementing the system.


Android API breaking bug

August: A vulnerability in the Android operating system's communication management programming allowed rogue, malicious apps to eavesdrop on broadcast information including Wi-Fi network names, BSSID, local IP addresses, DNS server data, and MAC addresses, and also permitted attackers to track smartphone users covertly.

The vulnerability has been patched in modern versions of Android. However, devices running Android versions before 9 Pie cannot be patched as it would be "API breaking," according to Google.


Severe Android vulnerabilities, off the shelf

August: Researchers uncovered 25 Android smartphone models which, at the time of purchase, contained a slew of vulnerabilities which may expose the user to attack. The team found everything from minimal risk issues to critical vulnerabilities in pre-installed apps and firmware.

The bugs were varied and, according to Kryptowire, RiskTool apps, Trojan droppers, and advertising apps were the most common. In total, 38 different vulnerabilities in pre-loaded applications and the firmware builds of 25 Android handsets were discovered.

Vendors affected, including LG, Essential, and Asus, rapidly deployed OTA updates to resolve the security issue.


The Man-in-The-Disk

August: A novel attack technique was found that could be used to eavesdrop on user data, hijack sessions, and crash Android devices. Known as a Man-in-The-Disk (MiTD) attack, the exploit takes advantage of sloppy storage protocols used by mobile applications.

As the technique can be used against countless third-party Android apps, users are vulnerable to attack if they happen to download a vulnerable app.


Blueborne, a year on

September: A vulnerability known as Blueborne, which impacts the majority of devices that use the Bluetooth protocol -- including all manner of smartphones and laptops -- was uncovered in 2017.

In the most extreme cases, the Bluetooth bugs can be used to hijack and gain control of a vulnerable device running Android, Windows, Linux, or iOS before version 10.

However, a year later, two billion devices are estimated as still vulnerable to exploit through a lack of patches. The researchers say that devices remain unpatched because "users haven't updated them, or because they won't receive updates at all." In the latter case, this is often due to the use of aging, legacy machines which will not be fixed.


CSS code crashes iPhones

September: A researcher found a vulnerability in the WebKit rendering engine -- used by Safari on iPhones and iPads -- which could be exploited with simple, crafted CSS code. If a victim clicked on a link containing the code, the device would crash.

It is possible that the attack is widespread enough to crash any app capable of loading a web page.

Apple is currently investigating the issue.


Exploiting Apple's Mobile Device Management (MDM)

September: Apple's Mobile Device Management (MDM) is used to enroll iOS devices under one management server in enterprise networks. Researchers found a vulnerability in the Device Enrollment Program of the system which, if exploited, can result in a bypass of the authentication step in order to enroll potentially malicious devices in a network.

IT admins have to go through a lengthy series of steps to mitigate the issue, for which Apple is yet to release a fix.


iPhone photos compromised

October: A severe bug in Apple iOS VoiceOver permitted threat actors to perform a lock screen bypass and gain access to stored photos without knowing the handset's passcode.

However, the attack chain in question does require a threat actor to have physical access to a target device. A phone call is made and Siri must be asked to turn on VoiceOver. At the same time, the camera icon has to be tapped in order to illegitimately gain access to what should be a secure image library.

The vulnerability is present in iOS 12.0.1. However, the bug can be mitigated by removing Siri lock screen access under Settings.
