Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

1 of 10
  • Meltdown, Spectre

    Meltdown, Spectre

    January: The Spectre and Meltdown CPU design flaws exist in most Intel CPUs produced since 1995, alongside a number of AMD and ARM processors. The hardware issues caused heartache for hardware designers and vendors alike, and Apple later confirmed that iPhones were vulnerable to exploit.

    The vulnerabilities can result in the leak of sensitive information.

    While patches were quickly issued to resolve the flaw in any device utilizing a CPU, performance is often impacted. Hardware fixes have also been implemented for future processors.

    Caption by: Charlie Osborne

  • iOS Trustjacking

    iOS Trustjacking

    April: A new attack was revealed which impacts the iOS ecosystem. Dubbed Trustjacking by researchers, the bug is present in the iTunes Wi-Fi sync function of mobile devices and can be exploited to gain persistent control over a victim's device.

    After Symantec revealed the exploit to Apple, the iPad and iPhone maker added a mechanism which requires users to enter their passcode when choosing to authorize and trust a computer, effectively removing the main trigger for the attack.

    Caption by: Charlie Osborne

  • Android on the RAMPage

    Android on the RAMPage

    June: A variant of Rowhammer known as RAMPage is an Android exploit which affects devices from Ice Cream Sandwich (4.0) to the present day. Previous patches have done little to resolve the hardware problem, which can be exploited to DRAM memory and cause information leaks.

    The attack is difficult to perform on end-user devices. A fix developed to patch the problem, called GuardION, is yet to be implemented due to potential Android performance issues caused by implementing the system.

    Caption by: Charlie Osborne

  • Android API breaking bug

    Android API breaking bug

    August: A vulnerability in the Android operating system's communication management programming allowed rogue, malicious apps to eavesdrop on broadcast information including Wi-Fi network names, BSSID, local IP addresses, DNS server data, and MAC addresses, and also permitted attackers to track smartphone users covertly.

    The vulnerability has been patched in modern versions of Android. However, devices running Android versions before 9 Pie cannot not be patched as it would be "API breaking," according to Google.

    Caption by: Charlie Osborne

  • Severe Android vulnerabilities, off the shelf

    Severe Android vulnerabilities, off the shelf

    August: Researchers uncovered 25 Android smartphone models which, at the time of purchase, contained a slew of vulnerabilities which may expose the user to attack. The team found everything from minimal risk issues to critical vulnerabilities in pre-installed apps and firmware.

    The bugs were varied and according to Kryptowire, RiskTool apps, Trojan droppers, and advertising apps were the most common. In total, 38 different vulnerabilities in pre-loaded applications and the firmware builds of 25 Android handsets were discovered.

    Vendors affected, including LG, Essential, and Asus, rapidly deployed OTA updates to resolve the security issue.

    Caption by: Charlie Osborne

  • The Man-in-The-Disk

    The Man-in-The-Disk

    August: A novel attack technique was found that could be used to eavesdrop on user data, hijack sessions, and crash Android devices. Known as a Man-in-The-Disk (MiTD) attack, the exploit takes advantage of sloppy storage protocols used by mobile applications.

    As the technique can be used against countless third-party Android apps, users are vulnerable to attack if they happen to download a vulnerable app.

    Caption by: Charlie Osborne

  • Blueborne, a year on

    Blueborne, a year on

    September: A vulnerability which is known as Blueborne which impacts the majority of devices which utilize the Bluetooth protocol -- including all manner of smartphones and laptops -- was uncovered in 2017.

    In the most extreme cases, the Bluetooth bugs can be used to hijack and gain control of a vulnerable device running the Android, Windows, Linux, and iOS before version 10 systems.

    However, a year later, two billion devices are estimated as still vulnerable to exploit through a lack of patches. The researchers say that devices remain unpatched because "users haven't updated them, or because they won't receive updates at all." In the latter case, this is often due to the use of aging, legacy machines which will not be fixed.

    Caption by: Charlie Osborne

  • CSS code crashes iPhones

    CSS code crashes iPhones

    September: A researcher found a vulnerability in the WebKit rendering engine -- used by Safari on iPhones and iPads -- which could be exploited with simple, crafted CSS code. If a victim clicked on a link containing the code, the device would crash.

    It is possible that the attack is widespread enough to crash any app capable of loading a web page.

    Apple is currently investigating the issue.

    Caption by: Charlie Osborne

  • Exploiting Apple's Mobile Device Management (MDM)

    Exploiting Apple's Mobile Device Management (MDM)

    September: Apple's Mobile Device Management (MDM) is used to enroll iOS devices under one management server in enterprise networks. Researchers found a vulnerability in the Device Enrollment Program of the system which, if exploited, can result in a bypass of the authentication step in order to enroll potentially malicious devices in a network.

    IT admins have to go through a lengthy amount of steps to mitigate the issue, of which Apple is yet to release a fix for.

    Caption by: Charlie Osborne

  • iPhone photos compromised

    iPhone photos compromised

    October: A severe bug in Apple iOS VoiceOver permitted threat actors to perform a lock screen bypass and gain access to stored photos without knowing the handset's passcode.

    However, the attack chain in question does require a threat actor to have physical access to a target device. A phone call is made and Siri must be asked to turn on Voiceover. At the same time, the camera icon has to be tapped in order to illegitimately gain access to what should be a secure image library.

    The vulnerability is present in iOS 12.0.1. However, the bug can be mitigated by removing Siri lock screen access under Settings.

    Caption by: Charlie Osborne

1 of 10

Bypassing passcodes, malware-laden apps, and inherent design flaws exposing almost all known mobile devices made up part of the security problems found in iOS and Android.

Read More Read Less

Meltdown, Spectre

January: The Spectre and Meltdown CPU design flaws exist in most Intel CPUs produced since 1995, alongside a number of AMD and ARM processors. The hardware issues caused heartache for hardware designers and vendors alike, and Apple later confirmed that iPhones were vulnerable to exploit.

The vulnerabilities can result in the leak of sensitive information.

While patches were quickly issued to resolve the flaw in any device utilizing a CPU, performance is often impacted. Hardware fixes have also been implemented for future processors.

Caption by: Charlie Osborne

1 of 10

Related Topics:

Security Mobility Security TV Data Management CXO Data Centers

Related Galleries

    • 1 of 3