Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security
January: The Spectre and Meltdown CPU design flaws exist in most Intel CPUs produced since 1995, alongside a number of AMD and ARM processors. The hardware issues caused heartache for hardware designers and vendors alike, and Apple later confirmed that iPhones were vulnerable to exploit.
The vulnerabilities can result in the leak of sensitive information.
April: A new attack was revealed which impacts the iOS ecosystem. Dubbed Trustjacking by researchers, the bug is present in the iTunes Wi-Fi sync function of mobile devices and can be exploited to gain persistent control over a victim's device.
After Symantec revealed the exploit to Apple, the iPad and iPhone maker added a mechanism which requires users to enter their passcode when choosing to authorize and trust a computer, effectively removing the main trigger for the attack.
Android on the RAMPage
June: A variant of Rowhammer known as RAMPage is an Android exploit which affects devices from Ice Cream Sandwich (4.0) to the present day. Previous patches have done little to resolve the hardware problem, which can be exploited against DRAM memory and cause information leaks.
The attack is difficult to perform on end-user devices. A fix developed to patch the problem, called GuardION, is yet to be implemented due to potential Android performance issues caused by implementing the system.
Android API breaking bug
August: A vulnerability in the Android operating system's communication management programming allowed rogue, malicious apps to eavesdrop on broadcast information including Wi-Fi network names, BSSID, local IP addresses, DNS server data, and MAC addresses, and also permitted attackers to track smartphone users covertly.
The vulnerability has been patched in modern versions of Android. However, devices running Android versions before 9 Pie cannot be patched as it would be "API breaking," according to Google.
Severe Android vulnerabilities, off the shelf
August: Researchers uncovered 25 Android smartphone models which, at the time of purchase, contained a slew of vulnerabilities which may expose the user to attack. The team found everything from minimal risk issues to critical vulnerabilities in pre-installed apps and firmware.
The bugs were varied and, according to Kryptowire, RiskTool apps, Trojan droppers, and advertising apps were the most common. In total, 38 different vulnerabilities in pre-loaded applications and the firmware builds of 25 Android handsets were discovered.
Vendors affected, including LG, Essential, and Asus, rapidly deployed OTA updates to resolve the security issue.
August: A novel attack technique was found that could be used to eavesdrop on user data, hijack sessions, and crash Android devices. Known as a Man-in-The-Disk (MiTD) attack, the exploit takes advantage of sloppy storage protocols used by mobile applications.
As the technique can be used against countless third-party Android apps, users are vulnerable to attack if they happen to download a vulnerable app.
Blueborne, a year on
September: Blueborne, a vulnerability which impacts the majority of devices which utilize the Bluetooth protocol -- including all manner of smartphones and laptops -- was uncovered in 2017.
In the most extreme cases, the Bluetooth bugs can be used to hijack and gain control of a vulnerable device running Android, Windows, Linux, or iOS before version 10.
However, a year later, two billion devices are estimated as still vulnerable to exploit through a lack of patches. The researchers say that devices remain unpatched because "users haven't updated them, or because they won't receive updates at all." In the latter case, this is often due to the use of aging, legacy machines which will not be fixed.
CSS code crashes iPhones
September: A researcher found a vulnerability in the WebKit rendering engine -- used by Safari on iPhones and iPads -- which could be exploited with simple, crafted CSS code. If a victim clicked on a link containing the code, the device would crash.
It is possible that the attack is widespread enough to crash any app capable of loading a web page.
Apple is currently investigating the issue.
Exploiting Apple's Mobile Device Management (MDM)
September: Apple's Mobile Device Management (MDM) is used to enroll iOS devices under one management server in enterprise networks. Researchers found a vulnerability in the Device Enrollment Program of the system which, if exploited, can result in a bypass of the authentication step in order to enroll potentially malicious devices in a network.
IT admins have to go through a lengthy series of steps to mitigate the issue, for which Apple is yet to release a fix.
iPhone photos compromised
October: A severe bug in Apple iOS VoiceOver permitted threat actors to perform a lock screen bypass and gain access to stored photos without knowing the handset's passcode.
However, the attack chain in question does require a threat actor to have physical access to a target device. A phone call is made and Siri must be asked to turn on VoiceOver. At the same time, the camera icon has to be tapped in order to illegitimately gain access to what should be a secure image library.
The vulnerability is present in iOS 12.0.1. However, the bug can be mitigated by removing Siri lock screen access under Settings.