The iPhone’s Big Security Flaw

Welcome to the bigtime, iPhone. You’re now subject to the same nasty malware as everyone else. What changed is that a Silicon Valley security firm, Palo Alto Networks, came across malware called Wirelurker that targets iOS devices, according to a report in The Verge.

The attack, for the moment, begins with unauthorized Chinese apps and moves onto iOS devices when they are connected via USB, whether for charging or data sync. But the more immediate payments impact is on jailbroken phones, which are often found in retail IT environments.

“The actual payload for non-jailbroken phones was just a test balloon, side-loading a comic book app to prove the attack really worked. Jailbroken phones got a nastier payload, infecting payment apps,” the story said, adding that Apple last week blocked the apps: “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.”

The story pointed out that one of Apple’s strongest malware defenses has been its rigidly controlled App Store. “If a piece of software isn’t signed as approved by Apple, it can’t run on an iPhone, which is enough to stop most viruses in their tracks. Jailbreaking erases these protections, which is why jailbroken phones are more exposed. But Wirelurker exploited an exception to that rule, built in to allow businesses to install their own software without going through the exhaustive App Store approval process. It’s called enterprise provisioning and it’s basically an official ID that lets third-party apps onto iOS devices. It’s hard to get one of those IDs — only large, established companies are able to register — but as Wirelurker proved, you can always forge one. When Wirelurker delivered its payload, it used phony credentials to mark the new software as enterprise provisioned. That’s the iOS equivalent of flashing a fake FBI badge to get through airport security. Apple can disable the specific credentials that Wirelurker used, but the next generation of malware may try the same trick again with a better forgery or even hijack real credentials. And since any iPhone can install enterprise software, every iPhone is potentially vulnerable to the trick.”
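The “official ID” the story describes is, in practice, a signed provisioning profile (a `.mobileprovision` file) embedded in the app. For a fleet or retail IT team, the defensive move is to inventory those profiles and flag the ones that grant enterprise-wide installation from a team you do not recognize. The script below is an added example, not code from the article or from The Verge: it extracts the plist payload from a profile, reads the fields Apple puts there (`ProvisionsAllDevices`, `TeamIdentifier`, `ExpirationDate`, `Entitlements`), and reports whether the profile matches an allowlist of your own team identifiers. The sample profile, its team identifier and UUID are constructed for the example; the allowlist is an assumption you would replace with your organization’s real team IDs.

```python
"""Triage iOS provisioning profiles for enterprise (in-house) distribution.

Added example for this article; it is not The Verge's or Apple's code.
A .mobileprovision file is a CMS (PKCS#7) signed blob wrapping an XML plist.
Enterprise profiles carry ProvisionsAllDevices=true, which is what lets an app
install on any iPhone without App Store review. This script pulls the plist
out by locating its XML markers (a common tooling heuristic), parses it, and
compares it against a team allowlist. Signature verification is a separate
step: `openssl smime -inform der -verify -noverify -in app.mobileprovision`
prints the payload, and dropping -noverify checks the chain against a CA file.
"""
import plistlib
from datetime import datetime, timezone

# Constructed sample: the plist body as it sits inside a real profile, with
# made-up bytes standing in for the CMS wrapper. TeamIdentifier and UUID are
# invented values, not real Apple-issued identifiers.
SAMPLE_PROFILE = b"""\x30\x82\x00\x00-constructed-cms-header-bytes
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key><string>In-House Comics</string>
    <key>TeamName</key><string>Example Corp</string>
    <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
    <key>UUID</key><string>00000000-1111-2222-3333-444444444444</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.com.example.comics</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
constructed-trailing-signature-bytes\x02\x03"""

# Assumed allowlist: the team identifiers your own enterprise program uses.
ALLOWED_TEAMS = {"ABCDE12345"}


def extract_plist(raw: bytes) -> dict:
    """Return the plist dictionary embedded in a (signed) provisioning profile."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def triage_profile(profile: dict, allowed_teams: set, now: datetime = None) -> dict:
    """Flag profiles that grant fleet-wide installation from unknown teams.

    plistlib yields naive UTC datetimes, so `now` is kept naive as well.
    """
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    teams = set(profile.get("TeamIdentifier", []))
    entitlements = profile.get("Entitlements", {})
    findings = []

    # ProvisionsAllDevices is the enterprise (in-house) marker the story describes.
    enterprise = bool(profile.get("ProvisionsAllDevices"))
    if not teams & allowed_teams:
        findings.append(f"team {sorted(teams)} is not on the allowlist")

    expires = profile.get("ExpirationDate")
    if expires is None or expires <= now:
        findings.append("profile is expired or has no expiration date")

    # get-task-allow marks a debuggable build; it should not ship to a fleet.
    if entitlements.get("get-task-allow"):
        findings.append("get-task-allow is set (debuggable build)")

    # The application-identifier prefix must be one of the profile's own teams.
    app_id = entitlements.get("application-identifier", "")
    if app_id and not any(app_id.startswith(t + ".") for t in teams):
        findings.append("application-identifier prefix does not match TeamIdentifier")

    return {
        "name": profile.get("Name"),
        "uuid": profile.get("UUID"),
        "teams": sorted(teams),
        "enterprise": enterprise,
        "findings": findings,
        "accept": not findings,
    }


if __name__ == "__main__":
    report = triage_profile(extract_plist(SAMPLE_PROFILE), ALLOWED_TEAMS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against every `embedded.mobileprovision` pulled from the apps on a managed device, with the allowlist set to your own team identifiers; any enterprise profile that fails the allowlist check is exactly the case the story warns about, an app signed for fleet-wide installation by a team you never approved. Revocation by Apple will eventually stop a forged profile from launching, but the allowlist check catches it at inventory time rather than after the fact.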

The story argued that this loophole will hurt more as the growing popularity of iPhones pushes them deeper into enterprise app development. “Allowing businesses to develop custom software has opened up a vast and lucrative market for Apple. But that success also makes it unlikely that Apple will be able to close the enterprise loophole entirely. To do so would mean endangering tens of millions of dollars in business over what can still be viewed as a fairly minor bug,” the story said.