Back in July I wrote a post about how the various mobile platforms ranked in terms of recorded OS vulnerabilities. I think most of us were surprised to see iOS as number one. After all, we’re constantly told how insecure Android is. Of course, we’re also always told that iOS is the best platform. For those that don’t remember, and don’t want to click the link, BlackBerry has had 15 across its entire range of products and services, Google’s Android (yes, just the phone OS) has 54, and Apple’s golden child iOS (again, this is just the phone OS) has an astounding 518! Is iOS as safe as we’re told? Well, at nearly tenfold the vulnerabilities of Android, the answer is a resounding no!
But it’s all about the apps, right? That’s certainly what Apple would have you believe. Of course, they may be changing the tune of their song soon. Checkmarx and AppSec Labs have released a report in which they tested hundreds of apps from the Google Play Store and the Apple App Store for vulnerabilities. And once again, the oldest OS on the block, iOS, was a clear loser.
Let’s look at some interesting findings from the report. Apps were tested for security vulnerabilities, and these vulnerabilities were then rated for severity. Of the iOS app vulnerabilities, 40% were ranked critical or high severity. Android came in with 36% of its vulnerabilities ranking as critical or high severity. Granted, it’s a small difference, but it is a difference, and when combined with the ridiculous number of recorded vulnerabilities in the actual operating system of iOS, it starts getting frightening. Well, frightening if you’re an iPhone user. The most common vulnerability found amongst all the apps, accounting for 27% of the vulnerabilities, was leakage of personal information. Next up, at 23%, were authentication and authorization issues.
But of course, just because there are vulnerabilities, it doesn’t mean that they’re being exploited, does it? Of course not.
Just this week, a very popular app, InstaAgent, has been pulled from both Google Play and the Apple App Store. The app had been collecting people’s sign-in information, storing it in plain text, and sending this information to an unknown server. Not only that, the app was posting to people’s timelines on its own. The app was extremely popular on both app stores and had even reached the top spot on the Apple App Store. In keeping with the common theme, Google pulled the app from Google Play immediately once the threat was discovered. Apple, however, did not. The app is gone now, but Apple was very slow in responding.
Perhaps their batteries had died?