A little over a month ago,
Apple
‘s
iPhone
celebrated its tenth birthday. The
iPhone
has been one of the biggest commercial success stories ever, but it has also been a great success from a security point of view: malware targeting its
iOS
operating system remains extremely rare.
iPhone is 10 years old today. After 10 years, not a single serious malware case. It’s not just luck; we need to congratulate Apple on this.
— Mikko Hypponen (@mikko)
June 28, 2017
Malware for
iOS
is not completely non-existent: for example, at VB2014 a group of
FireEye
researchers presented a
paper
in which they demonstrated how the
iOS
Developer Enterprise Program could be used to install malware; something which was used shortly afterwards by
WireLurker
. However, in the rare cases
iOS
malware is found, it often requires the phone to be jailbroken;
AdThief
is a good example of that.
Apple
dedicates a lot of resources to making its operating systems secure, but the main reason for the lack of malware is likely to be its tightly controlled
App Store
, which protects users against the biggest threat: themselves. Whether it is through opening malicious links sent via email or by installing free versions of paid-for apps, it is almost always a human mistake (understandable as they often are) that leads to an infection.
The
App Store
makes it almost impossible for such a mistake to lead to malware being installed. For this reason,
iPhones
are often recommended to those whose threat models include powerful adversaries, for example journalists and activists.
I was thus disappointed to learn that
Apple
has
removed
all VPN apps from its Chinese
App Store
. Though many VPN apps have issues themselves, they do offer extra protection against various threats – and not just the threat of the government finding out you’re doing something they don’t approve of.
I am aware that it is easy for me to criticize
Apple
: the company says it had no choice but to comply with Chinese law. Failing to do so could have jeopardized the company’s Chinese market and thus could potentially have led to the job losses of thousands of
Apple
employees. The total removal of the
iPhone
from China wouldn’t necessarily have made users better off.
Still, I would have liked for
Apple
to have taken a strong principled stand, like it did when the US government asked it to
unlock
the
iPhone
used by the San Bernardino shooter. Sadly, the company will soon have another opportunity to take such a stand: this weekend, Russian president Vladimir Putin
signed
a law that bans the use of VPNs in Russia.
Leave a Reply