Apple has lifted some of its earlier restrictions but maintains a vigorous vetting process for its apps. Developers submitting apps for the company’s App Store must pay $100 annually for a developer’s license and may be subject to additional questions about their identity. Assuming a developer passes that initial screening, his or her app then requires Apple’s approval to appear in its App Store. More likely the company would find and snuff out a malicious app before it had a chance to do any damage, Miller says.
There are fewer barriers, in this context, when targeting PCs. “An attacker [could instead] write Windows malware, and the only thing they really have to worry about is antivirus blocking it,” Miller says. “If Apple figures out what the [malware developer] is up to, the company revokes that person’s developer’s license, and in addition to not successfully infecting any smartphones, they’re out $100. If an attacker has a limited amount of time and money, it makes more sense for them to continue attacking PCs.”
If an attacker opts instead to mimic “drive-by” malware that has been successful in infecting PCs via Web browsing, success is likely to be limited by the way many smartphones and tablets are designed. Apple’s devices, in particular, have several features to keep malware from spreading, Miller says. One such feature Apple has added to more recent versions of iOS—called “sandboxing”—partitions different parts of the mobile device so a problem in one area, such as an attack against the mobile browser, will not spread to the rest of the device. “An attacker would need one vulnerability to get onto the phone and then a second one to break out of the sandbox,” he adds.
The Android way
Despite Apple’s popularity and high profile, more than 470 million Android handsets were sold in 2012. By 2017 this number is expected to grow to more than 1 billion, giving the platform a 67-percent share of the smartphone market, according to research firm Canalys. The researchers project Apple will own about 14 percent of the market in 2017.
“Android is a very secure operating system—if you keep it up to date,” Miller says. “This is not always possible, especially if device makers don’t support the most current versions of the operating system.”
As people start using their smartphones and tablets instead of their PCs to do online banking and purchasing, mobile devices become more appealing targets for attackers, Miller acknowledges. Likewise, if PCs become more secure, attackers are likely to direct their efforts toward mobile.
One of the best protections against mobile malware and attacks is to keep all smartphone and tablet software up to date. It is important to be vigilant and question any app making strange or superfluous requests to access data on your device. “It’s very easy to write an app for Android, for example, that asks for tons of permissions, such as sending text messages even when the app doesn’t need to do this,” Miller says.
The Electronic Privacy Information Center (EPIC) recently filed a complaint with the U.S. Federal Trade Commission over an Android smartphone app conceived by Samsung and Jay-Z to promote the performer’s latest album. The complaint claims, among other things, that Samsung “collected data unnecessary to the functioning of the Magna Carta App.” The app requested permission to access the phone’s call log as well as modify or delete contents of the phone’s USB storage.
Before adding any app, look at the permissions it is requesting. Your device will be much more secure if you resist the urge to install suspicious software.