Study into the Implications of Smartphone Operating System Security
Study into the Implications of Smartphone Operating System Security
Study into the Implications of Smartphone Operating System Security
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Study</strong> <strong>into</strong> <strong>the</strong> implications <strong>of</strong> <strong>Smartphone</strong> operating system security<br />
The figures from security vendors operating in <strong>the</strong> anti-virus sector rarely rarely give an<br />
indication on actual infection rates, e.g. how many <strong>Smartphone</strong> are actually being infected<br />
by malware. A study by Georgia Tech University in <strong>the</strong> USA that used a machine learning<br />
technique called Multiple Correspondence Analysis (MCA) in an attempt to get to a “ground<br />
truth” about how pervasive mobile malware found “little evidence <strong>of</strong> significant malware<br />
infection in <strong>the</strong> mobile world.” 74<br />
It is Goode Intelligence’s belief that allthough mobile malware is effecting UK <strong>Smartphone</strong><br />
users, <strong>the</strong> numbers <strong>of</strong> UK <strong>Smartphone</strong>’s that have been infected remian low.<br />
Apple iOS<br />
According to Symantec’s Darren Gale “Apple is getting proactive in its vulnerability<br />
management approach”.<br />
Goode Intelligence believes that Apple does <strong>of</strong>fer a comprehensive approach to vulnerability<br />
management that is linked to an effective operating system security update process.<br />
Goode Intelligence discovered 179 unique CVE entries whilst performing a search on ‘Apple<br />
iOS’ on <strong>the</strong> CVE vulnerability database. The latest CVE entry (CVE-2013-0974) was added<br />
on 10 January 2013 and was related to an iOS Safari vulnerability. 75 The first vulnerability<br />
(CVE-2010-1387) was recorded in April 2010 for vulnerability in JavaScriptCore in WebKit<br />
on iOS devices pre-version 4.<br />
Apple has stated that it does not <strong>of</strong>fer any large bounties to security researchers for<br />
disclosing iOS vulnerabilities. O<strong>the</strong>r vendors, including Google, do <strong>of</strong>fer a bounty scheme<br />
whereby cash will be <strong>of</strong>fered in return for disclosing vulnerabilities to <strong>the</strong>m.<br />
To report a security issue or vulnerability to Apple a generic email address, productsecurity@apple.com<br />
is used. The emails can be encrypted using Apple’s product security<br />
PGP key.<br />
Apple product security notifications are sent out via email, using <strong>the</strong> ‘security-announce’<br />
mailing list, or via a RSS feed<br />
To ensure that Apple security advisories are au<strong>the</strong>ntic Apple uses an ‘Apple Product<br />
<strong>Security</strong> PGP key’ to encrypt and sign.<br />
Apple works with <strong>the</strong> formal incident response community to distribute information on<br />
vulnerabilities and is a member <strong>of</strong> FIRST.<br />
Apple lists all <strong>of</strong> its platform (not just iOS) security updates on a central website that can be<br />
found here.<br />
There are no security specific Apple iOS s<strong>of</strong>tware updates but many releases will have fixes<br />
to known security vulnerabilities. For instance, in <strong>the</strong> recent iOS 6.1 release <strong>the</strong>re were<br />
74 RSA Blog: Detecting Mobile Malware - http://blogs.rsa.com/detecting-mobile-malware/<br />
75 You can find <strong>the</strong> CVE entry here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0974<br />
Goode Intelligence © 2013 P a g e | 82 www.goodeintelligence.com
Change language