The iPhone Just Lost Its Perfect Security Record — Now What?

For most of the iPhone’s lifespan, it’s been effectively immune to malware. There were theoretical attacks and viruses targeting jailbroken phones, but thanks to the tight controls of the App Store, finding iOS malware in the wild has been nearly impossible. If you didn’t jailbreak your phone and you weren’t targeted by the NSA, you simply didn’t have to worry about catching a virus.

Yesterday, that changed. A security firm called Palo Alto Networks discovered a malware program they’re calling Wirelurker, which sneaks into computers through unauthorized Chinese apps, then attacks iOS devices when they connect over USB. It’s an obscure line of attack (when’s the last time you actually plugged your iPhone into your computer?), confined to China, and so far the effects have been minimal. The actual payload for non-jailbroken phones was just a test balloon, side-loading a comic book app to prove the attack really worked. Jailbroken phones got a nastier payload, infecting payment apps, but that’s to be expected. Last night, Apple blocked the apps, saying “We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.” Less than 24 hours after Palo Alto Networks published its report, Wirelurker appears to be mostly wiped out.

Still, that doesn’t mean Apple is completely in the clear. The vulnerabilities exploited by Wirelurker will be around for much longer, and could pose a serious threat to Apple’s otherwise spotless record. Now that the platform has had its first real virus scare, there’s reason to think it won’t be the last. “From a broad perspective, the ecosystem is still in pretty good shape,” says Ryan Olson, an intelligence director at Palo Alto Networks, “but this is the first door we’ve seen opening into the iOS world.”

The iPhone’s biggest protection against viruses is the App Store. If a piece of software isn’t signed as approved by Apple, it can’t run on an iPhone, which is enough to stop most viruses in their tracks. (Jailbreaking erases these protections, which is why jailbroken phones are more exposed.) But Wirelurker exploited an exception to that rule, built in to allow businesses to install their own software without going through the exhaustive App Store approval process. It’s called “enterprise provisioning,” and it’s basically an official ID that lets third-party apps onto iOS devices.

It’s hard to get one of those IDs — only large, established companies are able to register — but as Wirelurker proved, you can always forge one. When Wirelurker delivered its payload, it used phony credentials to mark the new software as enterprise provisioned. That’s the iOS equivalent of flashing a fake FBI badge to get through airport security. Apple can disable the specific credentials that Wirelurker used, but the next generation of malware may try the same trick again with a better forgery or even hijack real credentials. And since any iPhone can install enterprise software, every iPhone is potentially vulnerable to the trick.

It’s not a loophole that many had thought about, and it could be a tricky one to close. Businesses buy a lot of iPhones for internal use, and allowing businesses to develop custom software has opened up a vast and lucrative market for Apple. But that success also makes it unlikely that Apple will be able to close the enterprise loophole entirely. To do so would mean endangering tens of millions of dollars in business over what can still be viewed as a fairly minor bug.

Still, now that the enterprise attack has gone public, the next exploit may not be so minor. Olson says he’s worried the next wave of attacks will target businesses with legitimate enterprise certificates, using those certificates to spread malware without the company’s knowledge. “I don’t think they’re going to be able to roll out an update and just fix it,” Olson says. “They’ll be able to shut down Wirelurker, but the door is open for enterprise applications to install their own software, and that’s not going away.”

There are still other options for fixing the vulnerability. iOS security researcher Jonathan Zdziarski says he’d like to see a “non-enterprise” mode for iPhones, since only a tiny fraction of devices will ever need the enterprise side-loading features. Apple could also encrypt devices’ pair records, which would give connected computers less of a view into device activity. On the more technical side, Apple could use the iPhone’s secure elementto validate applications, giving apps the same level of security as a user’s banking information. It still remains to be seen how much Apple will want to change as a result of the Wirelurker, but if the company decides to tighten up, there are plenty of ways to do it.

If Apple hasn’t looked at these options before, it’s because it’s never had to. While Android has struggled with waves of malware and piracy, the App Store has kept iOS spotless. Centrally certified software is a genuinely effective way to stop viruses, and with the App Store model in place, there’s no reason Apple couldn’t keep its perfect record. If cracks are showing, it’s only because selling iPhones to businesses was too attractive to pass up. It’s a question of politics rather than code: how much virus risk is Apple willing to tolerate to keep its enterprise business safe?

I Write Things.