2019 was a brutal year for mobile security already1, and hopefully no more surprises linger around the corner in the remaining weeks of this year. I recognize now this topic dominated even this same newsletter and, in the best tradition of my ranty content, it featured mostly my own frustrations.
This week US security firm Trail of Bits released iVerify2, a tool to verify the integrity of an iPhone and harden it by guiding users through various configuration steps.
The app costs about 6 euros, and if you can afford it you might find worth trying it out. I am enjoying it. Regardless, its release provides me with a good opportunity to discuss some of its functionality and security recommendations for iPhone users, and explain their rationale.
iVerify leverages Trail of Bits’ commercial “iverify-core” library normally sold to app developers interested to check whether the phone is jailbroken or not. Banking apps, for example, often leverage such frameworks in order to prevent execution on potentially compromised devices. While the fine folks at Trail of Bits are widely respected experts in the field of cyber security, I can not attest to the comprehensiveness of its detection engine without some longer experimentation on the field. It is quite possible iVerify won’t catch the likes of NSO Group in all circumstances, but any clue of a potential compromise helps. Therefore, while you should not blindly trust a green tick labelling your phone as “Secure”, any warning message might be a good reason to worry.
What I found more interesting to discuss instead are the configuration options iVerify suggests in a collection of short step-by-step guides. There are many of them, some about privacy or device theft, and some about iOS security. I am going to concentrate on the latter.
Limit Software Exploits
The recommendations in this category are aimed at offering the best available configuration for your iPhone to reduce as much as possible the attack surface.
1. Enable Automatic Updates
This might seem the most obvious, falling behind on iOS releases can happen. Staying up-to-date with latest software updates turns you immediately into a slighlty harder target to attack. Make sure to have Automatic Updates enabled.
2. Disable AirDrop / Bluetooth / Personal Hotspot
With the aim to reduce my own attack surface, I tend to never use services such as AirDrop. Trail of Bits suggests to disable AirDrop too, particularly in light of past vulnerabilities3. Similarly, Bluetooth and Personal Hotspot are proximity network services that might offer potential entry points for attackers in the vicinities, if the exposed network stacks contain vulnerabilities.
4. Upgrade to A12 CPU or higher
As iVerify rightfully points out, newer iPhone generations come with some important exploit mitigations. Above all Pointer Authentication Codes (PAC), which is only available from the iPhone X series. In the previous newsletter I already addressed6 my concerns around the problematic unavailability of decently secure mobile devices in the lower/mid price range. Mitigations such as PAC, and the more to come in the future, can make a significant difference, but if you want to take advantage of this improvement you would need the financial resources to make a pricey upgrade.
5. Periodically reboot your device
Security measures in iOS increase the difficulty for attackers to maintain persistence over a compromised iPhone, even after a successful exploitation. Rumors I heard, and recent reports7, suggest that some threat groups are turning to opportunistic smash-and-grab attacks precisely to avoid dealing with obtaining a permanent installation of their malware. Periodically rebooting your device can help cleaning up leftovers and perhaps disabling an existing infection that is not able to survive it.
Review for signs of compromise
Recommendations in this section are rather basic, but unfortunately as much that is possible to a user. I discussed the difficulty of inspecting mobile devices for signs of a compromise in a previous newsletter.
8. Remove unknown devices from iCloud
You might have some older devices you no longer use connected to your iCloud account, or you might find devices you do not recognize at all. If your iCloud account was compromised, perhaps through phishing, attackers might connect a separate device to it in order to synchronize data and files you create. Removing8 your own unused devices from your account is also a good practice to exercise.
9. Look for suspicious Apple Profiles
In order to manage fleet of phones, enterprises often deploy Mobile Device Management (MDM) platforms. Through MDM, administrators are able to, among other things, monitor the location of the enrolled phones, enforce specific configurations, or install apps. Some threat groups have been found using social engineering to enroll targeted phones with malicious MDM servers under their control and use them, for example, to deploy malicious apps9. If an iPhone is enrolled with an MDM server, a profile should appear in the Settings. Checking those profiles, as suggested by iVerify, might reveal some you don’t recognize which you are able to remove.
The Network Security section only provides one recommendation to enable a particularly interesting feature iVerify has.
10. Safari Content Blocker
Safari allows developers to create Content Blocker extensions. Apps such as AdGuard leverages this to block advertisement networks and other unwanted web resources. iVerify uses this too, but to automatically redirect unencrypted HTTP visits to HTTPS, if supported by the website. If it doesn’t, iVerify’s Content Block will stop the insecure request and display a warning. You can test this by visiting www.neverssl.com with Safari.
While the general intent is to prevent accidental data leakage, especially over insecure networks (such as open Wi-Fis), this feature will also help mitigating network injection attacks such as those described in Amnesty’s “Morocco: Human Rights Defenders Targeted with NSO Group’s Spyware”5 report. Network injection allows attackers to programmatically hijack insecure HTTP connections to any website and redirect the target to an exploitation server which will attempt to compromise the iPhone through, for example, vulnerabilities in the Safari browser.
By blocking visits to HTTP sites, iVerify should (I’m using caution here, because I have not actually tested this yet) help you prevent these attacks, so long as you use Safari for all your web browsing. Content Blockers have no effect over other browsers you might have installed, such as Firefox or Chrome.