Mobile OS Vulnerabilities: The Lurking Culprits In Your Mobile Fleet
A comprehensive knowledge of known mobile OS vulnerabilities is the first and most important step in understanding where, why and how corporate devices could be left open to attack.
Wandera’s research aims to provide mobility professionals with a thorough analysis of CVE-recognised vulnerabilities, including their respective presence and severity, over the last 5 years.
(CVE is a comprehensive list of known information security vulnerabilities, aiming to provide a centralised database of cybersecurity issues that is accessible to anyone, anytime.)
Malware, phishing and man-in-the-middle attacks are all prominent mobile threats to your business.
How do these attacks occur in the first place? It is critical that organisations understand what can be done ahead of time to prevent incidents from happening.
Types of vulnerabilities
1. Denial of Service Vulnerability
What is it?
A Denial of Service (DoS) vulnerability is a flaw within an Apple or Android OS that can be used to make a resource unavailable for the purpose for which it was designed.
Mobile devices can also be used as ‘bots’ to perpetrate Distributed DoS attacks (DDoS). This means many devices infected with the same malware can be used together to generate a DDoS attack on a separate entity.
Since 2013, instances of DoS vulnerabilities have been higher on iOS than on Android. DoS vulnerabilities peaked in 2015 with over 200 known vulnerabilities affecting iOS.
It’s clear that iOS is more susceptible to DoS vulnerabilities.
Apple had 232 DoS vulnerabilities compared to 56 affecting Android, but those 56 vulnerabilities had an average severity score of 9.3/10, compared to 6.9/10 for Apple's.
In 2015, Android was plagued with large numbers of internal vulnerabilities: high-severity bugs that, along with making the device susceptible to a DoS attack, allowed remote attackers to execute arbitrary code and cause memory corruption.
2. Bypass Something
What is it?
A ‘bypass something’ vulnerability makes a device susceptible to a third party circumventing a layer of protection set up by the user, administrator or OS itself.
Bypass attacks involve a hacker bypassing the security authentication procedure. For example, if a user has a password set up to log into the phone, a ‘bypass something’ vulnerability might allow a hacker to exploit the flaw to gain access to the device.
As of 2017, the playing field levelled with Android and iOS tied at 30 known vulnerabilities each.
Both Apple and Android have made it a focus to limit vulnerabilities that allow hackers to bypass the security processes in place on devices.
Apple saw more instances of ‘bypass something’ vulnerabilities from 2013 through to 2015, but the severity of those instances paled in comparison to those affecting the Android OS.
This is likely because Android allows for significantly more device configuration than iOS, meaning users are more likely to leave their devices exposed to security features being turned off or ‘bypassed’ by malicious third parties remotely.
3. Execute Code
What is it?
An execute code vulnerability is a bug within an OS that gives an attacker the ability to arbitrarily execute code on a device.
This type of vulnerability allows a hacker to remotely execute a certain command on a target device.
Code execution is one of the highest severity vulnerabilities recognized by CVE, as the results of an attack can mean the ‘bricking’ of a device.
Android saw a significant uptick of 155% from 2016, while Apple experienced a similar increase of 117%.
Although both OSs are consistently being updated, hackers continue to find and exploit vulnerabilities to execute malicious code on them.
Android has the most severe vulnerabilities on average. iOS has hovered between a 7 and 8/10 score, while Android hit a concerning 9.8/10 severity score on average in 2015.
This extremely high severity score was due to a vulnerability known as StageFright.
In 2017, severity scores for both Android and iOS levelled out. However, those vulnerabilities affecting Android remain more concerning, hovering around an 8.5 average score.
4. Memory Corruption
What is it?
A memory corruption vulnerability is a programming error in the OS that leaves the memory of a device open to exploitation by a hacker. An attack occurs when the contents of a memory location are modified in a way the code did not intend, violating the safety of the information kept in memory.
A memory vulnerability is usually an ‘initial way in’ for a hacker and is coupled with a code execution and/or DoS attack.
iOS has long been the leader in instances of memory corruption vulnerabilities. 2015 was the worst year on record, hitting almost 200 known memory corruption vulnerabilities, due to a specific set of vulnerabilities that affected iOS’s WebKit. While Apple seemed to right itself in 2016, 2017 saw a significant 86% increase in the number of vulnerabilities affecting iOS.
Android clearly does a superior job in protecting its OS against memory corruption vulnerabilities and has managed to remain low in volume of instances over the years.
While iOS has had a much higher prevalence of memory corruption vulnerabilities, the severity of those vulnerabilities is not as high as those present on the Android OS. For the last three years, Android vulnerabilities have hovered on or above a 9/10 severity rating.
This critical severity rating for Android is due to the specific Memory Corruption vulnerabilities affecting the OS. The vulnerabilities affecting Android enable remote code execution within the context of the Mediaserver process. This is a highly severe vulnerability that gives the hacker a high level of control over the device.
5. Overflow
What is it?
An overflow vulnerability is a flaw in OS code that can lead to hacker exploitation and subsequent overwriting of device executable code and data. The vulnerability usually lies in the stack/heap buffers. When this is exploited, more data is written to the buffer than it was sized to hold, and the excess overwrites adjacent memory. The result is erratic device behaviour, crashes and data loss.
iOS leads in terms of volume. The only year Android outweighed iOS in number of vulnerabilities was 2016. Android has started experiencing a steady increase in these types of vulnerabilities since 2015, which is something that should be monitored closely.
iOS experienced its highest level of overflow vulnerabilities in 2015, due to several vulnerabilities that put the OS at risk not only of overflow, but also of DoS, code execution and memory corruption attacks.
In 2015, when iOS had a record number of overflow vulnerabilities, Android’s approximately 60 vulnerabilities hit an average severity level of 9.7/10.
This increased severity level was again due to StageFright vulnerabilities that plagued Android OS in 2015.
6. Gain Information / Gain Privilege
What is it?
A gain information or gain privilege vulnerability is one that allows a hacker to exploit a flaw in the OS to gain access to either private information or a heightened permission level on the device. This can be done using a malicious webpage, program or application.
Gain Information – Prevalence
Prior to 2016, iOS held the lead in gain information vulnerabilities, but in 2016 Android experienced a massive increase in vulnerabilities affecting its OS.
Android devices are at higher risk of gain information vulnerabilities due to the allowance of personalized configuration of their OS, which makes it easier for hackers to remotely exfiltrate information from these phones.
Gain privilege – Prevalence
The 2016 spike of approximately 250 vulnerabilities was largely due to several flaws in the release of a new Android OS that appeared to allow hackers to gain elevated privileges to a device through a crafted app or webpage.
Gain information – Severity
The severity rating of gain information vulnerabilities has historically been higher for Android than for iOS. Android has finally been able to curb the severity of the vulnerabilities plaguing its OS.
Gain privileges – Severity
Based on the CVE data, gain privilege vulnerabilities are clearly more severe than the gain information vulnerabilities observed. This is because an app that is able to gain privileges on the device can wreak substantial havoc: delivering malware, exfiltrating data and taking full control of the phone.
Android has long had the most severe gain privilege vulnerabilities affecting its OS.
An overall look
The graph below shows all the known vulnerabilities that have affected both Android and Apple mobile OSs in 2017:
Valuable insights can also be drawn from analysing the total number of mobile vulnerabilities year on year (YOY). The graph demonstrates that mobile vulnerabilities are increasing YOY for both Android and iOS.
Android OS vulnerabilities have ramped up since 2015. Prior to 2016, iOS was dominant in having the most vulnerabilities affecting those using its OS.
Apple has made a point of regularly updating its OS over the years. Since 2012 Apple has released 50 new versions of iOS. In each major release since version 9.0, they’ve managed to significantly reduce the number of known vulnerabilities.
The increase in vulnerabilities you see in the graph below is due to the fact that once a significant release happens, hackers tend to investigate it thoroughly to find all the ways it can possibly be breached.
Since 2012, Android has only released 30 updates to its OS compared to 50 updates from iOS. The number of vulnerabilities per version has clearly suffered as a result. The number of vulnerabilities per OS rarely falls under 200, with version 6.0.1 having over 600 affecting it.
The silver lining for Android seems to be the fact that OS version 8.0 has experienced substantially fewer vulnerabilities than any other Android OS version thus far.
Protecting your business
It’s clear that your organisation cannot rely on either Android or Apple OSs to protect your mobile devices against all security threats.
How at risk are you?
The table shows how at-risk OS versions are to known vulnerabilities:
The oldest versions of OSs don’t necessarily have the highest number of vulnerabilities affecting them. In fact, some of the latest OS versions have some of the highest threat scores.
The Bottom Line
The only bulletproof safety mechanism is to ensure your fleet’s devices are running the absolute latest version of the relevant operating system. According to CVE, zero vulnerabilities have been discovered in iOS 11 or in Android’s newest OS version, 8.0.
Get in touch to find out how we can help secure your business regardless of OS choice.
Mobliciti can help
Mobile OS vulnerabilities leave corporate devices prone to attacks, from the front and the back end.
Security of enterprise mobility should be a top priority for all enterprises. Without Mobile Threat Defence (MTD), malicious apps can compromise your mobile security, sharing corporate data across the globe in seconds. With the new GDPR regulations coming into play in May 2018, this is something your business needs to be well aware of. Mobliciti’s MTD protects against unknown malware, zero-day threats and targeted attacks, and prevents infections from undiscovered exploits, thereby helping protect and secure your mobile fleet.