iOS 15.0.2: Why Apple Is Issuing Emergency iPhone Updates – Forbes

Another Apple update was issued this week—iOS 15.0.2—for a vulnerability that was already being used to attack iPhones. It comes after multiple “emergency” updates from Apple this year; sometimes several in one month. The barrage of iOS updates has often been for serious vulnerabilities that were being utilised by attackers in the wild.

Apple has a strong reputation for privacy and security, and has had much success in pushing its privacy-focused ethos. The iPhone maker’s closed “walled garden” ecosystem encompassing the hardware and software contrasts with Google Android’s more open one.

But the huge number of iOS security fixes in 2021 is leading many people to ask: is Apple’s iPhone less secure than it used to be?

“Part of the perception that there are more Apple vulnerabilities now is because we are starting from a low number historically,” says Sean Wright, SME security lead at Immersive Labs.

He says the most important thing is that iPhone issues are being fixed, “often quite quickly.” In addition, Wright points out, issues exploited by the time of the patch—such as the vulnerability utilised by the Pegasus spyware—have been targeted at a specific subset of people, “so the vast majority of ordinary users are unaffected.”

More researchers looking for iPhone vulnerabilities

Apple doesn’t have anywhere near as many users as Android, but it’s growing. In tandem, criminals are targeting Apple’s iOS platform more: An increased attack surface means additional opportunities to compromise iPhone users.

But at the same time, it could be that more researchers are hunting for vulnerabilities in Apple’s iOS. “I think it’s a swarm effect,” says security consultant Daniel Card. He cites the example of Microsoft Exchange: “No one was looking, then someone looked, and a bug was found. Then everyone went looking.”

Yet many people find Apple’s bug reporting process frustrating. Some researchers say they have reported iOS bugs that have been fixed without crediting them: Security researcher Denis Tokarev says he reported a second vulnerability that was fixed in iOS 15.0.2, which he initially wasn’t credited for.

Tokarev later received an email from Apple acknowledging the vulnerability.

More scrutiny on Apple is a good thing

Wright thinks more scrutiny on Apple, with researchers finding more holes, is a good thing. “I’d much rather know about a flaw than have that knowledge concentrated solely in the hands of attackers.”

Yet at the same time, because Apple does its own security, the onus and control are taken away from the user. Android is full of vulnerabilities in both apps and software, but users can deploy their own security on the device.

As Forbes’ Zak Doffman says in this week’s Straight Talking Cyber: “Apple is a bit of a …….

Source: https://www.forbes.com/sites/kateoflahertyuk/2021/10/16/ios-1502-why-apple-keeps-issuing-emergency-iphone-updates/
