Apple’s Secure iOS Enclave, Too Secure To Secure
Apple’s secrecy about the overall infrastructure of iOS devices, especially the iPhone, is both a strength and a weakness when it comes to security and privacy. Hackercombat.com reported yesterday that the WhatsApp spyware puts the app’s 1.5 billion users on both iOS and Android at risk. The openness of Android has been blamed for a decade for the proliferation of malware, but the same trait makes it easier for Google to quickly adjust Google Play Protect, Android’s built-in anti-malware system.
With the demise of BlackBerry devices as the official government smartphone, vulnerable iOS devices took their place. An outdated WhatsApp installation on an iPhone is enough to turn the device into an effective cyber-espionage tool. Apple has boasted that its iOS devices, and the iPhone in particular, use a Secure Enclave and ship locked down out of the box. The problem is that they are locked down to the point that users have no way to determine whether their device is already spying on their activity.
“To exacerbate the situation, payloads are often tested and perfected for weeks or more before deployment, thus ensuring a high chance of exploitation, and, inversely, a low chance of detection—especially in the case of ‘0 click’ attacks requiring no user interaction,” said Jonathan Levin, an independent iOS researcher.
This is because how the platform actually works is undocumented, which works against users who want to scan their device for infections. The Secure Enclave itself is a separate coprocessor that protects keys and biometric data; what keeps inspection tools out is the iOS app sandbox, which denies third-party apps the privileged access they would need. Apple has in effect banned antivirus apps from the App Store, and even if that changed in the future, the architecture would still stop any app from inspecting other apps or the system, let alone the Secure Enclave Apple created. The WhatsApp spyware episode is an eye-opener for the industry: Android is a much easier platform on which to deploy mitigations from the start while waiting for Google to issue a patch.
“The simple reality is there are so many 0-day exploits for iOS. And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders from inspecting the phones,” explained Stefan Esser, a cybersecurity researcher.
All an iOS device user can do is open the App Store and hope the developer has published an update for the vulnerable app. There is no mitigation a user can apply to prevent cyber espionage, because iOS forbids low-level access to the device. Users cannot even install a specialized app to monitor the phone’s operations and report its status, since such an app would require the low-level hardware access that iOS prohibits.
“These security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organizations lacking access to adequate forensics technology. Because of this, we are rarely able to confirm infections of those who we even already suspect being targeted. Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favors attackers over us, defenders,” emphasized Claudio Guarnieri, a technologist at Amnesty International.