Check iPhone for Malicious code
May 15, 2019 1:12 PM

With the recent news about the WhatsApp hack, I began wondering how I would check/identify if anything was installed on my iPhone without my knowledge/permission. What are the tools/processes to check everything that's installed on your iPhone?
posted by herda05 to Technology (8 answers total)
With iOS and its approach to security it will be very difficult to determine this; however, given the nature of the WhatsApp vulnerability, you don't need to worry about it unless you have a reason to believe a nation-state is explicitly targeting you.

The walled garden approach of iOS makes it difficult to exploit, especially remotely, but it also makes it difficult to employ forensic analysis tools for the average consumer who doesn't have access to the hardware that an iOS developer typically has.

Basically, if you think a government is out to get *specifically you*, you should be concerned and wipe the phone, as well as be on the lookout for getting droned.

If you are anyone else, you're incredibly unlikely to be impacted by this specific vulnerability, even though it's pretty sensational.
posted by iamabot at 1:23 PM on May 15

It’s Almost Impossible to Tell if Your iPhone Has Been Hacked (Vice, May 14 2019)
A recent vulnerability in WhatsApp shows that there’s little defenders can do to detect and analyze iPhone hacks.
As of today, there is no specific tool that an iPhone user can download to analyze their phone and figure out if it has been compromised. In 2016, Apple took down an app made by Esser that was specifically designed to detect malicious jailbreaks. Moreover, iOS is so locked down that without hacking or jailbreaking it first, even a talented security researcher can do very little analysis on it. That is why security researchers crave expensive iPhone prototypes that have security features disabled, as a Motherboard investigation revealed earlier this year. [...]

Several iOS security researchers who spoke with Motherboard agree that the iPhone is too locked down for its own good. That makes it very hard for even experts to tell if a device has been compromised without jailbreaking it first, a feat that is not feasible for most users anymore. [...]

A security researcher who has extensive experience developing exploits, who asked to remain anonymous because he didn’t want to openly criticize potential customers, said that the fundamental problem is that iOS is “a bug rich environment,” and that Apple’s strategy only works against “hobbyist attackers” but is “quite counterproductive against professional attackers.” [...]

The result is that—for the vast majority of people—the iPhone is still a very secure device. But all software, be it a secure messaging app like WhatsApp or an operating system like iOS, has vulnerabilities. And when those vulnerabilities are exploited on an iPhone, there's often no way of knowing.
posted by Little Dawn at 1:33 PM on May 15

If I start feeling suspicious or weird about how my phone's acting, I deactivate or offload all my two-factor authentication codes to a cloud-backed-up 2FA service like Authy. Then I factory reset the device, and then I rebuild the installs and the 2FA setup after the reset is done.

Unfortunately, it's not out of the bounds of reason that a sufficiently advanced hack could even avoid being erased by a factory reset. I tend to consider a hack of that magnitude something a state-level actor would do, not something a private, non-state entity could pull off. But it's still possible.

Agree with iamabot and Little Dawn on their quotes and citations. It would be super difficult to do diagnostics without internal Apple tools (and even then!) to make absolutely sure that the phone was not hacked. And I'm not sure Apple Geniuses would support that use of their tools anyway, even if their tools would be of use in these kinds of forensics.

To be honest, like iamabot said above, part of the equation of risk assessment here is to consider that you are extremely unlikely to deserve the attentions of a state-level actor, and also consider that all your privacy and private information is not necessarily relevant to specific investigations or inquiries by such actors, even if they do have you under a microscope.

If you were a primary target of a state-level investigation, then you'd want to get off grid and get the hell out, and possibly shoot your iPhone or blow it up on the way out (although, paradoxically, the attention and forensics you might draw by doing that might be to your detriment). And be prepared to stay off grid for as long as you want to not be found out.
posted by kalessin at 5:03 PM on May 15

My employer just pushed an app called zIPS to all their company-managed mobile devices. They may be kidding themselves, but their justificatory spiel was that the app detects possible iOS exploits.

Anecdotally - this app kicks the crap out of the battery life of my colleagues' Android devices. It barely moves the needle on the battery of my iPhone 8+. Perhaps that reflects the fact that there's not much that it can do on iOS, whereas it's busily & CPU-intensively intervening all over the 'droid world? I don't know.
posted by rd45 at 3:01 AM on May 16

> Anecdotally - this app kicks the crap out of the battery life of my colleagues' Android devices. It barely moves the needle on the battery of my iPhone 8+. Perhaps that reflects the fact that there's not much that it can do on iOS, whereas it's busily & CPU-intensively intervening all over the 'droid world? I don't know.

At a guess, it's simply not behaving as intrusively on an iPhone as on an Android; scanning stored data and monitoring app and OS behavior is what makes security software a massive resource and power drain on phones and laptops alike.

iOS apps are constrained to using the code that Apple permits (public APIs) in order to be distributed through the iOS App Store, and things like intercepting and modifying other apps' behaviors (essential to most data security software) are explicitly forbidden. Google has similar, although less restrictive, restraints on app behavior appearing in their Android App Store, but since Android devices aren't limited only to Google's app store, software like zIPS can be legitimately installed by other means, bypassing restrictions.
posted by ardgedee at 7:46 AM on May 16

> Several iOS security researchers who spoke with Motherboard agree that the iPhone is too locked down for its own good.

Oh, there's a typo, they printed "for its own good" when the researchers must have said "for our own good".

For an iOS device, if you haven't tried to jailbreak it, and if you haven't been installing VPN apps or other Managed Device profiles, there's very little in the way of generic security threats. (If a nation state-type of actor might be targeting you, well, you need better advice than MeFi.)

So: do check Settings -> General -> VPN and Settings -> General -> Profiles. Both should be empty.

Also, Settings -> General -> About should say you're on iOS 12.3.

Beyond that, not much that I can think of.
posted by RedOrGreen at 12:04 PM on May 16

Thanks all. My concerns are related to high value corporate data with a fintech. Not nation state, but definitely in the threat realm from organized criminal syndicates. From reading between the lines, there are probably more non-public approaches available, and since Apple has always been a pay-to-play model, there may be tiers of access/support that can be negotiated directly. We’ll reach out to our Apple rep and start a conversation there.
posted by herda05 at 7:55 PM on May 16

High value corporate data in a fintech is more at risk from people opening Word docs and things not getting patched than from iOS, as a platform, being compromised, FWIW.

You have broader, more poorly defended attack surfaces to tackle well before you worry about iOS.

There aren't non-public approaches available; the best defense of iOS as an ecosystem is available to you today with common architectures for the data and accounts the device will have access to, and MDM, which is what your rep will tell you. You will end up on JAMF and end up using device profiles, which are excellent if not just annoying.

Best of luck; absolutely talk to your rep and have a broader discussion about the other attack surfaces you're presenting, as they present much softer targets than the closed operating system of iOS.
posted by iamabot at 9:53 PM on May 16
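Two pieces of advice in this thread can be checked against the profile files themselves: RedOrGreen's "Settings -> General -> VPN and Profiles should both be empty", and iamabot's "you will end up on MDM using device profiles". An iOS configuration profile (.mobileconfig) is an XML plist whose entries in PayloadContent each carry a PayloadType string that Apple documents, so a profile an MDM pushes, or one someone hands you, can be audited before it ever reaches a phone. The script below is an added example written for this page, not code from the thread, Apple or Jamf. It flags high-impact payload types (VPN, root CA, global proxy, web clip, MDM enrolment) that you did not say you expect, and checks that the Restrictions payload closes the loopholes an attacker would need: user-installed profiles, user-created VPNs, trusting enterprise apps, accepting untrusted TLS certificates, pairing with arbitrary hosts. The payload type names and restriction keys are Apple's; the policy values, the com.example identifiers and the sample profile are constructed for this example. It assumes an unsigned profile (signed ones are CMS-wrapped DER and must be unwrapped first, for example with openssl smime -verify) and a supervised device, since several of these restriction keys only take effect under supervision.

```python
"""Audit an iOS configuration profile (.mobileconfig) for unexpected payloads.

Added example for this page, not code from the thread, Apple or Jamf.
Assumptions: the profile is unsigned XML (signed profiles are CMS-wrapped
and must be unwrapped first), the device is supervised, and the policy
values below are this example's own choices; the key names are Apple's.
"""
import plistlib

# Payload types that change trust or traffic routing on the device. One of
# these in a profile you did not knowingly install is the red flag the thread
# points at ("Settings -> General -> VPN / Profiles should be empty").
HIGH_IMPACT_PAYLOADS = {
    "com.apple.vpn.managed": "VPN configuration (can route or intercept traffic)",
    "com.apple.security.root": "root CA certificate (enables TLS interception)",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.webClip.managed": "web clip (home-screen shortcut to a URL)",
    "com.apple.mdm": "MDM enrolment (remote management authority)",
}

# Restrictions payload (PayloadType com.apple.applicationaccess) keys and the
# value a locked-down supervised device should carry. Policy choice for this
# example; an absent key means the iOS default, which is the permissive one.
EXPECTED_RESTRICTIONS = {
    "allowUIConfigurationProfileInstallation": False,  # user can't add profiles
    "allowVPNCreation": False,                          # user can't add VPNs
    "allowEnterpriseAppTrust": False,                   # no sideloaded enterprise apps
    "allowUntrustedTLSPrompt": False,                   # no "trust this cert?" prompt
    "allowHostPairing": False,                          # pair only with supervising host
}


def load_profile(data: bytes) -> dict:
    """Parse the outer plist and confirm it is a configuration profile."""
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError(f"not a configuration profile: {profile.get('PayloadType')!r}")
    return profile


def audit_profile(profile: dict, expected_payloads=()) -> list:
    """Return a list of (severity, message) findings for a parsed profile.

    expected_payloads names the high-impact PayloadTypes you *do* expect
    (e.g. the corporate VPN); those are not reported.
    """
    findings = []
    expected = set(expected_payloads)
    saw_restrictions = False
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if ptype in HIGH_IMPACT_PAYLOADS and ptype not in expected:
            findings.append(("high", f"{ident}: unexpected {ptype} payload, "
                                     f"{HIGH_IMPACT_PAYLOADS[ptype]}"))
        if ptype == "com.apple.applicationaccess":
            saw_restrictions = True
            for key, want in EXPECTED_RESTRICTIONS.items():
                got = payload.get(key)  # None = key absent = iOS default
                if got != want:
                    findings.append(("medium", f"{ident}: {key} is {got!r}, expected {want!r}"))
    if not saw_restrictions:
        findings.append(("medium", "no Restrictions payload (com.apple.applicationaccess)"))
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append(("low", "PayloadRemovalDisallowed not set; the user can remove this profile"))
    return findings


# Constructed sample (not a real corporate profile): a "baseline" that still
# allows user-created VPNs, omits two restriction keys, can be removed by the
# user, and carries a VPN payload nobody asked for.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.corp.baseline</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.corp.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>allowVPNCreation</key><true/>
      <key>allowEnterpriseAppTrust</key><false/>
      <key>allowUntrustedTLSPrompt</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.corp.vpn</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>UserDefinedName</key><string>Unexpected VPN</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for severity, message in audit_profile(load_profile(SAMPLE_PROFILE)):
        print(f"[{severity}] {message}")
```

On the sample this reports one high finding (the VPN payload), three medium ones (allowVPNCreation is True, and allowUIConfigurationProfileInstallation and allowHostPairing are absent), and one low finding (the profile is user-removable); passing expected_payloads=("com.apple.vpn.managed",) silences the high finding when the VPN is your own. Note what this does and does not cover: it audits the profile you push or are given, not what is on the handset. There is no API for a third-party iOS app to enumerate installed profiles, which is exactly the constraint the thread describes, so the device-side check remains the manual one in Settings -> General -> Profiles.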
