iOS and Android security in the spotlight in 2016

2015 was a year for the record books in information and cyber security. Dozens of new vulnerabilities were uncovered, and government organisations, businesses and individuals continued to find themselves victims of high-profile data breaches.

As we settle into the new year, we don’t expect this trend to slow down. We foresee more security issues on the horizon that must be addressed in order to ensure privacy for companies and consumers in the year ahead. Here are our predictions on what’s coming in 2016:

iOS: Not as secure as once thought

While Android might get more attention from the press due to its frequent security issues, we expect flaws for iOS to hit headlines in the new year, in a big way. We believe a vulnerability similar to the magnitude and severity of Stagefright, the massive vulnerability that critically exposed almost every Android device, will emerge on iOS, proving no operating system is safe from motivated attackers.

We’ll also see another remotely exploitable attack targeted at iOS, similar to 2015’s AirDrop vulnerability. The AirDrop vulnerability allowed hackers to send and install malware on any device within range even if the user made an effort to block the incoming file.

Expect more iOS kernel exploits and jailbreaks for iOS 9.2 and 9.3, as well.

Android: Still insecure

Android users still have plenty of things to worry about as Google rolls out updates. The open-nature of Android OS has proved to be the software's weakest link, making it increasingly challenging for carriers to issue software updates and patch security issues. As with the AirDrop issue in iOS, we expect Android to suffer from at least one remotely exploitable issue similar to the SwiftKey Keyboard vulnerability discovered and publicised in 2015.

Additionally, while Google promised monthly security updates for Android in August 2015, those updates have not always made it from Google all the way to users’ handsets smoothly, given the fact that update availability is dependent on individual carriers. We don’t expect things to improve much in 2016. Devices older than 4.4 are now officially unsupported, leaving somewhere between 35 per cent to 70 per cent of all Android devices vulnerable.

We predict that additional exploits will take advantage of shared address space ASLR weakness to gain system privileges. Android will also suffer from more kernel exploits as SELinux is adopted.

Bug bounties will drive publicly disclosed vulnerabilities

More vulnerabilities will be disclosed due to widespread adoption and increasing frequency of bug bounty programs. These programs generally involve companies exposing code (for software, a web site or a mobile app, for example) allowing white hat hackers and security researchers to discover and report potentially harmful bugs and vulnerabilities.

As part of these programs, researchers must document and share enough information for the organisation to be able to reproduce the vulnerability. The overall goal of these programs is to uncover and resolve these security flaws before the general public has a chance to uncover, take advantage and exploit them.

Client-side attacks grow

Network perimeters are continuously fortified with new security measures, and as such hackers look for the weakest link within the computer network and will evade perimeter security leveraging end-users (employees, partners, etc.) as a conduit to perform a data breach and compromise an organi

ation. Client-side attacks, which require user-interaction such as clicking a link, or opening a document or email, will increase in 2016. We also expect Chrome and even some PDF readers to experience major vulnerabilities in the new year.

Additional client-side attacks will include usage of media formats to exploit vulnerabilities in media processing libraries such as libstagefright. These formats are likely to be triggered via the email client, browser, multimedia message or via instant message.

Mobile in the workplace grows, so do threats

It’s no surprise that mobile device usage in the workplace will continue to grow in 2016. Enterprise mobility programs seek to increase productivity from employees but cause enormous complexity, security and policy concerns.

As companies will continue to implement these programs to protect employee smartphones and tablets, the fragmentation of devices, OSs, applications and geographies will continue to force an already overburdened IT group to manage hundreds of policies as we introduce new devices into the workplace. Additionally, the launch of smartwatches created by Apple and Samsung will only exacerbate the issue further and create a new attack vectors for hackers.

It’s become apparent that security is an issue that no organisation or individual with sensitive data and private information can choose to ignore. Whether it’s ongoing security issues with Android devices and new iOS vulnerabilities, or attacks targeting end-users, there’s no clear sign of security issues slowing down anytime soon.

Nikias Bassen, Principal Mobile Security Researcher at Zimperium