The security of all computers is dependent on three things:
- The Hardware
- The Operating System
- The Apps
When it comes to the iPhone, Apple does a great job of making sure the hardware is secure. The Secure Enclave is the best in the industry and Apple spends a lot of money testing their hardware. The good news for Apple users is that Apple controls all of the hardware because they make all of it.
The next piece is the operating system. iOS has a great security reputation and pretty much forces all of the security patches into user’s devices whether they want them or not.
So what is left?
Yes, it is the apps. Depending on the user and the phone, you could have 50, 100 or more apps on your phone. That’s where the trouble starts.
Security researchers at Wandera evaluated about 30,000 popular apps found in the app store. They noticed that data was being transmitted unencrypted because the apps’ transport security had been turned off.
This seemed odd to the researchers since Apple’s app security framework, called App Transport Security or ATS, is turned on by default. It comes included as part of Apple’s Swift development platform, so it takes no additional work for the developers to use it.
The researchers found that 20,000 of the 30,000 apps had ATS turned off.
Their best guess is that the developers assumed encryption would reduce the app’s performance, but on most phones that is not true.
For the last few versions of iOS, Apple has even made it possible for developers to use ATS only when they are transferring sensitive information, but apparently, app developers don’t care.
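To make the ATS discussion concrete, here is an added example (not from Wandera, Dark Reading or the original post) of the kind of check a reviewer or app-vetting team can run over an app bundle’s Info.plist. The two plist fragments are constructed samples, not real apps: the first disables ATS app-wide with NSAllowsArbitraryLoads, the second keeps ATS on and carves out a single-host exception under NSExceptionDomains, which is the scoped approach Apple provides. The audit_ats function and the finding strings are this example’s own; the plist keys it inspects are Apple’s documented ATS keys.

```python
import plistlib

# Constructed sample: ATS switched off for every connection the app makes.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS stays on; only one legacy host may be reached over plain HTTP.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.scopedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: no ATS dictionary at all, i.e. Apple's default (ATS fully enforced).
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.defaultapp</string>
</dict>
</plist>
"""

WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return one finding per way the Info.plist weakens App Transport Security.

    An empty list means ATS is in force for every connection. Findings are
    prefixed GLOBAL (whole app), PARTIAL (a whole class of loads) or DOMAIN
    (a single host exception) so they can be triaged by blast radius.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings: list[str] = []

    # The blanket opt-out: this is what "ATS turned off" usually means in practice.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("GLOBAL: NSAllowsArbitraryLoads=true disables ATS for all connections")

    # Narrower opt-outs that still cover large classes of traffic.
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"PARTIAL: {key}=true disables ATS for that class of loads")

    # Per-host exceptions: report plaintext HTTP and downgraded TLS versions, with scope.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        scope = "and its subdomains" if rules.get("NSIncludesSubdomains") else "only"
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"DOMAIN: plaintext HTTP allowed for {host} {scope}")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(f"DOMAIN: minimum TLS lowered to {tls} for {host} {scope}")

    return findings


if __name__ == "__main__":
    for label, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("default", DEFAULT_PLIST)):
        print(label, audit_ats(blob) or ["ATS fully enforced"])
```

Run against a decrypted .ipa’s Info.plist (plistlib reads binary plists too), a GLOBAL finding is the case the researchers counted; a DOMAIN finding is the scoped exception the author says Apple made available, and is the shape a reviewer should ask developers to use instead of the blanket switch.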
I think it is fair to say that the state of app security is similar to the state of web site security ten years ago (or older).
The challenge for the end user is that they really have no easy way to tell which apps are secure and which ones are not without being a security expert, which is not a reasonable expectation.
Unfortunately, I do not have a silver bullet. I tend to minimize the number of apps that I have installed as one way to reduce my attack surface. Maybe not the best answer, but the best one that I have. Source: Dark Reading.