An Explosive Spyware Report Shows the Limits of iOS Security

In fact, the Amnesty International researchers say they actually had an easier time finding and investigating indicators of compromise on Apple devices targeted with Pegasus malware than on those running stock Android.

“In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former,” the group wrote in a lengthy technical analysis of its findings on Pegasus. “As a result, most recent cases of confirmed Pegasus infections have involved iPhones.”

Some of the focus on Apple also stems from the company’s own emphasis on privacy and security in its product design and marketing.

“Apple is trying, but the problem is they aren’t trying as hard as their reputation would imply,” says Johns Hopkins University cryptographer Matthew Green.

Even with its more open approach, though, Google faces similar criticisms about the visibility security researchers can get into its mobile operating system.

“Android and iOS have different types of logs. It’s really hard to compare them,” says Zuk Avraham, CEO of the analysis group ZecOps and a longtime advocate of access to mobile system information. “Each one has an advantage, but they are both equally not sufficient and enable threat actors to hide.”

Apple and Google both appear hesitant to reveal more of the digital forensic sausage-making, though. And while most independent security researchers advocate for the shift, some also acknowledge that increased access to system telemetry would aid bad actors as well.

“While we understand that persistent logs would be more helpful for forensic uses such as the ones described by Amnesty International’s researchers, they also would be helpful to attackers,” a Google spokesperson said in a statement to WIRED. “We continually balance these different needs.”

Ivan Krstić, head of Apple security engineering and architecture, said in a statement that “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

The trick is to strike the right balance between offering more system indicators without inadvertently making attackers’ jobs too much easier. “There is a lot that Apple could be doing in a very safe way to allow observation and imaging of iOS devices in order to catch this type of bad behavior, yet that does not seem to be treated as a priority,” says iOS security researcher Will Strafach. “I am sure they have fair policy reasons for this, but it’s something I don’t agree with and would love to see changes in this thinking.”

Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes, says he agrees that more insight into iOS would benefit user defenses. But he adds that allowing special, trusted monitoring software would come with real risks. He points out that there are already suspicious and potentially unwanted programs on macOS that antivirus can’t fully remove because the operating system endows them with this special type of system trust, potentially in error. The same problem of rogue system analysis tools would almost inevitably crop up on iOS as well.