Will WebKit Be iOS' Achilles' Heel?
Jun 17, 2011 5:00 AM PT
Apple recently issued a new beta version of its forthcoming Mac OS X 10.6.8 update to developers, reported to contain fixes for the Mac Defender malware and its variants.
Cupertino and the Mac Defender clan have been trading shots since May, with the authors of the malware circumventing Apple's efforts to stomp out their attacks.
Meanwhile, Apple is moving even further into the mobile space -- which is what Steve Jobs pretty much spelled out at WWDC, once again talking about the post-PC world.
Further, IHS iSuppli states Apple became the world's largest OEM semiconductor buyer in 2010, on the backs of strong demand for the iPhone and iPad.
Lately, security experts have been warning that hackers and malware authors are now training their sights on the mobile device market. Google's Android Market has been hit by at least three malware attacks since April, for example. Further, McAfee Labs has warned that Android became the second most popular environment for mobile malware behind Symbian in the first quarter of this year.
Both Google and Apple use the open source WebKit layout engine in their Chrome and Safari browsers, respectively.
Could hackers who create malware for Android expand their code to hit iOS too?
The Perils of WebKit
Android and iOS are based on WebKit, but it's not likely that the vulnerabilities in WebKit could be used to exploit multiple mobile platforms, Neil Daswani, chief technology officer and cofounder of Dasient, told MacNewsWorld.
They'd have to rewrite the code first, Daswani said.
Still, many mobile app developers are familiar with more than one platform, and that may open up new opportunities not yet realized for malware authors.
A survey conducted by Piper Jaffray at the Apple Worldwide Developers Conference, held in San Francisco in the first week of June, found that 47 percent of iOS devs polled support Android. Further, 36 percent of the respondents also create BlackBerry apps.
"Over time, both iOS and Android will be attacked more, especially as mobile phones are used for commerce and payments," Daswani warned.
"The threat of malware infections is significant because they're all interlinked through their use of WebKit," Daswani said. "The mobile and portable space is the future of e-commerce, and since the target is big enough, malware authors will look for multiple channels for attack. WebKit may just happen to be a convenient entry portal."
What Is WebKit?
WebKit is an open source layout engine that lets Web browsers render Web pages.
It was derived by Apple from the Konqueror browser's KHTML software library for use as the engine for the Safari browser.
WebKit has been further developed by members of the KDE Project, Nokia, Google, Bitstream and other companies and organizations.
Never Say Never
It may prove difficult to write malware for one WebKit-based mobile platform and retarget it to another.
"The type of malware targeting WebKit is exploit code, and each platform implements things a little differently," Kurt Baumgartner, senior malware researcher at Kaspersky Lab, told MacNewsWorld.
"WebKit has been pwned multiple times and we haven't seen the crossover yet," Baumgartner said.
For example, the Pwn2Own contest at the CanSecWest conference this year was won by a team exploiting a WebKit vulnerability in Mac OS X, while another team exploited a different WebKit vulnerability on the BlackBerry Torch, Baumgartner said.
Packaged shell code for any platform is typically available off the shelf, but "spyware and other payloads cannot be transferred from Android to iOS without rewriting the code base," Dasient's Daswani said.
For example, the latest round of Mac Defender fake malware now attacking the Mac OS X platform is being distributed by the same gang that had "a lot of success" with a similar attack on the Windows platform, but the payload for both target platforms is different, Daswani pointed out.
However, hackers have been ingenious in developing new methods of attack, and security providers tend to be forced to play catch-up, as the recent attacks on security companies' back-end servers showed.
In other words, we can't be sure that malware authors won't be able to figure out how to launch cross-platform attacks relatively easily.
Hackers Have No Identity Issues
Still, whether or not it's easy to port attacks from one mobile platform to another may make no difference to criminal gangs of hackers.
For example, F-Secure recently discovered a new Facebook attack that's spreading both Windows and Mac malware.
"It's not about technology, it's about economics," Sean Sullivan, a security adviser for F-Secure, told MacNewsWorld.
"Making money from scareware isn't really a security or technology challenge, it's an economic challenge," Sullivan added.
The Sound of Money
Criminals will focus first on whichever platform has the larger market share and then, when they've established a successful business model, they target other OS platforms, F-Secure's Sullivan said.
"The effort is the same on the back end, and it only requires somebody to develop the malware on the front end," Sullivan explained.
"There is a growing number of criminals and affiliates, and they're competitive. They'll focus on everything in order to maximize their success," Sullivan stated.