NSO Pegasus Spyware: Apple devices still safe for most users

No matter how much effort companies put in to improve security, there is always scope for oversight

On Sunday (July 18), French non-profit Forbidden Stories and Amnesty International's Security Lab, along with 17 major news publications, revealed that several government agencies spied on journalists and human rights activists around the world.

It also revealed that between 2018 and 2019, more than 300 individuals, not just journalists, activists, business owners and opposition members but also two serving union ministers, were targeted with Pegasus spyware in India.

It is believed that government agencies hired Israel-based NSO Group to supply spyware to infect targets' mobile phones and track their communication details and location. 

They used zero-day vulnerabilities in iMessage, WhatsApp, and other messenger apps to successfully infiltrate both Apple's iPhone and several branded Android phones.

[Note: A zero-day vulnerability is a software loophole for which a solution is yet to be found. If left unattended, hackers can exploit it to modify programs or steal data from PCs, mobiles or a network.]

The operators simply select a target, place a call through one of these apps and drop the payload, without the victim ever knowing that Pegasus spyware has just been installed on the phone.


Taking note of the severity of the issue, Apple has reacted sharply against private spy agencies for misusing technology to infringe on the personal privacy of people. It added that the company has scaled up security measures to protect its users from spyware and maintains that its devices are safe for most users. 

“Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” Ivan Krstić, head of Apple Security Engineering and Architecture said in a statement.

Though the latest report indicates both iOS and Android are vulnerable to spyware, the former is safer than the latter. Even cybersecurity experts concur.

Compared to Google's Android, Apple has established a safe iOS ecosystem for its customers. It has a robust screening process for all apps that enter the App Store. It does not allow any other route to install apps on its devices.

"iOS gives fewer permissions to apps compared to Android. And it alerts you from time to time if any app is using unnecessary permissions. The best part is iOS doesn't allow third-party apps. Also, if any app needs a photo for a profile pic or any other purpose, it gives permission for that photo only, but Android is giving complete access to your gallery. iOS is very strict about the use of its GPS and some other sensitive hardware like a microphone etc. On the other hand, Android is very friendly for developers. Allowing third-party/untrusted apps is making Android more insecure. In iOS, only jailbroken iPhones allow untrusted apps," said Rajshekhar Rajaharia, an independent security researcher.

In recent months, Apple, with its App Tracking Transparency initiative, has made it mandatory for app developers to disclose what and how much user information is collected and for what purpose it is being used. Additionally, Apple device owners have the option to completely put a stop to the tracking and collection of data.


No matter how hard companies try to improve security, there is always scope for oversight among security engineers whenever they release new software.

In a bid to mitigate such issues, Apple conducts bug bounty events, inviting private ethical hackers to find security loopholes in its software and hardware.

Apple also hosts the Security Research Device Programme, under which it offers specially modified iPhones, dubbed Security Research Devices (SRD), to top ethical hackers, software bounty hunters, and tech enthusiasts to detect bugs in iOS.


With such plans, whenever a zero-day vulnerability is detected, Apple has been able to deliver security patches quickly. This measure curbs hackers from conducting widespread attacks on users around the world.

Google too has similar programs, but they are not as effective as Apple's. As Rajaharia pointed out earlier, it can take a leaf out of the Cupertino company's security playbook and block the side-loading of apps on Android phones.

Even now, Android phone users can download APK (Android Application Package) files from third-party websites, and this is a big security risk. There is a high chance of users unknowingly venturing onto compromised websites and getting tricked into installing malware-laden apps.

Also, we see reports of Google taking down hundreds of apps every year from the Play Store for misusing permissions granted by users to track financial details, and for tricking users into subscribing to premium services and deducting money illegally.

DH reached out to Google for a response on the NSO Group spyware case but the tech giant did not offer a comment.