Frequent security updates on iOS/iPadOS and need for anti-virus software

I saw in my Amazon account that I have 46 apps logged into my account! Gaa! I don’t know what that means, but it freaked me out. I also saw that people are trying to log in to my OneDrive account daily. And so I’m looking into both.

In the meantime, I have some questions about viruses/malware on my devices.

I’ve seen/heard over & over that “iOS doesn’t need anti-virus software”. If that’s true, then why are we getting frequent security updates?

I looked at some AV software providers, to see if they have any function that allows one to virus-scan an individual file (like right-click in Windows to run Win Defender on the file). I didn’t see any who had such capability.

I just want to be safe. I access crypto funds from my devices. But with Musk & Palantir and 1000s of scammers setting up spying methods on us, I worry that my data & funds are not safe. Am I worrying about things that won’t happen?


Thanks so much!


[Re-Titled by Moderator]

Original Title: anti-virus needed on iOS/iPadOS?


iPad Air (3rd generation)

Posted on Jul 29, 2025 3:33 PM

Question marked as Top-ranking reply

Posted on Jul 30, 2025 5:06 AM

There are no AntiVirus scanning products for iOS/iPadOS. Due to the sandboxed security architecture, an AV process is unable to scan the filesystem.


Providing that you have not attempted to jailbreak your device - or have bypassed protections by side-loading third-party Apps, then it is highly unlikely that your device will have been infected with malware. However, as with all computer systems, there are still vulnerabilities and exploits to which you remain vulnerable.


Be wary of an often repeated myth that Apple devices are immune to malware; those that perpetuate this fallacy, perhaps with good intention, do not necessarily comprehend the broader threat landscape. Apple expend considerable resources in developing and issuing regular software security updates and patches for its products; if the myth had any substance, regular security updates would be unnecessary.


Providing that your iPad has been kept up-to-date with system software updates, you should not be overly concerned for your iPad being directly compromised by malware. For older devices, no longer benefiting from regular security updates, the risk of an unpatched vulnerability being exploited increases. Regardless of the installed version of iPadOS, there are useful mitigations that can be used to significantly reduce your exposure to risk.


If you have given your personal details to a malicious website, this may be the cause of attempted fraud. If necessary, change account passwords (including your AppleID Password) if you suspect that they may have been compromised. If you have cause to believe that your AppleID has been compromised, follow the advice outlined here:

If you think your Apple ID has been compromised - Apple Support


If you have exposed your Credit Card details, you may wish to contact the Card Issuer - who may cancel and reissue your Card as a precaution.



Threat Mitigation


Other than malicious websites that will attempt to capture information that you willingly enter, the majority of threats to which you will be invariably exposed will surface via web pages or embedded links within email or other messaging platforms. Browser-based attacks can be largely and successfully mitigated by installing a good Content and Ad-blocking product. One of the most respected within the Apple App Store - designed for iPad, iPhone and Mac - is 1Blocker for Safari.

https://apps.apple.com/gb/app/1blocker-for-safari/id1365531024


1Blocker is highly configurable - and crucially does not rely upon an external proxy-service of dubious provenance, often utilised by so-called AntiVirus products intended for iOS/iPadOS. Instead, all processing by 1Blocker takes place on your device - and contrary to expectations, Safari will run faster and more efficiently.


Unwanted content is not simply filtered after download (a technique used by basic/inferior products), but instead undesirable embedded content is blocked from download. The 1Blocker product has also recently introduced its new “Firewall” functions - that are explicitly designed to block “trackers”. Being implemented at the network-layer, this additional protection works across all Apps. Recent updates to 1Blocker have introduced additional network extensions, extending protection to other Apps.


A further way to improve protection from exploits is to use a security focussed DNS Service in preference to automatic DNS settings. This can either be set on a per-device basis in Settings, or can be set-up on your home Router - and in so doing extends the benefit of this specific protection to other devices on your local network. I suggest using one of the following DNS services - for which IPv4 and IPv6 server addresses are listed:


Quad9 (recommended)
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9

OpenDNS
208.67.222.222
208.67.220.220
2620:119:35::35
2620:119:53::53

Cloudflare
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001



Security focused DNS providers intentionally "sink hole" known bad or malicious websites and resources - this providing an additional layer of protection beyond that provided by your device and its Operating System. These DNS services will, when used alongside 1Blocker or other reputable Content Blocker, provide defence in depth.


There are advanced techniques to further “harden” iOS/iPadOS (such as using DoH, DoT and DNSSEC). Apple has introduced its new Private Relay to its iCloud+ subscribers - in part employing ODoH (a variant of DoH) as an element of this new functionality. If you have subscribed to iCloud+, and have a device capable of running iOS/iPadOS 15.x or later, this feature is included. 
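
The resolver list and the "sink hole" behaviour described in the reply above can be checked from a computer on the same network. The following Python is an added example, not part of the original reply: it maps a configured resolver address to the providers listed, and classifies a DNS reply as resolved, sinkholed, or NXDOMAIN. The name `blocked.example`, the constructed sample replies, the `sinkholes` parameter, and the rule that an unspecified address (0.0.0.0) means "blocked" are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

# Resolver addresses exactly as listed in the reply above.
LISTED = {
    "Quad9": ["9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"],
    "OpenDNS": ["208.67.222.222", "208.67.220.220",
                "2620:119:35::35", "2620:119:53::53"],
    "Cloudflare": ["1.1.1.1", "1.0.0.1",
                   "2606:4700:4700::1111", "2606:4700:4700::1001"],
}

def provider_for(addr):
    """Map a configured resolver address to a listed provider, or None."""
    ip = ipaddress.ip_address(addr)  # normalises IPv6 spelling variants
    for name, addrs in LISTED.items():
        if ip in (ipaddress.ip_address(a) for a in addrs):
            return name
    return None

def build_query(name, txid=0x1234):
    """Encode a one-question A-record query with recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", 1, 1))

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += n + 1

def parse_response(msg):
    """Return (rcode, [A/AAAA addresses]) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if (rtype == 1 and rdlen == 4) or (rtype == 28 and rdlen == 16):
            addrs.append(ipaddress.ip_address(rdata))
    return flags & 0x000F, addrs

def classify(msg, sinkholes=()):
    """Classify a reply. `sinkholes` is a hypothetical list of block-page IPs."""
    rcode, addrs = parse_response(msg)
    sink = {ipaddress.ip_address(s) for s in sinkholes}
    if rcode == 3:
        return "nxdomain"         # blocked OR genuinely nonexistent: ambiguous
    if rcode != 0:
        return "error"
    if addrs and all(a.is_unspecified or a in sink for a in addrs):
        return "sinkholed"
    return "resolved" if addrs else "no-address"

def ask(resolver, name, timeout=3.0):
    """Send the query over UDP/53 to one resolver and classify the reply."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return classify(s.recvfrom(4096)[0])

def make_response(query, rcode, addr=None):
    """Constructed sample reply (not captured traffic) for offline runs."""
    head = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode,
                                   1, 1 if addr else 0, 0, 0)
    ans = b""
    if addr:
        ans = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
               + ipaddress.ip_address(addr).packed)
    return head + query[12:] + ans

if __name__ == "__main__":
    q = build_query("blocked.example")
    print(provider_for("2620:00fe::fe"), classify(make_response(q, 3)),
          classify(make_response(q, 0, "0.0.0.0")))
```

An NXDOMAIN answer alone does not prove filtering, so compare the answer from the filtering resolver with the answer from a second resolver before concluding a name was blocked.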


Jul 29, 2025 4:38 PM in response to NventiveGuy

NventiveGuy wrote:

Thanks for replying. I do understand sandboxing.
I used to write programming manuals for HP.
I understand a software-defect fix is different from a security update.

Ah, which part of HP? This is because IIRC HP didn’t have anything close to the design and implementation of iOS, in terms of the security design and implementation. Not with their HP-UX, and not with the NSK stuff from Tandem, nor the various stuff that arrived via Compaq either. Nor with the HP efforts around reselling Windows.


On thinking about it, NSK is probably the closest of the HP operating systems to the design of iOS / iPadOS / macOS in some ways, but for a completely different target, on very different hardware, and with a completely different implementation.


If you’re coming at this from Microsoft Windows and outside of maybe Windows S Mode, the iOS platform design is very different from Windows, and in some very fundamental ways.


Details: Apple Platform Security - Apple Support

Why do we need security updates if security breaches are not possible?

Security breaches are absolutely possible. And have happened. Based on available information, the iOS breaches are rare, and targeted. And the iOS exploits involved are comparatively expensive.


Pretty much everything gets targeted eventually too, including (for instance) HP printers:

https://www.bleepingcomputer.com/news/security/hundreds-of-hp-printer-models-vulnerable-to-remote-code-execution/


Couldn’t someone write some Swift code and stick it in a JPG or TIFF file?

To what end? Are you considering polyglot files here (such as Gifar files), or something else?


Or are you thinking of some other sort of type confusion?


Here is a write-up on one of the Messages on iOS exploits from a while back, with the details of the “weird machine” constructed inside an iOS image interpreter:

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html


This particular exploit is just spectacularly clever.


Also see how Blast Door and Lockdown Mode work.

I know it wouldn’t normally be given the same execution permissions and access
to device resources, but why are security updates needed? There must be
some code that gets through the barriers of the system, right?

Whether the cause is mishandled data, or a timing issue, or some other sort of bug, the details of the vulnerabilities and the fixes vary.

I don’t like to argue, but do like to fully understand situations.

Yes, and one solution is to add more trusted code from a third-party, code that itself can contain issues and vulnerabilities, and code which will be blocked from accessing iOS and other installed apps by the sandbox, to what end?


Add-on security apps can insert themselves into network traffic, whether to monitor traffic, or potentially block traffic, or to log and potentially resell collected data can vary. But they can’t scan.


As for what can happen here, one of the better-known add-on apps for macOS was caught reselling personally-identified web browsing and web purchasing data. They weren’t fined for collecting and selling that data, they were fined for not disclosing the sale.

I was thinking I would Export data from an app, delete the data it’s stored
in iCloud, and then Import it back into the app after I did a Reset/Erase.
I have more faith in the Export/Import methods than in the general
iCloud storage & Restore methods. Especially if they translate the data
into CSV formats.


CSV looks simple, but too often degenerates into disagreements around the definition. (For details, have a look at how much can be involved with libcsv, for instance.) And CSV is not going to be particularly useful here.


Here is how to archive iCloud data:


As for the 46 apps mentioned earlier, Amazon is probably confused, and reporting everything they’ve seen without regard to what’s been updated or upgraded. For questions about that count, check with Amazon. Or deauthorize everything, and re-add what you are presently using. Maybe change the Amazon credentials, too.


And in general, yes, there are security patches. If you have something not getting security patches, be concerned. Why concerned? Some of the older network gear I was working with quietly fell off of vendor support, and some of that vendor’s older gear was then exploited. There are many IoT and embedded and apparently-innocuous devices that are or can be vulnerable. Or exploited. Networking, firewalls, cameras, TVs, all sorts of gear.

Jul 29, 2025 10:04 PM in response to NventiveGuy

NventiveGuy wrote:

One last thing…
No one mentioned using data encryption 
to increase security. Is it not a way to 
increase the security of my system & data? 

Your iPhone/iPad is already using data encryption, so no, encrypting data that is already encrypted will pose no benefit. The key to the encryption is the device passcode. That is why if you forget your Passcode, the device must be erased, no exceptions.


There is quite a bit of information to read and MrHoffman is a great source. At least you now know why AntiVirus is ineffective as it is not possible to scan the files and there is not even access to the System Files where a virus could be installed as the System is sealed on a Read Only partition of your drive using Secure Boot that won't even allow it to be tampered with.

Jul 29, 2025 3:38 PM in response to NventiveGuy

Anti-virus software will not do you any good on an iOS device. The iPhone and iPad are sandboxed, so anti-virus does not have the ability to scan all areas of the devices. If your device has not been jailbroken, a virus cannot be added to your device.

Apple updates security as different things are discovered, and most have not been found in the wild, just located when testing devices.

Jul 29, 2025 3:39 PM in response to NventiveGuy

You are worrying yourself needlessly. There are NO known viruses, which can attack an iPhone. NONE. ZIP. There really isn't any company on the planet who is more concerned about your digital safety than Apple is. Update your iPhone when updates come out. Don't click on links from anyone you don't know. Just be smart about your digital footprint and you'll be just fine. So, there is no need for anti-virus software on iPhone, when there are no viruses which can affect you.

Jul 29, 2025 3:58 PM in response to NventiveGuy

We get frequent security updates because this way we can be better safe than sorry and protected for the future before these vulnerabilities become widespread. Not because iPhones are insecure. These frequent updates that patch vulnerabilities are in part why we don’t need anti-virus protection. I don’t think an iPhone has ever been hacked in the wild. These vulnerabilities are very sophisticated and far ahead of us currently. Anti-virus software will slow your device and internet speeds down, and cause connectivity issues.

Jul 29, 2025 5:40 PM in response to NventiveGuy

NventiveGuy wrote:

Why do we need security updates if security breaches are not possible?

Because security is an arms race, not a wall that you build once that keeps everyone out forever.


Couldn’t someone write some Swift code and stick it in a JPG or TIFF file?
I know it wouldn’t normally be given the same execution permissions and access
to device resources, but why are security updates needed? There must be
some code that gets through the barriers of the system, right?


Apple’s security updates are essentially updating Apple’s built in “antivirus”, although that name is meaningless, because there has never been an iOS virus, under the strict definition of code that self-replicates and travels over networks to infect other devices.


Finding vulnerabilities in Apple systems is a highly lucrative activity, because Apple (and Google, Microsoft, etc) pays $millions in bounties to anyone who reports a verifiable vulnerability. The vast majority of these are not found “in the wild”, but Apple fixes them anyway to be safe.

Jul 29, 2025 10:17 PM in response to NventiveGuy

NventiveGuy wrote:

…And I’ve come to believe that we shouldn’t put anything 
online that we don’t want to risk being stolen. 
I recall nearly a whole country’s citizenry whose
data was breached by some big hacks.

The United States, probably among others.


…What I’m looking for are solutions: 
-how would I react if that happens. 


That’s an exceedingly open-ended question. Anywhere from grumbling about a transient disruption to unmitigated panic, depending on your risks, the data, and the details of the breach and the adversary. Etc.


-what losses would I sustain. 


That depends on your risks, the data, and the breach.


What to do? Usual recommendations include unique passwords, two-factor authentication, backups, etc.


One last thing…
No one mentioned using data encryption 
to increase security. Is it not a way to 
increase the security of my system & data? 


iPhone, iPad, and Mac all automatically encrypt stored data.


Read the platform Security document, linked earlier.


Look particularly for the “keybag” info for some interesting implementation details.


Virus, Trojan horse, and worm have largely faded from technical use, as they make distinctions that aren’t all that useful, and as more than a few exploits are blended. Or the exploits target the users and not the hardware.

Jul 29, 2025 5:10 PM in response to NventiveGuy

NventiveGuy wrote:

So what if I accidentally clicked on such a link? What could happen?
In the aforementioned Amazon situation, they sent me a link to
login to my WellsFargo app. I did it after verifying WF’s domain name
in the URL. But later I kicked myself for doing that. WF said that
the URL was legit, but I still didn’t think it was proper.

One time I clicked on a “From:” field in an email, and
it turned out to be a graphic with malware! That was on Windows.
Long story short, it killed my $1000 Surface Pro.
That’s why I left Windows.

You're going to drive yourself crazy here. iPhone and iOS are nothing like a Windows based Surface laptop. Stop playing "what-ifs." Even if you clicked a link, it couldn't download a virus. As long as you don't provide anything personal in a link you may click, you can't get a virus. YOU CAN'T GET A VIRUS. PERIOD. If you don't notice a security update for a few days, NOTHING WILL HAPPEN. Just update when you do see you have an update available.


So please stop trying to spook yourself. Living in fear, simply isn't healthy.

Jul 29, 2025 3:53 PM in response to NventiveGuy

The real threat is not some autonomous software that markets their products with scare tactics, it’s the user.


When a user responds to a phishing message (email, text, etc.) and enters their usernames and passwords, no matter what; they are not protected.


When I switched from Windows to the Mac in early 2007, I took a chance (a risk) by not installing any antivirus software.


Do you know what I learned after 18½ years? 🧐


You can’t believe advertisers.

They have a business model that works on fear, uncertainty and deception.


Good luck! 👋🏼😉

Jul 29, 2025 9:37 PM in response to MrHoffman

Thanks to all who replied to my questions. I found some replies refreshingly honest.

———

Security breaches are absolutely possible. And have happened. Based on available information, the iOS breaches are rare, and targeted.

——-(sorry for not using the snazzy quote box)

Great to hear someone give more than a party line like “iOS can’t have viruses”. Thank you, Mr Hoffman, for admitting the glaring truth that security defects do happen—and get solved. It made your argument stronger & more credible, not weaker. You even gave examples.

One person qualified their defense, saying “…there has never been an iOS virus, under the strict definition of code that self-replicates and travels over networks to infect other devices.” That’s why I usually use the term “malware” for malicious software. A virus is only one type. The key is that all software can be breached. But hopefully I’m not one of the rare ones this happens to!

I thought I also posted a note about how I tried Norton AV, but I didn’t see it when I came back from dinner. Odd. I no longer use Norton, because when I learned it couldn’t scan individual files, I was very disappointed. When I read more about iOS AVs, I found that most said they don’t provide much additional protection over what iOS provides, and can slow things down. So I didn’t renew my subscription.

I agree with all responders on this one key point—iOS security breaches are rare.

And I’ve come to believe that we shouldn’t put anything online that we don’t want to risk being stolen. I recall nearly a whole country’s citizenry whose data was breached by some big hacks. I don’t have time to find a reference, because I’m on a call with my middle son in a few minutes to talk about dealing w my Grandson’s autism. And tomor I have an appt with ophthalmologist to discuss my worsening glaucoma (going blind in my R eye).

I thought the Export/Import tactic would be useful and simple, because I assumed that all app-developers test those mechanisms to ensure that their app can accurately read (Import) what they Exported. I have no desire or time to look thru libcsv to appreciate its complexities.

What I’m looking for are solutions:
-how would I react if that happens.
-what losses would I sustain.

I will read & digest MrHoffman’s advice & references—as I find them pragmatic & easy to implement. No need to reply further on the preceding topics until I do another post.

One last thing… No one mentioned using data encryption to increase security. Is it not a way to increase the security of my system & data?

Thanks again!

Jul 29, 2025 3:56 PM in response to ChrisJ4203

Thanks for replying. I do understand sandboxing. I used to write programming manuals for HP. I understand a software-defect fix is different from a security update.

Why do we need security updates if security breaches are not possible? Couldn’t someone write some Swift code and stick it in a JPG or TIFF file? I know it wouldn’t normally be given the same execution permissions and access to device resources, but why are security updates needed? There must be some code that gets through the barriers of the system, right?

I don’t like to argue, but do like to fully understand situations.

I was thinking I would Export data from an app, delete the data it’s stored in iCloud, and then Import it back into the app after I did a Reset/Erase. I have more faith in the Export/Import methods than in the general iCloud storage & Restore methods. Especially if they translate the data into CSV formats.

Jul 29, 2025 4:02 PM in response to lobsterghost1

So what if I accidentally clicked on such a link? What could happen? In the aforementioned Amazon situation, they sent me a link to login to my WellsFargo app. I did it after verifying WF’s domain name in the URL. But later I kicked myself for doing that. WF said that the URL was legit, but I still didn’t think it was proper.

One time I clicked on a “From:” field in an email, and it turned out to be a graphic with malware! That was on Windows. Long story short, it killed my $1000 Surface Pro. That’s why I left Windows.
