Zero Day Exploits For Apple iPhone iOS Surge, Lowering Their Valuation And Costing Less Than No-Interaction Android Hacking Techniques

Apple iPhone, which runs on a proprietary, closed-source, and heavily locked-down version of the iOS mobile operating system, is now apparently more vulnerable to remotely executable security and privacy exploits than Android. For the first time, hacking techniques that can remotely cripple iPhone’s defenses without user interaction cost less than those required to break into an Android smartphone.

The strong belief that Apple’s iPhone’s or iOS’s security is impenetrable, could be shaken, at least in the short-term. Underground marketplaces that trade in secret but successfully exploitable flaws and vulnerabilities in iOS, the OS that runs exclusively on Apple iPhones, appears to have indicated the changing perception. For the first time, any secret hacking tool capable of remotely taking control of an Android smartphone without user interaction commands a higher price than its iPhone equivalent.

Zerodium First Reduces Then Suspends Buying iOS Security Exploits Due to Abundance of Flaws?

Zerodium, which buys and sells so-called zero-day exploits that take advantage of secret software vulnerabilities, announced that it has temporarily suspended purchasing new iOS Local Privilege Escalation, Safari Remote Code Execution, or sandbox exploits, for the next few months. Additionally, the company published an updated price list for the security vulnerabilities for iOS and Android smartphone OS.

We will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors.
Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future.

— Zerodium (@Zerodium) May 13, 2020

The suspension comes after the company reportedly started receiving a high number of submissions for exploits within the Apple iOS. The company claimed it will still be accepting iOS one-click chains (e.g. via Safari) without persistence. However, the prices for the same have been significantly reduced, and interestingly, the prices for iOS security flaws now sits below those within Android OS.

iOS Security is fucked. Only PAC and non-persistence are holding it from going to zero…but we're seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let's hope iOS 14 will be better.https://t.co/39Kd3OQwy1

— Chaouki Bekrar (@cBekrar) May 13, 2020

Zerodium’s CEO Chaouki Bekrar had a rather strong choice of words to describe the current state of iOS security. He claimed that only Pointer Authentication Code and non-persistence exploits are keeping the iOS security afloat. He additionally claimed that there are still enough exploits in these categories. Needless to add, such claims should be concerning for Apple which prides itself on the highly impenetrable security layers within the iOS.

Coming to the pricing list of security vulnerabilities, Zerodium now offers up to $2.5 million for a zero-click hacking technique that fully and silently takes over an Android phone with no interaction from the target user. In simple words,any exploit that does not require any user interaction within an Android OS commands the high price. Incidentally, this is still a rare occurrence. Still, any similar vulnerability within an Apple iOS has a price that’s $500,000 less than Android.

Speaking about the changing scenario, Zerodium’s founder Chaouki Bekrar wrote, “During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some of them. Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time-consuming to develop full chains of exploits for Android and it’s even harder to develop zero-click exploits not requiring any user interaction.”

Is Apple iOS for iPhones Less Secure Than Android?

It is rather strange to see the offer price for security exploits within Apple iOS commanding a lesser price than those within Android OS. Moreover, it is also a fact that Android, backed by Google and largely driven by the company’s services, has improved significantly in the past few iterations. Android is now far more secure than before. Additionally, Google is constantly improving the security with algorithms that being trained by AI and data.

https://twitter.com/cybsploit/status/1260342360095043587

Apple’s iOS is still considered very secure. The company has a rigorous vetting process for its curated Apple App Store. Hence experts insist that the claims by Zerodium’s could be exaggerated. They indicate that hackers, malicious code writers, and others might be refocusing on Apple’s iOS. Moreover, with the current situation, hackers might have more time to try harder to penetrate iOS security.