This has been a bad couple of weeks for mobile phone security as several major iPhone vulnerabilities were revealed this week which allow a malicious external website to compromise your phone when it is viewed, either in Safari or another app that renders HTML (and there are many, many apps that do).
As such, it is imperative that iPhone users apply the latest updates for iOS as soon as possible. The fixed version is iOS 8.4.1, so any iPhones running iOS versions less than 8.4.1 are vulnerable.
[For reference, here is one of the CVEs (Common Vulnerabilities and Exposures) assigned to the iOS vulnerability.]
This comes on the heels of a critical Android vulnerability discovered earlier this month, code-named “Stagefright,” after the media rendering library which contained the bug. The Stagefright vulnerability affects all Android phones going back to version 2.2 — an estimated 95% of all Android users — and allows bad actors to completely take over your phone simply by sending it a malicious text message.
Vulnerable Android phones only have to receive the text message to be compromised — opening or reading the message is not required.
Thankfully for iPhone users, the iOS bug isn’t nearly as dangerous as the Android Stagefright vulnerability and the vertically-integrated Apple was able to quickly push out a security patch to most (though not all) of its users.
Android users, however, aren’t going to be so lucky. As of today (August 20, 2015) the Stagefright vulnerability remains unpatched by Google.
The good news is that Google and Samsung have officially committed to pushing out monthly security updates to some of its phones (LG has also stated unofficially that it will start pushing out monthly security updates to some devices). The announcements, however, do not specify which specific models will receive monthly updates nor do they state how long supported phones will continue to receive the monthly updates after purchase.
It also leaves open the possibility that cheaper, non-flagship phones won’t receive the monthly security updates at all, making security updates a premium service granted only to those who purchase the most expensive models and throwing everyone else to the wolves. This also leaves little recourse for users with older phones other than to purchase a new, potentially expensive phone.
This, no doubt, is good for the bottom line of many cell phone manufacturers and carriers, but is decidedly not consumer friendly.