A hacking contest that makes sport out of serious security bugs paid $117,500 this week for exploits that compromised handheld devices powered by both Apple's iOS and Google's Android mobile operating systems.

The biggest of the three cash prizes was $50,000, paid to "Pinkie Pie," a pseudonymous hacker not yet past his 21st birthday, who already has collected at least two major bug bounties in the past 19 months. His previous hacks exploited vulnerabilities in Google's Chrome browser that gave him complete control of the underlying computer when it did nothing more than visit a booby-trapped website. At the Mobile Pwn2Own 2013 contest that wrapped up this week in Tokyo, he used similar drive-by attacks against Chrome to commandeer both a Nexus 4 and a Samsung Galaxy S4, which both run Android.

Like most modern browsers, Chrome is endowed with security mitigations designed to minimize the damage that can be done when hackers identify buffer overflows and other types of software bugs that are inevitable in just about all complex pieces of software. The security measures—which include "sandboxes" that contain Web content inside a carefully controlled perimeter—significantly increase the amount of work that attackers must put into developing working exploits. Also including address space layout randomization and data execution prevention, the mitigations require hackers to stitch together two or more attacks that exploit multiple vulnerabilities in the targeted device.

"The exploit took advantage of two vulnerabilities—an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape," Pwn2Own officials wrote about the Pinkie Pie hack. "The implications for this vulnerability are the possibility of remote code execution on the affected device."

A successful attack that fetched Pinkie Pie a $60,000 prize in early 2012 targeted at least six different security bugs to break out of the security sandbox fortifying the desktop version of Google's Chrome browser.

Separately, a hacking team from Mitsui Bussan Secure Directions in Japan won $40,000 for two exploits that compromised apps that are installed on all Samsung Galaxy S4 devices. After the S4 browsed a website under the group's control, they were able to access sensitive data stored on the device, including user contacts, bookmarks, browsing history, screenshots, and text messages. Officials with HP, which sponsors the Pwn2Own competition, didn't identify the specific apps that were targeted. The vulnerabilities have been privately reported to Samsung.

Last, a group from China cleared $27,500 for two iPhone hacks that exploited vulnerabilities in the Safari browser. One of the attacks captured login credentials from a device running iOS 7.0.3. Using the authentication cookie remotely stolen from the iPhone, the hackers were able to transfer it to another device and log in to the account. A different Safari vulnerability in iOS 6.1.4 allowed the same group to access photos stored on the device, again when it did nothing more than visit a website. The exploit fetched a lower-priced prize because it didn't involve a sandbox escape. HP officials have a summary of the contest here.

Odds are

This most recent installment of Pwn2Own makes it clear that it's not hard for motivated hackers to identify and exploit vulnerabilities in both Android and iOS devices that have serious consequences for users. Interestingly, there are almost never reports of "in-the-wild" attacks that actively exploit such vulnerabilities. It's hard to say why. My guess is that the cost and difficulty involved is so high that bugs are exploited only in extremely rare cases, say in state-sponsored espionage campaigns. Another likely factor at play is the relative ease of tricking Android users into installing malicious trojans that pose as legitimate apps.

Still, it's worth absorbing the lesson that has emerged from almost every Pwn2Own and Google-sponsored Pwnium competition held in the past seven years. Just because the device or software you use doesn't get the kind of headlines regularly that Oracle's Java, Microsoft's Internet Explorer, and other programs frequently exploited in the wild do, it doesn't mean it's invulnerable. With sufficient incentive, odds are that device or app could be hacked, too.