Apple recently released iOS 8, several updates, and two iPhone 6 models. There has been plenty of noise around the releases, from the botched 8.0.1 update to the Touch ID fake fingerprint vulnerability to concerns that Apple Pay was pushing mobile PCI scope and unknowingly sharing consumer data.
The ever-changing security posture of iOS, however, has yet to be discussed. Apple released an updated iOS security whitepaper covering Touch ID, the “Secure Enclave,” and everything in between. The paper is a good read for those curious about how hardware plays into the security posture of a device and features of the iOS operating system.
There are a number of security features on iOS 8 that were included to increase the adoption of Touch ID and Apple Pay. The security features are different from previous iOS releases and updates because the operating system is becoming a less restrictive platform.
Often, enterprises criticize Android for being too open and allowing too much interaction among applications via broadcast receivers. With the new iOS 8, we’re seeing more similarities when comparing iOS to Android. As a result, enterprises should be more concerned with the trust-worthiness of devices versus the actual operating systems.
For example, one of the worst cases I’ve seen for key logging and data theft is when users download third-party keyboards that leak or steal data on Android. Many infosec people I’ve spoken to use this simple example to explain why iOS is more secure than Android. While previous iOS versions did not allow third-party keyboards, iOS 8 does.
But the real harbinger of the future, in my view, is the introduction of app extensions in iOS 8. App extensions allow applications to make certain functionalities available to other applications. Proving Apple’s intent to make its ecosystem more integrated, these iOS extensions are different from what we see in Android; the iOS extensions give unrelated applications the ability to interact. (Whether the application you just downloaded really needs access to your SMS messages is another question.)
Another potential trouble spot is the introduction of App Groups, which allows applications from the same developer to share data with one another. While this information sharing is nothing new, it has always been done through either the server side or unsupported, covert channels, usually unbeknownst to the user. What makes the intro of App Groups a concern is that this allows applications, by the same developer, to share the same sandbox. Now the security (or insecurity) of one app could affect the security of another app. Because organizations split application development up into teams and outsourced developers, the security of apps, even when from the same company, is not uniform. This opens up organizations and consumers to greater risk.
[Read about more infosec headaches: Is Enterprise IT Security Ready For iOS 8?]
The lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one. Android is beginning to add more enterprise security features to its operating systems, and iOS is beginning to open its kimono, making it easier for developers to create apps. In the future, these two operating systems will continue to look more alike, driving the need for CISOs to focus on securing applications on mobile devices and on data security, rather than focusing on the devices themselves.