
Is Enterprise IT Security Ready For iOS 8?

Apple bakes in more security features, but iOS 8 won't come without security ops headaches.

As Apple still reels from the sting of leaked celebrity nudes, the company hopes to up the security and privacy ante with a passel of new security features in iOS 8. However, enterprises may find that they still must work hard to secure data traversing across devices using the new mobile operating system.

Released this week for general download, iOS 8 brings enhanced security capabilities to devices, such as the option for complex passcodes, always-on VPN for WiFi connectivity, improved control over privacy configurations, and bolstered capabilities around the Touch ID biometric authentication feature on newer iPhones. For Touch ID, Apple has released APIs that let third-party developers build use of the fingerprint reader into their applications.

This last feature could be a big win for enterprises should they put the work into folding fingerprint reading into their custom mobile apps.

"Use Touch ID as a testing ground for biometric app authentication," recommends Ojas Rege, vice president of strategy for MobileIron. "Define the role and use cases for biometrics in your broader enterprise authentication strategy."

However, some experts say not to get too cocky about the security of biometrics as a single factor of authentication. There are so many ways to spoof fingerprints and fool fingerprint scanners, including the old gummy bear trick discovered in 2010, says Paul Martini, CEO of iBoss Network Security, who warns that overconfidence in biometrics could make for riskier apps.

"If you turn that feature on and have very high confidence that the fingerprint is going to make it even more secure over a password, what if something like that gummy bear thing comes up? All of a sudden you almost prefer the password or a code," he says. "I'm hoping people will use a combination of authenticators, but knowing Apple, it's a convenience thing so probably they're just going to go with the fingerprint."

In addition to security features, Apple is working hard to make consumers feel safe about the privacy of the information they store on their devices.

"Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay," wrote Apple CEO Tim Cook in an open letter to customers.

Apple reworked the encryption mechanism in iOS 8 so that the company no longer has the power to bypass a user's passcode. The company has no access to the user's encryption key and therefore no way to extract data on the device to hand over to authorities, be it personal or private corporate data. It also introduced an anti-tracking feature that randomizes MAC addresses to reduce the ability of WiFi network owners to track users. While that is a boon for user privacy in some respects, the feature could prove a big headache for enterprises, says Martini.

"That stands out from an infrastructure and security perspective because a lot of network access control systems are probably going to have weird issues as a result," he says. "Fundamentally the way they're designed depends on fixed MAC addresses. The industry has to prepare for this."

But the real work for enterprises hardening the iOS 8 risk profile will likely revolve around the operating system's latest non-security features. Apple has emphasized the ability to share documents and workflows seamlessly across devices using features like AirDrop and Handoff. However, the added level of convenience amplifies the risk of data loss and unauthorized movement of data to unapproved devices and users.

"New data-sharing mechanisms could also result in unexpected vectors of data loss," writes Rege. "Enterprises will not want corporate data to suddenly appear on unmanaged devices or in unauthorized apps. This problem is not solved by taking away these features but rather by providing the guardrails for enterprise developers to use these features effectively."
