iOS 8 arrives. Security consequences?

Apple has announced new versions of its operating system. OS X and iOS become closer, gradually merging into a single environment. How well is it protected?

Apple made big news yesterday on WWDC14 announcing new versions of both of its fabulous operating systems – OS X and iOS. Such announcements are always a big deal and a major event, of course, but this time it’s not just about new operating systems. Aside from those,  Apple made a couple of announcements with potentially big ramifications and repercussions ahead. Some are directly related to security.

Well, first of all, hello, Mac OS X Yosemite, hello iOS 8. Earlier, these platforms had been evolving more or less independently, but now it seems as though they are on a collision course with more and more interpenetrating features and apps. For instance, here comes Continuity, a feature that lets you seamlessly start a task on a mobile device, and finish doing it on a Mac (composing an e-mail, for instance). Sure thing this privilege isn’t going to be available to a Mac owner with an Android phone or an iPhone owner with a Windows PC.

Also, Apple finally “mounted coattails” of Google and Microsoft, providing its iCloud service with a fully-fledged file hosting capabilities similar to Google Drive, Microsoft’s OneDrive or Dropbox: iCloud Drive. It allows storage of any type of file, and to access it “on any device”, which actually isn’t exactly true: iCloud is unavailable for Android users. Besides, iCloud Drive, like many other functions of newer operating systems, will only be available to the users of the new hardware due to be shipped this Autumn.

800_1

Effectively, this means that Apple is going to create a unified “Apple-only” environment to bring in more users. This also means that all of these devices – Macs, iPhones, iPads and iPods – are going to be protected essentially by their Apple ID alone.

This authorization system is quite robust, or at least doesn’t look any worse than anything else (description is available via the previous link). In essence, Apple provides new users with a free email, which requires a password, of course.

Then this single password provides access to almost anything Apple: iTunes and App Store purchases, browser history, documents and – as soon as iCloud Drive is up – to all of its contents too. Users have to input their Apple ID passwords quite often – it is necessary to buy anything at Apple’s stores or to update apps. In other words, a lot depends on this password, and it’s up to the user to make it secure, a task not often performed well by users.

This constitutes a weaker spot for possible attackers, especially since users can get access to their iCloud mail via the browser on a Windows PC, for instance.

Another extremely interesting announcement is the new SDK for iOS 8, containing over 4,000 new APIs. “iOS 8 allows developers to further customize the user experience with major extensibility features like Notification Center widgets and third-party keyboards; and introduces robust frameworks such as HealthKit and HomeKit. iOS 8 also includes Metal, a new graphics technology that maximizes the performance of the A7 chip and Swift, a powerful new programming language,” Apple’s press release reads. It further elaborates on new features and frameworks, such as HealthKit (which is supposed to “revolutionize how the health industry interacts with people”), home automation oriented HomeKit, Metal, new graphic technology for gaming, and Swift – new programming language for creating apps for both iOS and OS X.

Beta of the SDK is available to iOS and OS X Developer Program members at developer.apple.com.

800_2

Well, for starters this means new level of openness for iOS: a wider availability for developers. The concept of “wider availability” (at least the one that suggests that development tools are made more “accessible”) is always bit of a debated matter.

As ZDNet columinst Stilgherrian put it, “By opening up inter-app communications in iOS, including communication with apps that control external network devices, and by providing more ways for the user to interact on the lock screen — that is, when the iDevice is still meant to be locked — Apple is massively increasing what information security practitioners call the attack surface.”

Stillgherrian (which looks like a sort of Apple-sceptic) suggests that new tools will “over-encourage” new, “suddenly-inspired” developers, which possibly means that there is going to be a huge influx of new apps built by newcomers, who don’t give a lot of thought to the security of their software.

Also, “the increase in personal data that will be captured by new home and medical devices will make iOS devices an ever more attractive target”, Stilgherrian said.

These reservations are somewhat justified, or at least the second one is. Apple has to deal with an avalanche of new badly-written apps on a daily basis, so it’s unlikely it would be impressed by a decuman wave of fresh mobile “slagware” if there is going to be any.

Besides Apple has introduced a new programming language Swift. Among other things, it had been designed, according to Adrian Kingsley-Hughes, “to do away with entire classes of unsafe code. Variables are always initialized before use, arrays and integers are checked for overflow, and memory is managed automatically.” As long as it works as expected, this will provide a certain level of basic security. So there’s no reason to expect any groundbreaking decrease in overall security of Apple platform.

However, just like with every software, this security isn’t absolute. Earlier this year a handful of Apple’s security failures had been reported. For instance, in February the release of iOS 7.0.6 had been rushed ahead of time with a patch for a “shockingly overlooked” SSL encryption issue that left iPhone, iPad and Mac computer users open to a man-in-the-middle (MITM) attack. 

In May, a number of iPhones, iPads, and Macs users in different parts of the world fell victims to ransom attacks with their devices remotely locked. Apparently somebody had stolen these users’ credentials, but it’s unclear where they came from. Apple has denied that iCloud had been hacked during those attacks, but just a few days before a Dutch-Moroccan team of hackers calling itself “Team DoulCi” have claimed to hack a protective feature on Apple’s iCloud system. That could leverage an attacker to remove security measures on lost or stolen iPhone devices. Or lock them remotely

In other words, Apple usually is doing well with its security. But there is no absolution and there is a growing interest from the cybercriminals.

What does it all mean for businesses? – Lots of vigilance and a good MDM system. Probably, if the sceptics’ concerns are substantiated and the average security level of Apple’s new devices indeed goes down in Autumn, the vigilance should go up more than ever.

There is no reason to expect any malware epidemics on iOS any time soon, though. During his keynote at WWDC14 Apple’s Tim Cook slammed Google for it’s 99% share in mobile malware, which is by no means a problem for iOS. Hopefully it stays that way for a while.

But aside from malware there are other threats, and again, there is no absolutely safe systems. With Apple ID a lot of things relies on a single password, which means that if it is weak, the device and associated services are insecure. Thus, there’s no such thing as an “excessive” amount of reminders of how important it is to have good passwords.

Tips