Following the release of iOS11, Appthority previewed the security enhancements and new mobile application features and found three security impacts that are important to consider.
1. SECURITY GRANULARITY
Apple has introduced a new Location Services setting, which allows users to restrict an app’s access to location data when not in use. This capability helps to protect individual users’ privacy and potentially sensitive data by affording the user or admin more control over when location data is available to apps.
However, location is just one type of data that can violate user privacy. According to Check Point’s analysis, out of the top 100 apps in enterprise environments, 16% of them send location data back to a server, while 42% access the microphone and 81% access the camera. Whilst Apple MDM provides enterprise customers the ability to disable the camera on managed devices, this would impact the other legitimate uses of the camera. Appthority state that a future update is necessary to allow users and enterprises to restrict background access.
2. PROS AND CONS OF SMS FRAUD DETECTION
Business Chat is a new feature in iOS11 that allows users to chat with companies they find through Siri, Maps, Safari and Spotlight, and users will be able to use Apple Pay for financial transactions on Business Chat. Therefore, Apple have introduced SMS fraud detection to warn users when they receive an SMS message that could be fraudulent. Once iOS11 is deployed all iMessages will be stored on iCloud. You may ask what the problem with this is; however, enterprises may need to modify their security policies if their confidential business messages are being stored by a third party which could be breached.
3. UNCHARTED AND UNINTENDED CONSEQUENCES OF CORE ML
iOS11 debuts artificial intelligence (AI) and machine learning (ML) related features that apps could use, including malware. For example, an app accessing your photos may be able to gain access to deeply personal information such as your location. Whilst Apple argues the intention is to maintain Core ML data on the device, from experience we know that we cannot always trust third-party apps to do what they’re supposed to do. This information is a new, untapped source of personal metadata readily monetisable by someone for marketing or other purposes.
Similarly, it appears that Apple might be unintentionally equipping malware writers with AI. These Core ML APIs can be abused by malware apps; adware, for example, can learn about users' sleep patterns and launch attacks during 'sleeping' hours. This new iOS11 feature makes this a good time for security companies to start considering AI detection methods in their malware detection models.
UPDATE ON APPLE’S COMPULSORY SSL/TLS ENFORCEMENT ON THIRD-PARTY APPS
Last year Apple announced that all third-party apps would have to follow its App Transport Security (ATS) requirements by the end of 2016. In a previous report Appthority calculated that only 3% of the apps complied with the requirements by the deadline. As of Q3 2017, 16.5% of iOS apps are fully following ATS requirements. Whilst this is a solid improvement it is important to note that 83.5% of the most popular apps are still not following the full ATS requirements, leaving them exposed to various types of network vulnerabilities.
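One way to check an app against the ATS and privacy points above, as an added example (not Appthority's or Apple's tooling): a Python audit of an app's Info.plist that flags ATS exceptions and location, camera and microphone declarations. The sample plist is constructed, and treating "fully following ATS" as "no ATS exceptions declared" is an assumption, since the page does not give Appthority's criteria.

```python
import plistlib

# Constructed sample Info.plist (not taken from any real app).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>cdn.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
  <key>NSLocationAlwaysAndWhenInUseUsageDescription</key><string>Nearby offers</string>
  <key>NSCameraUsageDescription</key><string>Scan receipts</string>
</dict></plist>"""

# Keys that switch ATS off globally or for a content class.
GLOBAL_FLAGS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia")
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}  # ATS default minimum is TLS 1.2
PRIVACY_KEYS = {
    "NSLocationAlwaysUsageDescription": "background location",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "background location",
    "NSLocationWhenInUseUsageDescription": "in-use location",
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone"}

def audit_info_plist(raw):
    """Return a list of findings for one Info.plist (XML or binary)."""
    info = plistlib.loads(raw)
    ats = info.get("NSAppTransportSecurity", {})
    findings = [f"ATS: {flag} weakens ATS app-wide"
                for flag in GLOBAL_FLAGS if ats.get(flag) is True]
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"ATS: cleartext HTTP allowed for {domain}")
        if exc.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"ATS: TLS below 1.2 allowed for {domain}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"ATS: forward secrecy not required for {domain}")
    findings += [f"PRIVACY: declares {label} ({key})"
                 for key, label in PRIVACY_KEYS.items() if key in info]
    return findings

def fully_ats_compliant(raw):
    # Assumption: "fully following ATS" means no ATS exception is declared.
    return not any(f.startswith("ATS:") for f in audit_info_plist(raw))
```
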
CONCLUSION AND RECOMMENDATIONS
Apple is taking positive steps towards creating a more secure mobile ecosystem by adding new security and privacy features. However, due to the new features introduced in iOS11, Apple is also introducing a new potential for data exposure and vulnerabilities.
Appthority recommends that enterprises:
- Take advantage of the new background location privacy option to reduce the risk of geo data leakage
- Continue analysing and monitoring apps for risky behaviours and select those that implement best practices
- Begin monitoring the new capabilities introduced in iOS11 to understand the potential risk of data exposure and loss