Apple says iOS 8 is it's biggest iOS release ever, with a number of new features. Symantec's Candid Wueest outlines the new features – and an analysis of the security risk and how the features could potentially be exploited.
Last week, Apple introduced the new version of its mobile operating system, iOS 8, at its Worldwide Developers Conference. Apple unveiled many new features for iOS 8 in different categories and some of them were security related. Now that iOS 8’s new features have been revealed, it’s time to take a look at the possible security implications surrounding these enhancements.
Since iOS 8 has not yet been released, it is unclear how exactly these features will be implemented. Based on the information currently available, there is a handful of security features that should enhance iOS devices’ protection levels.
iOS app extensions – More than just third-party keyboards
One of iOS 8’s most discussed enhancements is its app extensions, which will allow third-party apps to communicate with each other.
With app extensions, third-party apps can send and receive data from one app to another through an iOS broker. This loosens up the concept of app sandboxes, which limit the resources an app can access, and allows for a wide range of new interactions to be created.
While many are anticipating the arrival of third-party keyboards on iOS devices, deeper integration of social networking apps or seamlessly integrated password managers could also be possible. Due to memory limitations, the extensions are expected to only run for a short time and may be cleared from the memory afterwards. The extensions will be executed by the system framework in their own context, meaning that they will not run inside the third-party application’s space.
iOS developers who want to use this feature will have to open up their app and prepare them to receive communication from app extensions. The iOS broker process will most likely check app extensions’ communications to ensure that they are not malicious. Although app extensions may technically be able to read other apps’ data by using the same default storage, intercept some of the traffic passed between apps or generate a keylogger, the chances of a malicious extension making it to the Apple App Store are quite slim. The extensions will be pre-screened by Apple, like with all other iOS apps, so malicious extensions will hopefully be stopped before they are distributed to iOS device owners.
Touch ID moves beyond unlocking screens
Since its introduction late last year, the Touch ID fingerprint authentication service seems to have helped to improve the security of iOS devices. According to Apple, before Touch ID, less than half of iPhone users implemented a passcode to unlock their device. Now, thanks to the fingerprint scanner, 83 percent of users have a passcode on their iOS device.
In light of this, iOS 8 will boost the abilities of Touch ID, which could help users better secure how they log into third-party applications. Touch ID will soon allow people to use their fingerprint to gain access to their third-party app passwords which are securely stored in the iOS keychain. This means that users won’t need to enter their password each time they log into an app. Along with providing improved protection, the feature could encourage users to come up with stronger and more complex passwords, as they'd know that they wouldn't have to input the password every time they access the app. On the other hand, users will probably have to rethink which of their friends or family members’ fingerprints should be registered to their device, as any registered user will have increased app access.
Managing homes and health through a mobile device
Two interesting new iOS 8 features include HealthKit and HomeKit. HealthKit will allow health apps to share their data with one another, while HomeKit will let users control household appliances and home security systems with their iOS device.
The integration of the HealthKit and HomeKit platforms into iOS 8 is a dream for developers of Quantified Self services and Internet of Things devices. A seamless integration of their services into the smartphone or tablet could give users a greater level of control of their house and their health. Of course, because of bring your own device (BYOD) policies in the workplace, users should ensure that their employer can’t get access to their private health data or gain control of their home automation system, especially when this data could open their door at home. Another concern is if a user remotely wipes their iOS device if it is lost or stolen. Users should make sure that they have a backup, in case they end up locking themselves out of their house.
Mobile devices will become an even more enticing target for attackers, considering how more sensitive information will be stored on or controlled by these devices. Along with this, there are privacy questions that need to be answered. Having an emergency medical history tab accessible on your lock screen might save your life, as a paramedic can check which medication you take. But the same tab could be seen by a curious coworker if you leave your phone unattended.
Other iOS 8 features that could impact security
iOS 8 will open its notification center to widgets and will introduce no-touch voice access to Siri. These features are long anticipated moves, but they may allow for more possibilities for attacks. There is a danger that malicious parties could take advantage of these features on a locked device in order to gain access to some of the device’s internal data. For example, if an iPhone user leaves their phone unattended, someone could control the notifications that appear on the device, such as meeting arrangements. Pranksters could also leave offensive audio messages on these devices.
In addition to the previously mentioned features, there are a few more iOS 8 enhancements that could have security implications.
Always-on VPNs: This feature could greatly improve security when an iOS device is connected to a Wi-Fi hotspot, as users do not have to explicitly connect to the VPN in order to benefit from it.
Anti-tracking feature: The introduction of randomized media access control (MAC) addresses when scanning for Wi-Fi networks will make it harder for attackers to track users. Unfortunately, it will still be possible to track these devices once they’re connected to the same Wi-Fi network as an attacker or through other identifiers.
AirDrop service for spontaneous file sharing: The main concerns surrounding this feature are that a user might be tricked into accepting malicious files or may unintentionally share sensitive documents with the wrong person.
Simple instant hotspot: iOS 8 will let users turn their mobile device into a hotspot with a single click. However, this could potentially let other people fake a pairing to this device and piggyback on the hotspot.
Handoff: This feature will allow users to start working on one iOS device and continue their work on a second device. It is unclear if the data will be passed through the cloud or will be sent directly to the device. Apple has also not detailed how the data will be secured from other parties attempting to intercept it.
Swift: The programing language Swift will have an influence on the quality of code that developers produce, but it will be a long time until all developers shift languages.
It is encouraging to see Apple talking about security and providing features to further improve the defenses of iOS devices and their data. We won’t know how effective these features will be until we see if attacks rise or fall when iOS 8 is released. Until these features become available, we advise mobile device users, as always, to stay vigilant when installing applications or enabling new features.
This article first appeared as a Symantec blog.