Last week Apple released iOS 7, featuring a completely redesigned user interface, hundreds of new features and Touch ID, a fingerprint identity sensor.
Here are some comments that Help Net Security received from a variety of security professionals.
Michael Sutton, VP of Security Research at Zscaler
As is customary, Apple has continued to raise the security bar with the latest version of iOS 7. Both consumers and enterprises will benefit from some of the recent changes.
On the consumer side, the most important enhancement is ‘Activation Lock’, which will force a user to enter their Apple account credentials before a device can be wiped. The feature is aimed at deterring iPhone thefts and is already being touted by the NYPD, who are encouraging users to upgrade to iOS 7 to obtain the feature, which illustrates just how prevalent iPhone thefts are in New York City.
On the enterprise side, Apple has made a number of changes to make O/S security more granular. Alongside MDM enhancements and restrictions on which apps can be used to open specific file types, iOS 7 now allows per app VPN configuration. The latter option is a welcome change for those enterprises that require VPN connectivity for corporate data but don’t want the hassle and battery hit of needing to enable the VPN at all times.
Apple has taken some heat following the iOS 7 launch as a couple of lock screen bypass issues have been uncovered. These are however relatively minor as they don’t allow full access to the device and will no doubt be patched quickly.
Much has also been made of a recent Chaos Computer Club post whereby they were able to bypass the fingerprint sensor on the iPhone 5S by creating an ‘artificial fingerprint’. While this makes for a great story it’s far from a catastrophic security flaw. The fingerprint sensor is an additional security control alongside the traditional pass code and replicating a fingerprint in the manner described by the CCC post is far from straightforward and requires local access to the device. One would be better off simply using the owner’s actual finger to open the device while they slept.
Xavier Mertens, Independent Security Consultant at TrueSec.be
Except if you just returned from Mars, you should be aware of the brand new IOS 7 which has been released last week. I upgraded my iPad, but will still wait a few day before doing the same with my iPhone (much more critical). Yes, an iOS upgrade is like any regular maintenance: it may fail! Be prepared to spend some time to recover! Repeat after me three times: “I will backup!”.
What’s new in terms of (in)security? Don’t be fooled, iOS is first of all a tracker! Be prepared to share your entire life with it (if you don’t review the default settings – I recommend this!). A new iOS means also that hackers from all over the world will use it as a new target. Even more, the new fingerprint reader provided with the new iPhone 5S. Security researchers already found funny stuff: Siri can disable some features, even if the phone is locked. Switching to flight mode disable the “find my iPhone” feature too. Another scary feature: “The iCloud keychain”, accounts, passwords and CC are stored in the Apple cloud…
But there are also good news: iOS 7 comes with 80 security fixes and introduces new controls like more prompts: “xxx” would like to access the microphone, “Trust this computer” when plugged into an unknown USB port. The data protection API is enabled by default for all apps. Data won’t be available until the user unlocks his device.
Finally, be careful if your iPhone is used in a corporate environment. First check with your local admin before making the big jump!
Jared Carlson, Senior Security Researcher at Veracode
Overall, iOS 7 represents a tremendous effort from Apple. From a security point of view, it’s plain to see that Apple put a focus on increasing the convenience of security. This is evident with the 5S’s fingerprint sensor, and the iCloud keychain (which was part of the beta SDK but removed from the GM, presumably until Mavericks is released). Making security more convenient is obviously a win, as we simply don’t see enough consumers and developers take advantage of the security options of mobile devices to protect their data.
As we look inside, the two areas that immediately interest me are the improved MDM (Mobile Device Management) tools and the private frameworks used to support Apple IDs. Apple is clearly looking to make the iPhone more Enterprise friendly, going through the certification process for various system components as well as increasingly fine grained control, perhaps more than most users might realize, available to an Enterprise administrator. Similarly the ID management system looks completely revamped, to help manage a user’s ID across devices and services such as Facetime and iMessage.
As iOS 7 continues to roll out I expect we’ll see some breakdowns as we’ve seen with the lock bypasses that have been unveiled. With such large changes to both the user interface and the underlying system – software and hardware – I’m sure gotchas will come up, but generally I think Apple has put a lot of work into security and will remain one of the most secure consumer devices available.
Fred Touchette, Senior Security Analyst at AppRiver
Two security issues come to mind about the latest version of the iPhone’s operating system, iOS 7. First, a bug appears to allow anyone to bypass a phone’s lock screen and access personal email, photos and social media accounts. Such security vulnerabilities give cyber criminals just enough personal information to do harm. For example, details could be used to personalize spear phishing campaigns to spoof the user into believing the message is legitimate and falling for the criminals’ ruse. Information may also be used to steal company secrets from email accounts.
The fingerprint reader has been another topic of great debate. Following on the heels of the NSA’s phone hacking scandal, the public has certainly become much more concerned about privacy, especially when it comes to mobile devices. Conspiracy theories have begun to circulate about how the utilization of a biometric device will allow digital spies to gain access to users’ fingerprints. Considering these physical features are simply stored as a string of ones and zeroes, the theory suggests that if this information can be acquired, it can be used as easily as a stolen password is currently. The only difference being that it’s much easier to get your password reset. Apple has assured people that the fingerprint data is never transmitted and is not easily accessible.
The fact is many people feel they cannot be bothered by security. Oftentimes if it requires an extra step or two to set up or to unlock their devices, a lot of people would rather choose going without. If this security feature simplifies the process and gets even a small percentage of people who didn’t use basic security before to use it now, it is nothing but a benefit.
For in-depth information on this new release, read the free guide to iOS 7.