How do the new features in OS X Yosemite and iOS 8 impact security and privacy?
At the annual Worldwide Developer’s Conference (WWDC) Apple announced the latest versions of OS X and iOS. With this announcement came a long list of new features and technologies that as a whole work towards providing a more seamless experience for users of both their mobile and desktop products.
There are a significant number of privacy and security questions that users should keep in mind should they decide to participate in Apple’s newly announced Public Beta program.
To Apple’s credit, they’ve come a long way with security, at least when it comes to providing more information to people. Apple released a fantastic white paper earlier this year – iOS Security, which does a good job of explaining key security features in iOS devices and how they operate. Apple also released some guidelines explaining how they work with law enforcement.
This article will discuss many of the new features and technologies and some of my thoughts and analysis of those features. My assumption is that Apple has baked-in many security features into these technologies. I certainly hope that is the case.
The latest version of OS X has many new features that have significant security or privacy concerns. Let’s take a look at some of them:
Mail.app: Apple announced the ability for users to “mark up” mail. You can easily scribble notes, use your touchpad to virtually sign an email, draw graphics and text on pictures. But how will this feature work with “secure” documents like protected PDF files? Apple claimed you can mark up PDFs and send them back, but what if you’re the sender of the PDF and don’t want someone to mark it up? Will Mail.app respect your security settings and prohibit the marking up of secure documents?
Spotlight: Apple announced significant extensions to their search tool. Now everything is simply “…at your fingertips”. Start typing, and Spotlight will fetch data from Wikipedia, relevant maps, restaurant reviews from Yelp, news stories, you name it.
How is Apple presenting these Spotlight searches to these third parties? Presumably through an API, but do those services become aware that the searches are coming through Spotlight? While that information doesn’t seem all that private, third parties collect data from scores of sources and cross-reference them to build comprehensive user profiles. The more information a third party gathers about you, the more tailored targeted advertising can get-Â¦ and in the case of someone with a more nefarious purpose, these profiles can be used to build dossiers that could be used in spearphishing campaigns.
They also discussed using Spotlight to bring up recently used or created files in applications, such as a spreadsheet in Numbers.app. What happens in situations where multiple users (think parents and children) are using the same Mac – especially in cases where Family Sharing is enabled? Does Spotlight “hide” files you shouldn’t see? Can you lock down files in your user account from appearing in other user’s Spotlight searches? The potential for snooping is huge: kids reading their parents’ emails with their teachers, spouses reading each other’s emails, confidential spreadsheets. Previous versions of Spotlight enabled you to exclude directories of your choosing from being indexed, and certain per-user directories aren’t indexed-Â¦ but what if you’re a parent and you actually want to index your children’s directories?
Finally, what’s being done with all of this Spotlight data? Is it being stored locally? Is it shared with other Apple devices locally? Is Apple collecting any of it? What are they doing with it?
iCloud Drive: With the explosion of cloud-based file sharing and storage, of course it makes perfect sense for Apple to extend their popular iCloud service to provide storage of files and photos. Apple now says that you can “-Â¦store whatever you wish-Â¦ synchronized across all your (devices)”. All of these files will also be accessible to you via your iOS and your Windows devices.
Other cloud-based file storage solutions like Dropbox often save on space by searching accounts for identical files – say a photograph, funny Internet meme image, song or PDF – and only stores a single copy of the file across all accounts for retrieval later. What’s not known is if Apple will use similar technologies to save on disk space at their iCloud data centers.
Safari: The Internet browser saw a number of changes and new features. From a privacy perspective, perhaps the most important added feature is the ability to open a “Private Window”. A private window, as opposed to a private tab, enables you to open a new browsing window where any tab you open up will be private (Google’s Chrome Internet browser calls this “incognito’).
This would be a great feature for those people who want to open a whole bunch of private tabs at once – for example opening all of your banking and credit card online accounts. Open up all your accounts at once in a private window session, then work through them one at a time.
Continuity: Apple stated that one of their main goals is to allow “…the transitions between… devices to be as natural and seamless as possible.” Calling it “Continuity”, Apple has announced a number of new features that provide an apparently seamless movement from one Apple product to another.
AirDrop now works between iOS and OS X. This is great – I can certainly think of many times where an image or file was on my Macbook and I wanted to get it to my iPhone. Typically I would just end up iMessaging or emailing it to myself, which is not a very elegant method of transferring files.
But does the new AirDrop only work with devices you own or control? In the case of an enterprise or business, what’s to stop a malicious insider on a corporate network from grabbing someone’s iPad when they’re out to lunch and AirDropping sensitive data to the insider’s Macbook?
Handoff: This is part of Apple’s continuity concept that has the ability to be a fantastic feature if it works as well as demonstrated: start working on something on your iPad while on the subway home from work, pick it up exactly where you left off when you get home on your Mac.
But how does Apple transmit this info between machines, especially machines not on the same network? Do the devices have to be located on the same network? If not, we can assume that these “handoff” files are stored temporarily in the iCloud Drive, but how is that data being transmitted to Apple? How is the data being stored by Apple? Can they access it? Presumably this info is being transmitted with encryption… how are the keys being generated to transmit? What encryption method is being used? Is it complete end-to-end encryption, or is it being encrypted by the iCloud servers? Can Apple decrypt that info if they wish? Can law enforcement access it? Can it be monitored in real time if Apple were served with a National Security Letter or court order?
End-to-end encryption isn’t typically used, but there’s no reason Apple couldn’t use it: your devices would silently generate a shared private/public key pair while located on the same network the first time you set everything up. Then from then on, it wouldn’t matter if the devices were local to each other or not – just encrypt that data using your public key, send it off to iCloud Drive’s servers, and your other device pulls it down and decrypts it using the previously-created private key.
An interesting quote from the keynote said: “Turns out now that when you’re working on your Mac, the devices around you… are aware of each other and are aware of what you’re up to.” That sentence should make most security-conscious users very concerned. What if your coworkers, kids or spouse have iPads and iPhones that are “around you”? Are they also able to see “what you’re up to”? The possibilities for silent monitoring exist if this is the case.
Instant Hotspot: Setting up a mobile hotspot using your iPhone or cellular-capable iPad is pretty simple in iOS 7. Apple has decided to make it even more simple to share your Internet connection in iOS 8.
No Internet access? If your phone is nearby, you can set up a hotspot in a click. “…(Y)ou never type a password, and you’re on the network that easily.”
“…and this works even if your phone is sitting in a handbag on the other side of the room-Â¦ you never have to touch it.”
What happens if you’re at an airport or your local coffee shop? Can you click someone else’s phone that’s sitting in a bag, set up a hotspot, and “steal” their bandwidth? Say goodbye to your monthly data cap!
Are these connections logged in any way? Is there a way for someone at least to determine if someone “stole” your Internet connection after the fact? Knowing Apple, it will be incredibly easy to set this up for less “skilled” users, meaning the potential for abuse by those in the know might exist.
Finally, what about AirDrop and the whole handoff proximity feature? While as of today, OS X malware isn’t anywhere near as prevalent as Windows malware, if you could get yourself in “proximity” to someone else’s Mac, maybe you could “drop” a piece of malware to that device that leverages an unpatched exploit to execute…
My hope is that all of this is hidden behind your authenticated iCloud account… but if that’s the case, then Instant Hotspot will only ever work for your own devices that are currently authenticated with iCloud and Apple. There will have to be another way (like the current iOS Mobile Hotspot feature) to set up a hotspot that you might actually want others to use.
SMS/Text Messaging: For iMessage users, it’s certainly been a long-standing pain to deal with bouncing between those blue iMessages and “inferior’ green text messages. Now iOS 8 and OS X Yosemite will “forward” SMS from your iPhone into Messages.app on your other devices.
Apple says your phone can act as a relay for your other devices. You can also reply back to that non Apple message from your other devices via SMS. How is this happening? Is your non-phone Apple device relaying that message back to the phone via the Internet or local network to be sent from the phone as an SMS? Or is Apple providing an SMS gateway on their side to relay SMS on your behalf? In either case, what’s happening with the SMS contents? Is Apple storing them? Is that data accessible to Apple in any fashion, and then to law enforcement?
“(B)elieve it or not, we’re able to do the same things with phone calls…” Similar questions as text messages apply: is the phone acting as an actual true relay? Or is Apple providing some sort of back end VoIP solution to send out calls? In either case, these calls are being sent over your network and the potential for tap and intercept, especially in public areas/open networks, exists. Apple hopefully is encrypting the call when relaying it between your OS X computer and your iOS device.
What about third party apps that can monitor your audio ports? How hard would it be for someone like the NSA to build an app that would silently monitor your Mac for phone call audio, record it and send it off to their servers for automated collection and potential review later? Whether sent exclusively via your LAN or via the Internet, is phone call audio being sent with any sort of protection or encryption across that network?
There are a lot of fantastic new features coming up in Yosemite, and I’m certain over the next days and weeks we’ll learn more about what mechanisms Apple has put in place to protect their users and their privacy while providing this seamless transition between devices.
Apple’s CEO Tim Cook reported some interesting figures today about iOS 7: he claimed that 89% of iOS users are using iOS 7, but how many of those are using iOS 7.1.1? There have been a significant number of security fixes over the life of iOS 7.
This leads to an interesting tangent: Apple claims that only 9% of Android users are using Android 4.4 KitKat, and a full 1/3 of Android users are using 4 year old Android OS firmware. Platform fragmentation and putting the onus on the device manufacturers to provide updates continues to be a massive issue for the Android ecosystem.
Of course, Mr. Cook used his stage to take a few potshots at Android, noting that Android “-Â¦dominates the mobile malware market”. Of course, in our 2014 Threat Landscape Report, we reported on how prevalent this “toxic hellstew” actually is, and our findings show mobile malware is even worse than the 99% Android claimed by Apple.
iOS Spotlight changes: Just like the changes to Spotlight in OS X, Apple says that “everything (is) at your fingertips”. But is this data being stored as well? Locally or remotely? Is Apple building customer activity profiles like Google does? If so, can you ask Apple to remove that profile if you decide to leave the Apple ecosystem? Google’s recent legal headaches in the EU involving EU citizens and the “right to be forgotten” should be a portent for Apple and other companies doing business in the EU.
Keyboards: Apple announced QuickType. This is a new predictive typing tool that is “incredibly smart” and auto-suggests words to complete sentences. Are these suggestions coming from the device itself or from a remote source? In this case, they claim it’s entirely local to the device and private-Â¦ but let’s look at the exact quote in the keynote: “All of this learning is local to the device, and none of your keystrokes leave the device.”
Apple is always very careful in how they make statements like this. They don’t actually say that the learning stays local. Just that the learning is learned on the device. They say only the keystrokes don’t leave the device.
Which makes sense to me: if you switch from your iPhone to your iPad to finish typing an email, does your iPad need to relearn everything? That would be incredibly frustrating for a user who expects iOS to offer similar suggestions from one device to the next. So where is that “learning” stored? On each device under your control? Or in iCloud? Can you purge that “learning”?
Messages: Apple announced the ability to share your physical location to people you communicate with through iMessage. Of course, the privacy implications of that are pretty obvious.
You can share for a moment, share for a bit longer, or share indefinitely. But is it sharing your location on a per conversation basis? Can you share your location with only certain people in the chat or must it be everyone? Likely the latter. This potentially is a great feature for parents-Â¦ but can you set up your kid’s device to always share their location info with you and lock that from being changed?
Apple also announced the ability to add audio and video messaging to an iMessage conversation. Neat feature. They also announced that these messages are self-destructing: great! Largely explained as a space-saving feature, and for people with low capacity iPhones this is a Godsend-Â¦ but can others save those audio messages if they want? Are these messages transmitted to other iMessage users in the chat securely?
They also demonstrated the ability to listen to these audio messages right from the lock screen: simply raise your phone to your ear and the message will play. But let’s say you leave your phone on your desk, someone walks by, sees a new audio message notification and decides to snoop? It appears the default auto-destruct is around 2 minutes – what happens then? “I sent you a message, it got delivered and then expired, so CLEARLY you heard it. Why are you ignoring me?” Hopefully there’s some fine-tuning available there-Â¦ the ability to prank others or cause marital strife likely demands it.
You also apparently can simply reply to an iMessage chat with an audio message by raising your phone to your ear from the lock screen and speaking. Similar issues happen here: what’s to stop someone else from grabbing your unattended phone and saying something incredibly embarrassing or offensive? Unless you have the ability to restrict this feature, you no longer have the ability to control outgoing messages.
Health/Healthkit: This is perhaps the biggest announcement from a privacy perspective. Apple stated that “…developers have created a vast array of health care devices and accompanying applications” which are used to track all sorts of sensitive health or fitness related information.
Activity trackers like Fitbit and Nike+, heart rate monitors, sleep monitoring applications, “smart” weigh scales, blood glucose monitors for diabetics, blood pressure monitors are all part of the iOS ecosystem today.
Apple built Health.app and Healthkit because today all of that information “lives in silos” and you are unable to “…get a single comprehensive picture of your health.”
All of these applications can “contribute” to a “composite profile”. Health.app “protects your privacy” by limiting what info these apps can use in health.app-Â¦ but how? Do you have to grant express consent for every piece of data? Can you grant a health-related application blanket permission to access everything – including new data that shows up later when you add a new sensor? HIPPA and other healthcare data legislation can be a huge, swampy mire-Â¦ how is Apple specifically protecting your information?
There’s also an emergency ID screen that can be accessed from the lock screen – think of it as a MedicAlert bracelet, but far more in-depth. But since it’s available from the lock screen… what’s to stop someone from picking up your phone and determining what medications you’re taking? Think of the privacy implications when it comes to someone with a serious chronic illness like HIV/AIDS, cancer, diabetes or any other serious illness that you may not want others to know about.
Other apps are going to be able to monitor specific pieces of health data – like blood pressure – and alert your doctor. While situations like this are altruistic in nature, how do you stop other health apps from collecting this data? Can you revoke this data access later on if you want?
Family Sharing: The new Family Sharing feature allows up to 6 “family members” to share reminders, calendars, photos and other features like “Find my iPhone” and location sharing. You can also “share” purchases like songs, movies and apps if all members are using the same credit card for purchases.
A new much-demanded feature is the ability to “ask permission” to spend your money as a parent: Apple paid out $32.5 million earlier this year in a settlement with the US FTC over “unauthorized” in-app purchases, so that was likely a major impetus for adding this. Both Apple and Google found themselves in hot water in cases where kids using “freemium” games and apps spent literally thousands of dollars without their parents knowledge or consent.
On the Developer side, Apple also made some announcements:
Extensibility: Apple is now going to allow apps to extend themselves to provide services (and data?) to other apps.
How do you control security and privacy? What happens when one app sends malformed data to another app?
Apple claims that extensions live inside each app’s individual sandbox, and all information is passed through iOS to the app it wishes to communicate with. Are there protections in place against one application attempting to cause strife with another? Until we know more, I speculate that the ability for applications to accidentally (or worse, intentionally) jump out of the sandbox just got a little closer to reality.
Non-Apple Notification Center Widgets: Apps can now create widgets to extend the functionality of Apple’s Notification Center. Apple demonstrated how a widget tied into your eBay app would work. You can now literally bid on items through Notification Center. Will apps provide some level of additional protection to ensure you can’t do things like place a bid from the lock screen?
Can you imagine the wrath of a parent who had a bunch of items they were watching or bidding on and ended up buying something they didn’t want to because Junior randomly swiped and poked at the locked screen of Dad’s iPad?
Keyboard Extensibility: One criticism Apple has faced for a long time is their steadfast dedication to the default iOS keyboard. Today they announced the ability to install third-party keyboards. Keyboards like Swiftkey and Swype for Android have been incredibly popular and successful.
These keyboards “by default” run in the “most restrictive” sandbox available, because Apple wants to “…protect your privacy”. But Apple is allowing third-party keyboards the ability to ask you for “Full Access”. This is a “big deal”.
I expect there to be a significant number of “free” third party keyboards made available via the AppStore that will request this Full Access and then send all of your typing to the app developer. It doesn’t take a rocket scientist to see how easily and quickly this can be abused-Â¦ and Apple is overtly allowing developers the ability to now monitor keystrokes via an installed third party keyboard. We’ll see how this plays out over the next few quarters.
TouchID: As expected, Apple is opening up TouchID to application developers. In the case of applications that wish to use TouchID, the application does not get access to the fingerprint data itself: the application is simply requesting Keychain access and you use your fingerprint via TouchID as a mechanism for unlocking Keychain and providing your Keychain password.
This is actually a great feature, as it will allow users to create much more complex mobile app passwords and then just use their fingerprint to provide them to the application. How complex are your mobile app passwords compared to your desktop ones? The answer is likely “much less complex”.
One thing that wasn’t mentioned though, and what I called for way back when I first researched TouchID and presented my findings, is the ability to extend TouchID as a true two-factor authentication solution. It appears that you still can not secure your iPhone 5S with both a passcode and a fingerprint. This really needs to happen.
HomeKit: Apple has announced a platform for the “smart home”. Similar to how HealthKit is expected to work, HomeKit will exist as a framework for third-party applications to exist under one umbrella. Apple claims that it is a “common… protocol with secure networking to ensure only you can… unlock your door.” Lights, door locks, garage doors, webcams, thermostats all have the ability to potentially be managed through HomeKit.
How does this work? What protections are actually in place? How is data protected and communicated? Can devices communicate with each other or does everything work as a communication between your HomeKit app and each device? For example, can you have your webcam that’s watching your door send a live alert/stream to you at the office if the front door opens? Hopefully Apple will publish a white paper that outlines more on how HomeKit operates and how to ensure no one else can interfere with your Smart Home.
Swift: Apple also announced a new programming language, called Swift. Swift was described as “Objective-C without the C”. Digging into Swift is a little beyond the scope of this post; I’ll take a deeper look in the future… although they do mention that Swift is incredibly fast at RC4 encryption… does this apply to other encryption methods? Why did they mention RC4 specifically?
There were a lot of great new things announced by Apple. I continue to be amazed by how far technology has come since the Internet really took off in the mid-1990’s – by scores of companies. It is my hope that Apple has given security a primary place in developing all of these new tools and features. We shall see in the coming months.
Author: Richard Henderson, Security Strategist, FortiGuard Threat Research and Response Labs at Fortinet.