Apple Continues Security Push with Upcoming iOS 12

Yesterday Axios reported that Apple is delaying some features in iOS 12 in order to focus on addressing security and other performance related issues. This is likely because they have come under fire recently for a slew of security issues, which their recent iOS 11.2.5 drop (discussed below) is indicative of.

The problem, as Axios points out, is that users are not very fond of paying for security fixes, much rather paying for flashy new features instead. Unfortunately, Apple iOS devices are at every level of personal and business lives, with many critical functions of daily operations entirely dependant on iOS devices held by busy execs jet setting around the world.

With crackdowns on privacy breaches, and new security regulations such as GDPR, every organization is walking a minefield when it comes to data protection and mobility. The market needs leading smartphone organizations to continue their push into stronger and more effective security in order to prevent massive privacy infractions or data loss.

Apple’s Most Recent Security Fixes

Apple’s most recent security fixes for iOS 11.2.5 include a slew of CVE’s across a number of core OS systems. These include:

  • Audio: CVE-2018-4094

  • Bluetooth: CVE-2018-4087 & CVE-2018-4095

  • Kernel: CVE-2018-4090, CVE-2018-4092, CVE-2018-4082,CVE-2018-4093

  • LinkPresentation: CVE-2018-4100

  • QuartzCore: CVE-2018-4085

  • Security: CVE-2018-4086

  • Webkit: CVE-2018-4088, CVE-2018-4089 & CVE-2018-4096

The majority of above security fixes address issues with memory corruption or initialization that if exploited may allow malicious applications to gain access to restricted areas of memory or to execute arbitrary code with kernel (admin) level permissions. This is one of the primary ways in which malicious code exploits operating system and application vulnerabilities and is often the focus of zero day exploits.

Further information on the above CVE’s can be found on Apple’s Support Site.

How Does Apple Protect Devices & Users?

The perception is that Apple devices are fairly secure devices, and the assumption is generally sound, but looking back to the most recent iOS security release we can see that even a “secure” system still has a host of issues and vulnerabilities that can lead to bad outcomes.

While on the surface the above list of security fixes looks bad, we have to give Apple credit as they do go about security in a very rigorous way. Their security program covers a broad spectrum of security concepts and provides protections at all levels of the device including hardware, firmware and software. A great reference to this is from Apple’s own iOS security guide:

Up and down the stack Apple provides protections that cover a number of sub-topics including:

  • System Security

  • Encryption and Data Protection

  • App Security

  • Network Security

  • Apple Pay Security

  • Internet Services Security

  • Device Controls

  • Privacy Controls

The amount of specific security measures Apple implements is staggering, so we won’t cover those here, but we encourage you to review their iOS Security Guide to gain a full understanding of how they approach security and what security mechanisms are in place.

2018: A focus on Security

As we previously discussed in our 2018 Mobile App Security Outlook, there’s a number of ramping activities that we’ll see in 2018 including record levels of mobile payments and purchases, increased use of cryptocurrency and malicious activities like cryptojacking, and smartphones being used to control the Internet of Things devices (which we like to call the Internet of Threat). All of these activities mean we are ever more dependant on the security of that little supercomputer we carry in our pocket.

Apple is doing their best at keeping up with the pace, but security has always been a lopsided equation. Our recommendation is to stay current on releases, but also don’t just trust the source (in this case Apple). Ensure you’re leveraging 3rd party solutions to protect smartphone devices and the applications that are being deployed on them (especially apps that are critical to business functions).

What to do next

Contact us to see a demonstration of the RECON Platform

Watch an overview of the Mi3 Security Portfolio