What will Apple’s latest operating system mean for the security of its devices? CBR rounded up 8 industry experts to give their views.
1. All new OSs bring security challenges
Nicko van Someren, CTO at Good Technology says:
"While iOS 9 introduces new security capabilities and will very likely be more secure than its predecessors, any new operating system release brings new bugs and undiscovered exploits in the places where new code is written.
"The constant pressure to add ever more new capabilities and features year over year often comes at the expense of new APIs that can leak and new code that can be exploited.
"From a CIO’s perspective, new OS versions mean ensuring corporate and third party apps are compatible so users don’t unknowingly incur risks to their company by rushing to upgrade their devices.
"Enterprises need to expand their thinking beyond patching systems retroactively and ensure that they proactively test apps and systems in advance of the new release."
2. Device protection made easier for enterprises
Sean Ginevan, Senior Director Strategy at MobileIron comments:
"The iOS 9 update makes it easier for IT departments to protect devices, while maintaining user experience. Previous security gaps in Apple’s iOS have been corrected with iOS 9, with employees now able to access the apps and content they need, with less security barriers in place.
"Security improvements in app, device and network security, have made managing a corporate device simpler for corporate IT departments and more transparent for users.
"The new trust user interface allows users to know when they are installing an app from an unauthorised enterprise developer. Users operating under a managed service will be better safeguarded when downloading new apps, even though IT departments will not be able to block unmanaged apps on employee-owned devices."
3. You can’t rely on an OS vendor to solve security woes
Eldar Tuvey, CEO and Co-founder at Wandera, says:
"With the release of iOS 9, Apple has incorporated some security updates and introduced enhancements such as new MDM controls. While these optimisations are noteworthy, enterprises are still exposed to mobile threats that exploit the underlying design of the mobile operating system.
"For example, iOS devices can be fooled into attaching to rogue Wi-Fi hotspots, and approved apps can still leak user credentials over unencrypted channels. Device configurations are important for maintaining security, but so is thorough app analysis, real-time network protection and infrastructure security.
"We are unlikely to ever see any of this capability delivered through an operating system vendor — they simply lack the visibility into the real-time traffic to provide adequate protections for all the various mobile threats that exist."
4. Raising the app protection game
Graham Stuart Watts, Senior Product Manager at SOTI, says:
"Mandatory HTTPS communication for apps has been teamed with improved policy controls to govern the installation of third-party enterprise apps.
"Whilst this does restrict installation of apps from other developers, one of the greatest security threats to the corporate network is from slapdash app development where the speed of deployment has come at the expense of the necessary level of security enterprises must maintain.
"Finally, Apple has release additional tools to protect corporate data by restricting AirDrop transfer and offer better governance of this feature.
"This is very important in light of the newly discovered AirDrop vulnerability which allowed hackers to install malware on the devices without even needing the victim to approve the transfer. Before this update, simply initiating the AirDrop was enough to allow the malware to go through."
5. Google and Apple spar over ad-blocking
Jerry Mumford, Sales Manager for Frontier Technology, comments:
"There are some clear security problems for Apple’s latest mobile operating system. It’s so clear in fact, that Google have informed developers on how they can bypass them. Google announced the five lines of code that developers can use to bypass Apple’s ATS.
"ATS (App Transport Security) is one of iOS9’s newest features and requires all content to implement the HTTPS encryption standard. HTTPS is designed to encrypt the users data in a way that it can’t be read or manipulated by third parties.
"This feature will essentially block some of Google’s ads (a massive part of their revenue). They are understandably quite concerned and released this statement on their blog which shed some more light on their actions.
"While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems.
"To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully."
6. Steps towards greater privacy and security
Mark James, Security Specialist at IT Security Firm ESET says:
"[It is] a nice set of advancements. Apple stated quite clearly in their keynote that they do not want to know your personal information where possible. After all, if they don’t know or store it, they can’t lose it, right? So not associating your information with your Apple ID and not sharing that info with third parties helps to back up their statement.
"They have also increased the use of two-factor authorisation (2FA). This can now be used for not only logins from new devices but new browsers as well. It will also protect any iTunes purchases if you wish and should be activated for greater protection.
"I like the idea of the ability to allow developers to create ad-blocking extensions in iOS 9; these days it’s one of the more common means to deliver malware and one that can affect the iPhone unlike many traditional methods used these days."
7. Changes to sideloading are a ‘serious win for security’
David Richardson, iOS Product Manager at Lookout, says:
"Among the many new features in iOS 9, Apple introduced a critical adjustment enterprises should note – a change in sideloading applications that is a serious win for security.
"Many people don’t realise it, but you can download apps via links or websites on iPhones and iPads as long as they are signed by an iOS enterprise developer certificate.
"These certificates are given to companies for the purpose of distributing apps easily to their own employee’s devices. However, you can use these certificates issued from Apple to install an app on any iOS device.
"Apple has introduced a significantly more complicated sideloading install flow, which requires a lot more user interaction. This will help to weed out many of the people who will download apps without much caution, but it doesn’t negate the fact that it only takes one weak link to compromise the network.
"Why is this change important? Enterprises often use sideloading as a method for distributing homegrown apps, malicious actors also use sideloading (via enterprise certs in many cases bought on the black market), to distribute their malware.
"Wirelurker, Hacking Team’s iOS malware, and XAgent are all examples of malware which use this kind of distribution."
8. Getting the basics right – passcodes
Professor Steven Furnell, senior member of the IEEE, says:
"One fundamental move in the right direction is the increase in the default length of the passcode from 4 to 6 digits. Although we have already seen the devices offer more advanced authentication in terms of Touch ID, it is still the passcode that sits underneath this as the primary mechanism (and indeed the fallback if the biometric does not work).
"Raising the baseline length gives some recognition of the increasing sensitivity of what we now store on the devices themselves, and the services they give access to.
"Of course, it still may not prevent people from choosing obvious sequences, but it signals an improvement and can help to ensure that people no longer simply just re-use the PINs that they already have for their bank cards and other services where 4-digits have been the norm.