{"id":14960,"date":"2014-06-03T18:49:22","date_gmt":"2014-06-03T18:49:22","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=1959"},"modified":"2020-02-26T18:42:53","modified_gmt":"2020-02-26T16:42:53","slug":"ios-8-arrives-security-consequences","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/ios-8-arrives-security-consequences\/14960\/","title":{"rendered":"iOS 8 arrives. Security consequences?"},"content":{"rendered":"

Apple <\/a>made big news yesterday on WWDC14 announcing new versions of both of its fabulous operating systems \u2013 OS X and iOS. Such announcements are always a big deal and a major event, of course, but this time it\u2019s not just about new operating systems. Aside from those, \u00a0Apple made a couple of announcements with potentially big ramifications and repercussions ahead. Some are directly related to security.<\/p>\n

\n<\/p>

Well, first of all, hello, Mac OS X Yosemite<\/a>, hello iOS 8<\/a>. Earlier, these platforms had been evolving more or less independently, but now it seems as though they are on a collision course with more and more interpenetrating features and apps. For instance, here comes Continuity, a feature that lets you seamlessly start a task on a mobile device, and finish doing it on a Mac (composing an e-mail, for instance). Sure thing this privilege isn\u2019t going to be available to a Mac owner with an Android phone or an iPhone owner with a Windows PC.<\/p>\n

Also, Apple finally \u201cmounted coattails\u201d of Google and Microsoft, providing its iCloud service with a fully-fledged file hosting capabilities similar to Google Drive, Microsoft\u2019s OneDrive or Dropbox: iCloud Drive. It allows storage of any type of file, and to access it \u201con any device\u201d, which actually isn\u2019t exactly true: iCloud is unavailable for Android users. Besides, iCloud Drive, like many other functions of newer operating systems, will only be available to the users of the new hardware due to be shipped this Autumn.<\/p>\n

\u00a0Apple ID\u2019s single password provides access to everything associated with the user\u2019s account.<\/p>Tweet<\/a><\/blockquote>\n

\"800_1\"<\/a><\/p>\n

Effectively, this means that Apple is going to create a unified \u201cApple-only\u201d environment to bring in more users. This also means that all of these devices \u2013 Macs, iPhones, iPads and iPods \u2013 are going to be protected essentially by their Apple ID alone.<\/p>\n

This authorization system is quite robust, or at least doesn\u2019t look any worse than anything else<\/a> (description is available via the previous link). In essence, Apple provides new users with a free email, which requires a password, of course.<\/p>\n

Then this single password provides access to almost anything Apple: iTunes and App Store purchases, browser history, documents and \u2013 as soon as iCloud Drive is up \u2013 to all of its contents too. Users have to input their Apple ID passwords quite often \u2013 it is necessary to buy anything at Apple\u2019s stores or to update apps. In other words, a lot depends on this password, and it\u2019s up to the user to make it secure, a task not often performed well by users.<\/p>\n

This constitutes a weaker spot<\/a> for possible attackers, especially since users can get access to their iCloud mail<\/a> via the browser on a Windows PC, for instance.<\/p>\n

Another extremely interesting announcement is the new SDK for iOS 8<\/a>, containing over 4,000 new APIs. \u201ciOS 8 allows developers to further customize the user experience with major extensibility features like Notification Center widgets and third-party keyboards; and introduces robust frameworks such as HealthKit and HomeKit. iOS 8 also includes Metal, a new graphics technology that maximizes the performance of the A7 chip and Swift, a powerful new programming language,\u201d Apple\u2019s press release<\/a> reads. It further elaborates on new features and frameworks, such as HealthKit (which is supposed to \u201crevolutionize how the health industry interacts with people\u201d), home automation oriented HomeKit, Metal, new graphic technology for gaming, and Swift \u2013 new programming language for creating apps for both iOS and OS X.<\/p>\n

Beta of the SDK is available to iOS and OS X Developer Program members at developer.apple.com<\/a>.<\/p>\n

\"800_2\"<\/a><\/p>\n

Well, for starters this means new level of openness for iOS: a wider availability for developers. The concept of \u201cwider availability\u201d (at least the one that suggests that development tools are made more \u201caccessible\u201d) is always bit of a debated matter.<\/p>\n

As ZDNet columinst Stilgherrian<\/a>\u00a0put it, \u201cBy opening up inter-app communications in iOS, including communication with apps that control external network devices, and by providing more ways for the user to interact on the lock screen \u2014 that is, when the iDevice is still meant to be locked \u2014 Apple is massively increasing what information security practitioners call the attack surface<\/a>.\u201d<\/p>\n

Stillgherrian (which looks like a sort of Apple-sceptic) suggests that new tools will \u201cover-encourage\u201d new, \u201csuddenly-inspired\u201d developers, which possibly means that there is going to be a huge influx of new apps built by newcomers, who don\u2019t give a lot of thought to the security of their software.<\/p>\n

Also, \u201cthe increase in personal data that will be captured by new home and medical devices will make iOS devices an ever more attractive target\u201d, Stilgherrian said.<\/p>\n

These reservations are somewhat justified, or at least the second one is. Apple has to deal with an avalanche of new badly-written apps on a daily basis, so it\u2019s unlikely it would be impressed by a decuman wave of fresh mobile \u201cslagware\u201d if there is going to be any.<\/p>\n

Besides Apple has introduced a new programming language Swift. Among other things, it had been designed, according to Adrian Kingsley-Hughes<\/a>, \u201cto do away with entire classes of unsafe code.<\/a> Variables are always initialized before use, arrays and integers are checked for overflow, and memory is managed automatically.\u201d As long as it works as expected, this will provide a certain level of basic security. So there\u2019s no reason to expect any groundbreaking decrease in overall security of Apple platform.<\/p>\n

However, just like with every software, this security isn\u2019t absolute. Earlier this year a handful of Apple\u2019s security failures had been reported. For instance, in February the release of iOS 7.0.6 had been rushed ahead of time with a patch for a \u201cshockingly overlooked\u201d SSL encryption issue that left iPhone, iPad and Mac computer users open to a man-in-the-middle (MITM) attack.<\/a>\u00a0<\/p>

Apple\u2019s Swift language may increase the level of code security for new apps.<\/p>Tweet<\/a><\/blockquote>\n

In May, a number of iPhones, iPads, and Macs users in different parts of the world fell victims to ransom attacks with their devices remotely locked. Apparently somebody had stolen these users\u2019 credentials, but it\u2019s unclear where they came from. Apple has denied that iCloud had been hacked during those attacks, but just a few days before a Dutch-Moroccan team of hackers calling itself \u201cTeam DoulCi\u201d have claimed to hack a protective feature on Apple\u2019s iCloud system<\/a>. That could leverage an attacker to remove security measures on lost or stolen iPhone devices. Or lock them remotely<\/p>\n

In other words, Apple usually is doing well with its security. But there is no absolution and there is a growing interest from the cybercriminals.<\/p>\n

What does it all mean for businesses? \u2013 Lots of vigilance and a good MDM system<\/a>. Probably, if the sceptics\u2019 concerns are substantiated and the average security level of Apple\u2019s new devices indeed goes down in Autumn, the vigilance should go up more than ever.<\/p>\n

There is no reason to expect any malware epidemics on iOS any time soon, though. During his keynote at WWDC14 Apple\u2019s Tim Cook slammed Google for it\u2019s 99% share in mobile malware, which is by no means a problem for iOS. Hopefully it stays that way for a while.<\/p>\n

But aside from malware there are other threats, and again, there is no absolutely safe systems. With Apple ID a lot of things relies on a single password, which means that if it is weak, the device and associated services are insecure. Thus, there\u2019s no such thing as an\u00a0\u201cexcessive\u201d amount of reminders of how important it is to have good passwords.<\/p>\n","protected":false},"excerpt":{"rendered":"

Apple has announced new versions of its operating system. OS X and iOS become closer, gradually merging into a single environment. How well is it protected?<\/p>\n","protected":false},"author":209,"featured_media":15818,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[14,2102,2103,704,2104],"class_list":{"0":"post-14960","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apple","10":"tag-apple-operating-systems","11":"tag-apple-updates","12":"tag-ios-8","13":"tag-os-x-yosemite"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ios-8-arrives-security-consequences\/14960\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ios-8-arrives-security-consequences\/14960\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ios-8-arrives-security-consequences\/14960\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/apple\/","name":"apple"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/14960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=14960"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/14960\/revisions"}],"predecessor-version":[{"id":26176,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/14960\/revisions\/26176"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15818"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=14960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=14960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=14960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}