Apple’s iOS 6 Release a Mixed Bag for Security and Privacy

Posted on September 17th, 2012 by

With Apple announcing the new iPhone 5 last Wednesday, we now have the release date for the next version of iOS – September 19th. There are a lot of new features (200, to be exact), some of which raise security and privacy concerns and some of which bring security improvements. Here's a rundown of the most notable new iOS 6 features and their security/privacy implications:

iOS 6 Security Concerns

Passbook
With the addition of Passbook in iOS 6, you’ll now have tickets, gift cards, loyalty cards and coupons stored in one central location on your phone. What a wonderful boon for cybercrime! Personally identifying information, information about when you’ll be out of the house, and potentially-resalable credit information will all be there for the taking. How long do you suppose it’ll be before we see hacks of this discussed in BlackHat/Defcon talks? I may be alone in this thought, but I was relieved to hear NFC is not being paired with this yet. The two combined could have led to some serious eavesdropping temptation.

App Installation
This is one feature that concerned me, though not greatly. In iOS 6, you will no longer have to input a password to install free apps. It’s a fairly minor concern, but it’s worth noting. We’ve not yet seen malicious iOS apps in the wild for non-jailbroken phones. And with the granular permissions that iOS 6 is adding, it would be that much harder for malware authors to gain access to your device and then exfiltrate anything of value. But on the other hand, the introduction of Passbook does increase the value for malware authors who go to that trouble. For me, the biggest concern is security training – if people are used to apps installing without using a password, people will be unfazed by apps appearing on their screen without having to give explicit permission.

iOS 6 Security Strengths

Kernel Address Space Layout Randomization
The name alone is a mouthful of gibberish for a lot of folks. But from a security perspective, this is perhaps the most exciting feature of iOS 6. And it’s not just hard to say – it’s also hard to explain to the average user, and so it’s the least likely to be explained in feature lists. Here’s the short of it: there are certain data structures within the OS that allow hackers to exploit vulnerabilities in the operating system if they can get access to them. In iOS 6, the addresses of these structures are not static – they change periodically. So hackers can no longer use some of the most common methods for breaking into software. This means it will take a whole lot more skill and effort to come up with a jailbreak that works for iOS 6 (whether you consider that a good or a bad thing), and it also means it’ll be harder for malware authors to sneak onto non-jailbroken machines. That alone may be enough to mitigate any benefit to cyber criminals from the two features above.
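To make the idea concrete, here is a small model of a randomized kernel base, added as an illustration and not taken from Apple or from the original post. The base address, slide step, number of slots and structure offset are constructed values, and the model assumes the slide is chosen once at boot.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy layout; these are NOT iOS's real values. */
#define LINK_BASE   0x80000000u  /* address the kernel image is linked at */
#define SLIDE_STEP  0x00200000u  /* assumed granularity of the random slide */
#define SLIDE_SLOTS 256u         /* assumed number of possible slides */
#define SYM_OFFSET  0x00001234u  /* offset of one kernel structure in the image */

/* Boot-time loader: turn boot entropy into a slide for the whole image. */
static uint32_t pick_slide(uint32_t boot_entropy) {
    return (boot_entropy % SLIDE_SLOTS) * SLIDE_STEP;
}

/* Where the structure actually lives for a given slide. */
static uint32_t runtime_addr(uint32_t slide) {
    return LINK_BASE + slide + SYM_OFFSET;
}

/* Is an address recorded on an earlier boot still correct under this slide? */
static int address_still_valid(uint32_t recorded, uint32_t slide_now) {
    return recorded == runtime_addr(slide_now);
}

/* Over every possible boot, count how often one fixed address is right. */
static unsigned boots_matching(uint32_t recorded) {
    unsigned hits = 0;
    for (uint32_t e = 0; e < SLIDE_SLOTS; e++)
        hits += (unsigned)address_still_valid(recorded, pick_slide(e));
    return hits;
}

int main(void) {
    uint32_t fixed  = runtime_addr(0);                /* no randomization */
    uint32_t boot_a = runtime_addr(pick_slide(0x5a)); /* one randomized boot */
    printf("without a slide: 0x%08x on every boot\n", (unsigned)fixed);
    printf("boot A:          0x%08x\n", (unsigned)boot_a);
    printf("boot A's address is right on %u of %u possible boots\n",
           boots_matching(boot_a), (unsigned)SLIDE_SLOTS);
    return 0;
}
```

Without the slide, code that relies on a fixed address works on every device and every boot; with it, the same address is correct on only one of the possible layouts.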

More Granular Privacy Controls
There has been a lot of press about apps gathering information that is not immediately obvious, and iOS 6 has put warnings in place to help make apps’ actions more transparent. Their new, more granular privacy notifications require apps to gain your permission before requesting access to your location, contacts, calendars, reminders, or photos. This should go a long way towards making people feel more secure about using apps, which is particularly timely given the recent report from the Pew Research Center which found that 57% of all app users either have declined to install or have uninstalled an app over privacy concerns.

All in all, this new version of iOS looks to be the most secure version yet. From a trickster perspective, it looks like the ongoing battle between jailbreakers and Apple has actually done amazing things in terms of improving devices’ overall security. Now that Apple is also giving us more view into the actions of legitimate apps as well as trying to keep out unauthorized code, we should be able to breathe a little easier about the security of our data.

Are you planning on updating your iDevices to iOS6? Which features are you most looking forward to? Do you think the security features in the newest OS will be helpful or an unnecessary hurdle?

  • http://twitter.com/NReilingh Nick Reilingh

    Your second header is “iOS 4 Security Strengths” — a few years out of date!

    About your App Installation concern, I would remind you that all app installation is still done through Apple’s own API and the App Store. Unless different mischief is afoot, we can pretty reliably say that only non-malicious apps will be installable through this method. Furthermore, the fact that any website has to tie into Apple’s own API means that you won’t get drive-by downloading of even legitimate free apps: at some point you will have to confirm the installation in an Apple-provided dialog of some sort (most likely the Install button in the App Store).

    I actually see this as a security benefit, since it means users will be having to type their password a LOT LESS. Excessive authentication increases opportunity for compromise.

    • LysaMyers

      Ack, typo! Thanks for noticing this.

      Not all apps in the app store have been totally benign, as we saw this summer: http://www.intego.com/mac-security-blog/the-summer-of-sketchy-apps/

      Likewise, if an exploit can jailbreak iOS, one could also be created that would install whatever it likes. The app store would not need to be involved, in that instance.

      Excessive authentication could potentially make people complacent about inputting their passwords, true. My own preferences fall towards making people take that second to specifically think about things they install, as this has been successful in other instances/operating systems.

  • Techpm

    I’m running iOS6 GM and the App Store definitely still asks for a password when installing free apps. It just doesn’t ask for one when updating existing apps.

    • http://twitter.com/NReilingh Nick Reilingh

      I’m seeing the same. The update allowance is new; I guess the free app install thing was just a rumor.
