With Apple announcing the new iPhone 5 last Wednesday, we now have the release date for the next version of iOS – September 19th. There are a lot of new features (200, to be exact), some of which raise security and privacy concerns and some of which improve security. Here's a rundown of the most notable new iOS 6 features and their security/privacy implications:
iOS 6 Security Concerns
With the addition of Passbook in iOS 6, you’ll now have tickets, gift cards, loyalty cards and coupons stored in one central location on your phone. What a wonderful boon for cybercrime! Personally identifying information, information about when you’ll be out of the house, and potentially-resalable credit information will all be there for the taking. How long do you suppose it’ll be before we see hacks of this discussed in BlackHat/Defcon talks? I may be alone in this thought, but I was relieved to hear NFC is not being paired with this yet. The two combined could have led to some serious eavesdropping temptation.
This is one feature that concerned me, though not greatly. In iOS 6, you will no longer have to input a password to install free apps. It’s a fairly minor concern, but it’s worth noting. We’ve not yet seen malicious iOS apps in the wild for non-jailbroken phones. And with the granular permissions that iOS 6 is adding, it would be that much harder for malware authors to gain access to your device and then exfiltrate anything of value. But on the other hand, the introduction of Passbook does increase the value for malware authors who go to that trouble. For me, the biggest concern is security training – if people are used to apps installing without using a password, people will be unfazed by apps appearing on their screen without having to give explicit permission.
iOS 6 Security Strengths
Kernel Address Space Layout Randomization
The name alone is a mouthful of gibberish for a lot of folks. But from a security perspective, this is perhaps the most exciting feature of iOS 6. And it’s not just hard to say – it’s also hard to explain to the average user, and so it’s the least likely to be explained in feature lists. Here’s the short of it: there are certain data structures within the OS that allow hackers to exploit vulnerabilities in the operating system if they can get access to them. In iOS 6, the addresses of these structures are not static – they change periodically. So hackers can no longer use some of the most common methods for breaking into software. This means it will take a whole lot more skill and effort to come up with a jailbreak that works for iOS 6 (whether you consider that a good or a bad thing), and it also means it’ll be harder for malware authors to sneak onto non-jailbroken machines. That alone may be enough to mitigate any benefit to cyber criminals from the two features above.
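To make the idea concrete, here is a small C simulation, added as an illustration and not taken from Apple or the original post. It models the change as a new random kernel slide on each boot; the base address, slide step, slot count and structure offset are constructed values, not the real iOS 6 layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for illustration; not Apple's actual values. */
#define STATIC_BASE 0x80000000u   /* base if the kernel were never slid */
#define SLIDE_STEP  0x00200000u   /* granularity of the random slide */
#define SLIDE_SLOTS 256u          /* number of possible slides */
#define TARGET_OFF  0x0001a2c0u   /* hypothetical offset of a kernel structure */

/* Small deterministic PRNG so the demo is repeatable. A real kernel
   takes its slide from a boot-time entropy source instead. */
static uint32_t lcg(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state >> 16;
}

/* Kernel base for one boot: always STATIC_BASE when randomization is off. */
uint32_t boot_base(int kaslr, uint32_t *rng) {
    uint32_t slot = kaslr ? lcg(rng) % SLIDE_SLOTS : 0;
    return STATIC_BASE + slot * SLIDE_STEP;
}

/* Count the boots on which an address computed from the static layout
   still points at the target structure. */
unsigned stale_address_hits(int kaslr, unsigned boots, uint32_t seed) {
    uint32_t rng = seed, guess = STATIC_BASE + TARGET_OFF;
    unsigned hits = 0;
    for (unsigned i = 0; i < boots; i++)
        if (boot_base(kaslr, &rng) + TARGET_OFF == guess) hits++;
    return hits;
}

/* Every structure moves by the same slide, so a single disclosed kernel
   pointer gives the whole layout away. This is why kernel pointer
   disclosures have to be treated as security bugs in their own right. */
uint32_t slide_from_leak(uint32_t leaked_addr, uint32_t known_off) {
    return leaked_addr - known_off - STATIC_BASE;
}

int main(void) {
    printf("no KASLR: %u/10000 boots hit\n", stale_address_hits(0, 10000, 1));
    printf("KASLR:    %u/10000 boots hit\n", stale_address_hits(1, 10000, 1));
    return 0;
}
```

Without randomization the precomputed address is right on every boot; with it, the address is right only on the small fraction of boots where the slide happens to be zero.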
More Granular Privacy Controls
There has been a lot of press about apps gathering information that is not immediately obvious, and iOS 6 has put warnings in place to help make apps’ actions more transparent. Their new, more granular privacy notifications require apps to gain your permission before requesting access to your location, contacts, calendars, reminders, or photos. This should go a long way towards making people feel more secure about using apps, which is particularly timely given the recent report from the Pew Research Center which found that 57% of all app users either have declined to install or have uninstalled an app over privacy concerns.
All in all, this new version of iOS looks to be the most secure version yet. From a trickster perspective, it looks like the ongoing battle between jailbreakers and Apple has actually done amazing things in terms of improving devices’ overall security. Now that Apple is also giving us more view into the actions of legitimate apps as well as trying to keep out unauthorized code, we should be able to breathe a little easier about the security of our data.
Are you planning on updating your iDevices to iOS 6? Which features are you most looking forward to? Do you think the security features in the newest OS will be helpful or an unnecessary hurdle?