Article

Privacy, Enterprise and Security Changes in iOS 7

With Apple's recent release of iOS 7 comes many new features but what effect has this had on the security and privacy of users' data?

Apple has recently released iOS 7, which includes many new features that have an effect upon the security and privacy of users’ data on their devices. iOS 7 also offers new features to the enterprise and gives more power to MDM solutions. iOS 7 supports iPhone 5c, iPhone 5s, iPhone 4, iPhone 4S, iPhone 5, iPod touch (5th gen), iPad 2, iPad with Retina display, and iPad mini.

This article will cover features and changes in the following three categories:

  • User Privacy
  • Enterprise Features
  • Device Security

User Privacy

Browser Privacy

Private browsing is a feature that enables users to browse without the device storing their web history, cache or cookies. In iOS 7, users can now enable private browsing from inside Safari, whereas in iOS 6 and below, this had to be enabled in settings. 1

Safari web browser now offers new privacy features including a Do Not Track option. This is a header that is sent with HTTP requests, letting the website know that the user wishes to opt out of server side tracking. Whilst many popular websites honour DNT, websites are not forced to do this.

Application Privacy

Per application VPN

In iOS 7, users can now define different VPN rules for each app. This allows users to channel enterprise applications alone through the corporate VPN, not their personal applications. 4

Applications can no longer grab UDIDs/UUIDs

Unique Device Identifier/Universal Unique Identifier is a string that is used by applications to identify the device. Certain applications pass these on to third parties. This can raise privacy issues, as users can be tracked across applications by UUIDs being shared.

Applications can no longer ask for this: changes will affect all iOS 7 applications, and all new applications that are added to the app store will contain this feature for all iOS versions. Applications already in the app store can still access the device identifiers in iOS 6 and lower. Under iOS 7, applications get a completely random device identifier that changes after the user removes and installs the application.

Audio and Video

Applications now have to request user permissions to use audio input, in the same way that applications need to request geolocation. This may prevent applications from snooping on users’ conversations. For Chinese devices, iOS requests user consent for apps to use the camera input. If the user denies the request to view the camera, the app will see a black screen.

Third party application data protection

Third party apps will be encrypted by default until they first unlock after reboot. In iOS 6, it was only the Apple default apps that were encrypted by default; for third party applications, the developer had to opt in. 4

This is now implemented on the iPhone 3gs and newer (any device with hardware encryption). Previously, developers had to explicitly enable this, whereas now it will come by default. The built-in hardware encryption keys are protected by the device passcode, so it is advised that users use a strong password, as 4-digit codes can easily be brute-forced. However, if there is no jailbreak for iOS 7, then it may not be possible to brute force the passcode as easily.

Enterprise features

Enterprise single sign on

Single Sign On has been implemented in iOS 7. Using SSO, users can log in once, and can automatically be authenticated for many other corporate apps, meaning user credentials can be shared across apps. 4

Improved MDM configuration options

There are a number of new features that will make MDM solutions more powerful, including features such as configuring printers, accessibility options, whitelisting airplay destinations, installing custom fonts and wirelessly setting up apps. 4

Managed “Open In”

In iOS 7, administrators can restrict the apps that can open corporate documents. This aims to help protect corporate data. 4

To do this, device administrators define a list of trusted applications, preventing applications other than those from opening corporate documents. This can also be used to prevent personal documents from being opened in managed corporate apps and corporate documents from being opened in personal apps, furthering the privacy barrier between personal data and business data on the device.

App Store licence management

Companies can now purchase app licences from the Volume Purchase Program and use theirMDM solution to assign apps to employees over the air, whilst at the same time keeping full ownership and control over app licences. 4

Apps can be revoked at any time and reassigned to other employees. Books can also be bought in the VPP.

Fast MDM enrolment

Corporate devices can be automatically enrolled by the MDM solution and can configure devices extremely quickly. These devices can be supervised and managed over the air by the administrator. 4

Device Security

Activation lock

iOS activation lock is a feature aiming to prevent thieves using stolen iOS devices. It requires the iOS password to turn off ‘find my iphone’ or to erase the device, which will prevent thieves from wiping the device to sell or reuse. 1

If the user chooses to wipe the device to protect their data, there is an option to display a custom message, even after the device has been erased. This prevents thieves ever using the device. However it is important to note that features such as activation lock may be easier to bypass if the device is Jailbroken.

Keychain

iOS 7 Keychain allows users to store passwords for their usernames, Wi-Fi credentials and credit card data on iCloud. This data is AES256 encrypted. 1

These credentials are synchronised across all Apple devices registered with the same account, and can be used to auto-complete form fields in Safari web browser. When registering a new account, Safari offers to generate and store a strong password.

There could be potential issues with this:

  • Currently it is understood that Apple encrypts iCloud data server side, where they hold the encryption keys and are able to decrypt and view users’ data if required. This includes contacts, emails, bookmarks, calendars, reminders, notes and application preferences. 2
  • In addition to this, if a device is lost, thieves can potentially log in to any of the users’ accounts, and, using Safari’s auto complete feature, they could also potentially gain access to credit card information.

GameCentre security Improvements

Apple have made a number of improvements on Gamecentre in an effort to prevent cheating on Gamecentre scoreboards. To prevent tampering, score submissions will now be signed. This will enable tampered scores to be identified and rejected. 3

In addition to this, developers can set max score limits to reduce the number of unrealistic and impossible scores.

Airdrop encrypted data transfer

Airdrop Encrypted Data Transfer is a new feature in iOS 7. This enables users to transfer files securely to each other over peer to peer WiFi. The device does not need an internet connection to send and receive files. It is recommended to set device visibility to hidden, rather than to contacts or to everyone. Only iPhone 5 devices and newer can use this feature. 1

Application auto update

In iOS 7, applications can now auto update themselves. This could potentially raise issues in the future for applications loading malicious code automatically without the user knowing. This feature is optional and gives users the ability to turn off auto updates when the device is not connected to WiFi. 10

Biometric Security

iOS 7 on iPhone 5s now includes a fingerprint scanner embedded in the home button. This is used to unlock the device. If the fingerprint scan fails, it will default to passcode login. This is also used to approve iTunes or app store purchases. However, CCC has already bypassed this feature, demonstrating that users should not use it as an alternative to a strong password. 9

SMS and Phone Call Blocking

Apple now offers the feature to block SMS messages, phone calls and Facetime calls from unwanted contacts. In addition to this, iOS 7 offers a Facetime audio only encrypted VOIP feature between iOS devices. 10

Lock Screen Changes

In iOS 7, notifications can be accessed from the lock screen without knowing the device passcode. This includes messages, Facebook and Twitter notifications. These notifications can be turned off from the Settings app.

Computer Authorisation

At Blackhat US 2013, researchers demonstrated how to compromise an iOS device by plugging a malicious charger into it. Now, in iOS 7, the user will have to authorise the computer to use advanced functionality. If it is not authorised, it will default to standard charging mode. 11

References

1 https://www.apple.com/ios/ios7/features/

2 http://arstechnica.com/apple/2012/04/apple-holds-the-master-key-when-it-comes-to-icloud-security-privacy/

3 http://9to5mac.com/2013/06/14/apple-clamping-down-on-cheaters-adding-new-features-for-gamers-in-ios-7/

4 https://www.apple.com/ios/ios7/business/

5 http://www.apple.com/ios/whats-new/

6 https://www.mwrinfosecurity.com/articles/will-you-still-feed-me-when-im-64-bit-/

7 https://labs.mwrinfosecurity.com/system/assets/132/original/mwri_brave-new-64-bit-world_2010-06-02.pdf

8 http://blog.kaspersky.com/fingerprint-scanner-iphone-5s/

9 http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

10 http://www.pcmag.com/article2/0,2817,2424413,00.asp

11 https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.