• United States



Security pros and cons of Apple’s latest operating systems

Jun 04, 20143 mins
Access ControlApplication SecurityData and Information Security

Researcher says Apple has been stingy with security info on new features in iOS 8 and Mac OS X Yosemite, set for release in the fall

Apple’s march toward seamless integration between the Mac, iPhone and iPad worries some security experts who say companies may find it more difficult to prevent data leakage on the devices.

On Monday, Apple introduced Handoff, a feature in upcoming iOS 8 and Mac OS X Yosemite that would let a person start a task on one device and complete it on another. For example, an email started on the Mac could be completed later on the iPad.

[Security firm discloses Apple iOS “malicious profile” vulnerability impact on MDM]

The ability to perform tasks across devices would work with many Apple apps, such as Mail, Safari, Pages, Numbers, Keynote, Maps, Calendar and Contacts. Developers could build the functionality into their own apps as well.

While certain to please many consumers, the feature would be a concern for businesses, Richard Henderson, a threat researcher for Fortinet’s FortiGuard Labs, said. Companies with liberal bring-your-own-device policies would take the greatest risks.

“There needs to be a concern for data leakage prevention,” Henderson said.

Another potential source of data loss is Family Sharing, which lets family members share calendars, reminders, photos and locations across devices. Again, such apps as calendars and reminders could contain sensitive business data.

If Apple intends to be friendly to businesses, then it should let corporate IT staff turn off these features when the new operating systems are released in the fall.

“If not, you probably should have a very, very serious discussion over whether you want to let iOS devices on your network,” Henderson said. “The ability for people to leak data that doesn’t belong to them exists with these new technologies.”

One feature that could prove useful to the enterprise is the extended use of TouchID, the application that lets a person use the fingerprint scanner on the newest iPhone to unlock the device.

Starting with iOS 8, developers will be able to tap into Touch ID in order to require a fingerprint scan to launch an app or access certain features in the app.

What companies would want is the ability to use Touch ID in enforcing their own policies for unlocking a device or using enterprise apps, Paul Madsen, principal technical architect for identity management vendor Ping Identity, said.

To be friendly to the enterprise, Touch ID would have to be configurable through mobile device management systems, which is what many companies use to control the use of business apps and the movement of corporate data.

While Apple could extend Touch ID for use in MDM systems, “I’ve only heard of the consumer-centric cases for Touch ID,” Madsen said. Those cases have included online banking apps.

In general, many of Apple’s feature announcements at its Worldwide Developers Conference in San Francisco raised lots of questions among security experts.

“Apple hasn’t really released a whole heck of a lot of information on how this stuff works under the hood,” Henderson said.

[Impact of EA Games hack on Apple shows ripple effect of attacks]

Therefore, researchers will start looking for answers on their own.

“Until a lot of us out there in the security sphere start to poke around and play with this stuff, we’re not going to know the answers to the questions,” Henderson said.