The release of iOS 11 is here! We previewed the security enhancements and new mobile application features of iOS 11 and found three security impacts we think are important for security teams to consider. These include:
- More granular security for sharing of location information (but a lack of granular security on other sensor data)
- Apple’s new SMS-based Business Chat and fraud detection capabilities
- New Core ML capability that provides a machine learning service for apps
We discuss each of these in more detail below and, as an added bonus, we have updated our analysis of apps that meet Apple’s App Transport Security (ATS) requirement announced in 2016.
Security granularity – Location Privacy
With iOS 11, Apple has introduced a new Location Services setting, which allows users to restrict an app’s access to location data when the app is not in use. This refinement seems to be Apple’s late response to the Nov 2016 news that Uber violated users’ privacy by accessing users’ locations even after the app was closed. Apple’s deployment of this capability helps protect individual users’ privacy and potentially sensitive enterprise data by allowing the user or admin to control when location data is available to apps. As of this posting, Google has not implemented this capability.
From a bigger picture perspective, however, location is just one type of data that can violate user privacy if accessed by an app running in the background. Access to the camera and microphone from the background is another enterprise threat, which can significantly violate user privacy, and cause enterprise data leakage. These are behaviors exhibited by commercial spyware which targets enterprise executives.
According to our analysis, out of the top 100 apps we find in enterprise environments, 16% of them send location data back to a server, while 42% access the microphone and 81% access the camera. The Apple MDM provides enterprise customers with the ability to disable the camera on managed devices, but the control is applied at the device level and would impact other legitimate uses of the camera. Users will push back against security measures that disable the camera, microphone and other sensors at the device level. As with Location Privacy, more granular security applied at the application level is required to protect data without restricting legitimate use of the camera, GPS, microphone and other sensors.
With the Apple MDM, customers can also blacklist and remediate the use of unapproved apps among their employees without affecting the functionality of other apps.
In a future security update, we would like to see Apple update permission options that allow users and enterprises to restrict background access to each sensor’s data.
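Until such per-sensor controls exist, an app-vetting step can at least surface which apps declare sensor access and which declare a background mode that keeps a sensor alive. The following is an added example, not Appthority's tooling: it reads an app's `Info.plist`, the sample apps are constructed, and it reports declared capability rather than observed behavior.

```python
import plistlib

# Info.plist keys an app must carry before iOS will show the permission prompt.
SENSOR_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSLocationWhenInUseUsageDescription": "location",
    "NSLocationAlwaysUsageDescription": "location-always",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location-always",
}
# UIBackgroundModes values that let a sensor keep running in the background.
BACKGROUND_MODES = {"location": "location", "audio": "microphone"}

def sensor_profile(plist_bytes):
    """Summarise declared sensor access for one app (XML or binary Info.plist)."""
    info = plistlib.loads(plist_bytes)
    declared = {label for key, label in SENSOR_KEYS.items() if key in info}
    modes = set(info.get("UIBackgroundModes", []))
    background = {s for mode, s in BACKGROUND_MODES.items() if mode in modes}
    return {
        "declared": sorted(declared),
        "background": sorted(background),
        # Apps asking for "Always" are the ones the iOS 11 setting lets
        # a user restrict to "While Using the App".
        "asks_always_location": "location-always" in declared,
    }

def background_capable(apps):
    """Names of apps (name -> plist bytes) that declare any background sensor mode."""
    return sorted(n for n, raw in apps.items() if sensor_profile(raw)["background"])

# Constructed sample apps (hypothetical bundle contents, built inline).
SAMPLE_APPS = {
    "ride-app": plistlib.dumps({
        "NSCameraUsageDescription": "Scan a payment card",
        "NSLocationWhenInUseUsageDescription": "Find your pickup point",
        "NSLocationAlwaysAndWhenInUseUsageDescription": "Track your trip",
        "UIBackgroundModes": ["location"],
    }),
    "voice-notes": plistlib.dumps({
        "NSMicrophoneUsageDescription": "Record memos",
        "UIBackgroundModes": ["audio", "fetch"],
    }),
    "calculator": plistlib.dumps({"CFBundleName": "Calculator"}),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_APPS.items():
        print(name, sensor_profile(raw))
```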
Pros and Cons of SMS Fraud Detection
A new feature in iOS 11, called Business Chat, allows users to chat with companies they find through Siri, Maps, Safari, and Spotlight search. Users will also be able to use Apple Pay for financial transactions on Business Chat. So, it makes sense that Apple is introducing SMS fraud detection in iOS 11, to warn users when they receive an SMS message that could be fraudulent, providing an additional layer of defense.
Once iOS 11 is deployed, all iMessages will be stored on iCloud. Apple states that the purpose of the cloud-based storage is to save space on user devices, but this may represent only a part of the reason. Apple is likely leveraging the computational power of the cloud to detect fraud more efficiently.
And what is the problem with messages being stored on iCloud? Before iOS 11, all SMS messages and iMessages were stored on users’ devices and encrypted. Now, they are on iCloud, synchronized on all the devices that users have and available anytime, anywhere. Security-conscious companies may have concerns about iMessage storage on iCloud. These enterprises may need to modify their security policies if their confidential business messages are stored by a third party. As a reminder, in 2014, there was a breach of celebrity photos from iCloud as a result of a targeted phishing attack.
Uncharted and unintended consequences of Core ML
iOS 11 debuts Artificial Intelligence (AI) / Machine Learning (ML) related features that apps could use – including malware apps. They include Natural Language Processing (NLP), Vision and Game Decision Tree Kits. The uses of these capabilities include – but are not limited to: identifying objects, faces, and sentiments from photos, videos, and texts. For example, an app accessing your photos may be able to determine your sentiment and identify your location and anyone else in the picture with you. Users would be sharing deeply personal sentiment and more contextual information with the app developer. Although Apple claims the intention is to maintain Core ML data on the device, historically we’ve seen that we cannot always trust third-party apps to do what they are supposed to do, even when they are on the official store. The information generated by Core ML is a new, untapped source of personal metadata, readily monetizable by someone for marketing or other purposes.
In addition to this privacy concern, Apple might be unintentionally equipping malware writers with AI! These Core ML APIs can be abused by malware apps for stealth and malicious behaviors. On Android, there have already been malware apps which behave properly in the presence of any security apps or when they detect active inspection by the app store during the vetting process. Some adware learns when users sleep and launches its attacks, such as sending data or committing click fraud, only during “sleeping” hours when the user is less likely to notice the activity. Some banking trojans know which banking apps users are using and tailor the attacks to those apps. So, imagine what iOS malware with an onboard machine learning model could achieve. This new iOS 11 feature makes this a good time for security companies to start considering AI detection methods in their malware detection models.
Update on Apple’s Compulsory SSL/TLS Enforcement on Third-party Apps
Last year during the Apple developer conference 2016, Apple announced that all third-party apps would have to follow its App Transport Security (ATS) requirements by the end of 2016.
In a previous Mobile Threat Report on ATS, Appthority calculated that only 3% of the apps complied with the requirements by the deadline. In January 2017, Apple extended the deadline – without setting a specific date.
To get an update on the number of apps in compliance, we re-analyzed the top 200 enterprise apps. We are glad to report that as of Q3 2017, 16.5% of iOS apps are fully following ATS requirements. That is a solid improvement from the previous 3% more than six months ago and is a positive sign of improving enterprise security. Nonetheless, enterprises should be aware that 83.5% of the most popular apps are still not following the full ATS requirements, exposing them to various types of network vulnerabilities.
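An app opts out of ATS protections through the `NSAppTransportSecurity` dictionary in its `Info.plist`, so a static check can list the exceptions it declares. The following is an added example, not Appthority's methodology: it assumes that any declared exception means the app is not fully following ATS, and the sample plist is constructed.

```python
import plistlib

# App-wide keys under NSAppTransportSecurity that switch ATS protections off.
GLOBAL_EXCEPTIONS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                     "NSAllowsArbitraryLoadsForMedia")
# Per-host keys under NSExceptionDomains that permit cleartext HTTP.
INSECURE_HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                      "NSThirdPartyExceptionAllowsInsecureHTTPLoads")

def ats_findings(plist_bytes):
    """List the ATS exceptions declared in an Info.plist (XML or binary)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = [key for key in GLOBAL_EXCEPTIONS if ats.get(key) is True]
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        for key in INSECURE_HTTP_KEYS:
            if rules.get(key) is True:
                findings.append(f"{host}: {key}")
        # ATS defaults to TLS 1.2 with forward secrecy; lowering either weakens it.
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: NSExceptionMinimumTLSVersion={tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: NSExceptionRequiresForwardSecrecy=false")
    return findings

def fully_ats_compliant(plist_bytes):
    """Assumed criterion: compliant only when no exception is declared."""
    return not ats_findings(plist_bytes)

# Constructed sample Info.plist (hypothetical app and hosts).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    print("\n".join(ats_findings(SAMPLE)) or "no ATS exceptions declared")
```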
Among our entire enterprise iOS app collection, we also found a positive trend in the use of SSL certificate pinning for all the network connections as shown in the following chart. The data indicates that iOS apps are getting better at network security, but a significant portion of them (about 98%) still have at least one connection without SSL pinning. These remaining insecure connections pose a network security threat with potential for data loss.
Apple is taking positive steps towards creating a more secure mobile ecosystem by adding new security and privacy features and focusing on enterprise Mobile Device Management (MDM). App vendors are gradually implementing SSL/TLS and certificate pinning to improve network security.
However, due to the new features introduced in iOS 11 and the complexity of managing third-party developers, Apple is also introducing a new potential for data exposure and vulnerabilities.
Appthority Recommendations for Enterprises
- Take advantage of the new background location privacy option to reduce the risk of geo data leakage
- Continue analyzing and monitoring apps for risky behaviors and select those that implement best practices
- Begin monitoring the new capabilities introduced in iOS 11 to understand the potential risk of data exposure and loss
Appthority continuously protects its customers from a wide range of known and potential security threats. Stay tuned for additional post-iOS 11 release updates as we continue to monitor iOS security developments and vulnerabilities.