Security

About the security content of iOS 9.3

Apple has published a list of security updates in iOS 9.3: https://support.apple.com/en-us/HT206166

About the security content of iOS 9

Apple has published their regular inventory of security updates in iOS 9. By my count it is a new record of patches: 107 vulnerabilities.

Apple's been getting better and better at documenting and fixing security vulnerabilities. So please do your part and update your devices!

Source: Apple Security Updates

About the security content of iOS 8.3

It is a whopper: 58 security vulnerabilities fixed. Get those devices updated.

https://support.apple.com/en-us/HT204661

Bushel is now Generally Available!

Bushel, an Apple device management solution powered by JAMF Software, today announced general availability, expanding Apple device management to businesses of all sizes. Bushel is a cloud-based solution designed to make it simple and quick for regular people to complete their management tasks, including Apple device setup, security and usability. The software had been in beta for some time, available on an invitation-only basis. As of today, Bushel is generally available to the public, who can sign up for either a free or paid account. You can find out more and sign up on the Bushel website.

iOS 8.0.2 released last night

iOS 8.0.2 was released last night, just eight days after 8.0, and just a day or so after 8.0.1 was released but quickly pulled. Our database of iOS Devices has all the links for direct downloads. Here are the release notes.

Quote:

This release contains improvements and bug fixes, including:

  • Fixes an issue in iOS 8.0.1 that impacted cellular network connectivity and Touch ID on iPhone 6 and iPhone 6 Plus
  • Fixes a bug so HealthKit apps can now be made available on the App Store
  • Addresses an issue where 3rd party keyboards could become deselected when a user enters their passcode
  • Fixes an issue that prevented some apps from accessing photos from the Photo Library
  • Improves the reliability of the Reachability feature on iPhone 6 and iPhone 6 Plus
  • Fixes an issue that could cause unexpected cellular data usage when receiving SMS/MMS messages
  • Better support of Ask To Buy for Family Sharing for In-App Purchases
  • Fixes an issue where ringtones were sometimes not restored from iCloud backups
  • Fixes a bug that prevented uploading photos and videos from Safari

For information on the security content of this update, please visit this website:
http://support.apple.com/kb/HT1222

Zdziarski's Backdoor: A Roundup of Articles

About a week ago, security researcher Jonathan Zdziarski revealed what appear to be a number of "backdoors" in iOS. These allow access to data even on encrypted devices, as long as a pairing record is available from a trusted source (which is not trivial). Although Jonathan took pains to qualify the announcement, several reports seem to have exaggerated the issue.

In response, Jonathan has compiled a list of more reputable tech articles on the topic. I've reprinted the list below.

iOS Lockdown “Backdoors” (TL;DR)
Dino Dai Zovi, Co-Author “iOS Hacker’s Handbook”

Surveillance Mechanisms in iOS Devices – Don’t Panic but… Do Read This
Elissa Shevinsky, CEO of Glimpse

Apple iPhones allow extraction of deep personal data, researcher finds
Reuters / Joseph Menn

Is Apple’s iOS Backdoor Not a Backdoor
Wall Street Cheat Sheet / Nathaniel Arnold

iOS slurp ware brouhaha: It’s for diagnostics, honest, says Apple
The Register / Iain Thomson

Any questions?

About the security content of iOS 7.1.2

iOS 7.1.2 was released yesterday, and it includes a long list of security improvements. See the details here: http://support.apple.com/kb/HT6297

About the security content of iOS 7.1.1

Apple has published a list of security content in iOS 7.1.1, which was released this afternoon. Here are the highlights:

  • CFNetwork HTTPProtocol: An attacker in a privileged network position can obtain web site credentials
  • IOKit Kernel: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization
  • Security - Secure Transport: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL
  • WebKit: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Quite a bit for a dot-dot-one release. Set your compliance rules accordingly and encourage updates.

I'm curious: do any of you have stats on how quickly your users update?

How bad is the OpenSSL "Heartbleed" vulnerability for MDM?

Yesterday a vulnerability came to light in OpenSSL, which underpins much of the security infrastructure on web servers and application servers around the Internet. Today the technology world is on fire about the bug. Basically, any server running OpenSSL versions 1.0.1 through 1.0.1f is at risk from a simple query. There is an online tool available to check your servers.

The bug, however, doesn't only affect SSL. OpenSSL is also commonly used for generating the asymmetric encryption keys that are the foundation of, oh, the Apple Push Notification Service. And APNS is the foundation for MDM.

If your MDM service happens to be vulnerable, or was vulnerable at any time in the roughly two years the bug has existed, then it is possible someone has stolen your server's private APNS key. And if they have done that, then your MDM is compromised. Since the attack leaves no trace, it may be better to err on the safe side.

The "safe side" for MDM means revoking your APNS certificate and re-enrolling all devices. By hand. That is going to be a huge bucket of pain.

So here is hoping your particular MDM service is not and was not vulnerable. I've heard from a few already, but will wait for official statements to become available before posting. Watch this thread for more as this develops.
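The version range above is easy to get wrong in an inventory script, because OpenSSL's pre-1.1 scheme uses a letter suffix as the patch level (1.0.1 < 1.0.1a < 1.0.1f < 1.0.1g), and plain string comparison misorders it. The following Python is an added example, not part of the original post or any vendor tool: it parses the output of `openssl version` into a comparable tuple and flags hosts in the affected range. The host names, version strings and dates in the inventory are constructed sample data.

```python
import re

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later, and
# every other release line (0.9.8, 1.0.0, 1.0.2), are not in the range.
# Versions are modelled as (major, minor, fix, letter_index), where the
# letter suffix is the patch level: "" -> 0, "a" -> 1, ..., "f" -> 6.
FIRST_AFFECTED = (1, 0, 1, 0)   # 1.0.1 with no letter suffix
LAST_AFFECTED = (1, 0, 1, 6)    # 1.0.1f

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Parse 'OpenSSL 1.0.1e 11 Feb 2013' (or a bare '1.0.1e') into a tuple
    that compares correctly under Python's tuple ordering."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % (text,))
    major, minor, fix, letter = m.groups()
    letter_index = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), letter_index)


def is_heartbleed_affected(text):
    """True if the version string falls in 1.0.1 .. 1.0.1f inclusive."""
    return FIRST_AFFECTED <= parse_openssl_version(text) <= LAST_AFFECTED


# Constructed sample inventory: what `openssl version` printed on each host.
SAMPLE_INVENTORY = {
    "mdm01": "OpenSSL 1.0.1e 11 Feb 2013",
    "mdm02": "OpenSSL 1.0.1g 7 Apr 2014",
    "apns-gw": "OpenSSL 0.9.8y 5 Feb 2013",
    "web01": "OpenSSL 1.0.1 14 Mar 2012",
    "web02": "OpenSSL 1.0.2 22 Jan 2015",
}


def affected_hosts(inventory):
    """Sorted names of hosts whose reported OpenSSL version is in range."""
    return sorted(h for h, v in inventory.items() if is_heartbleed_affected(v))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("%s: %s (affected)" % (host, SAMPLE_INVENTORY[host]))
```

One caveat when using this against real hosts: several Linux distributions backported the fix into packages that still report 1.0.1e, and builds compiled with `OPENSSL_NO_HEARTBEATS` were never affected, so treat a version match as "needs a closer look" rather than proof, and check the package changelog or the vendor advisory for the exact build.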

About the security content of iOS 7.1

An extensive list of the security fixes in iOS 7.1: http://support.apple.com/kb/HT6162

iOS 7.0.6 released with important SSL security fix

Apple today released iOS 7.0.6 with an important security fix:

Quote:

iOS 7.0.6
Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID

CVE-2014-1266

Available, as always, via Software Update. Direct download links for each build are in our database of iOS Devices.

About the security content of iOS 7.0.3

iOS 7.0.3 fixes three lock screen bugs. Get the details in this knowledge base article.

Does the iPhone 5s Give Passcodes the Finger? No, Not Yet. (Updated)

There is a lot to like about Apple's new iPhone 5s announced Tuesday. The faster, 64-bit chip, the battery-saving M7 motion processor, the really nice camera. And gold, if that's what rings your bell. But for enterprises, the headline feature seems to be "Touch ID", the fingerprint sensor built into the home button of the top-end phones.

It is clearly a leap forward, and journalists are getting very excited. But we need a reality check here, as there are some subtle but critical details that don't seem to be getting attention. Touch ID is not going to replace your passcode, it isn't more secure than your passcode, and it isn't two-factor authentication. If used properly, it can improve security for many of us. And in truth, it is a hell of a lot better than nothing.

Let me 'splain what I'm thinking.

Passcode required

Today, the key info about this feature comes from an article in the Wall Street Journal. An unnamed Apple representative says this:

Apple customers who wish to use Touch ID also have to create a passcode as a backup. Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours.

The way I interpret this statement is this: the passcode is, as today, the primary means of securing the device. The passcode is always available. The fingerprint sensor is an alternate means of unlocking the device, but the passcode will always be there. The fingerprint sensor is, in a sense, a shortcut to the passcode.

No additional security (unless you add it)

An iPhone with no passcode is like leaving the door to your house wide open.

Use a passcode, and you've closed and locked that door.

Not only is the phone locked, but you are now encrypting the data on your phone. So even if someone breaks open the hardware and removes the chips, your encrypted data is safe.

Introduce Touch ID, and here's what you have:

Now you have two ways into your house: Use the same passcode door as before or use the fingerprint door. If one door doesn't let you in maybe the other will. To me, it is clear this is not more secure than one door. If your passcode is "1-1-1-1" then I don't care about your fingers, I'll just enter through the passcode.

The standard 4-digit numeric passcode is pretty easy to crack. There are only 10,000 combinations, after all, and if you enter them through a tethered connection you can try them pretty quickly. But if you don't use a 4-digit numeric passcode, you become a lot more secure.

But there is a way Touch ID can enable stronger security. Since the fingerprint is effectively a shortcut around a passcode, I can now make a really difficult passcode to get into my phone. A passcode with 18 characters and symbols and caps and emoji and stuff. A passcode that was so difficult to enter that it would drive me crazy if I needed to enter it every 5 minutes. But if I need to enter the complex passcode only when rebooting the phone (almost never) or after 48 hours idle (absolutely never) then I can live with that.

Better security, but only indirectly enabled by biometrics.

Not two-factor authentication

Maybe you can see by now that the fingerprint sensor on the iPhone 5s does not provide two-factor authentication. 2FA is like two locks on the same door.

I use Google 2-Step Verification for my Google accounts — you should too — and that makes me happy. When I use that I need to enter BOTH my password and my 1-time code. [Experts will say this isn't true 2FA, but it keeps me feeling warm and fuzzy.]

Way better than nothing

Greater improvements to security are to come in iOS 7. On setup, users are prompted — actually encouraged even — to enter a passcode. And apps used to have to opt-in to use the protected data store; now it is on by default.

In truth, we should remember that not enough iOS users enter any passcode. Instead they leave their door wide open. Maybe having the fingerprint sensor is going to be just cool technology and smart shortcuts to get people to lock their front doors.

Update: You may know that using Mobile Device Management, configuration profiles, and/or ActiveSync, an administrator can require a passcode. I've heard many people asking if there will be a similar key to require a fingerprint. If I'm right in my thinking, we won't see that. If I'm right that the current implementation otherwise diminishes security (slightly), we'll see a key to disable fingerprint sensing instead.

Update 9/22: Yup, right. The new Configuration Profile Reference has a key "allowFingerprintForUnlock" that defaults to true. So you can disable fingerprint unlock, but not enforce it. Oh, and the CCC claims it has just cracked Touch ID using a high-resolution photo.
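The policy this post arrives at (a long alphanumeric passcode that Touch ID lets you avoid typing most of the time, with the option to switch fingerprint unlock off) is expressed in a configuration profile with two payloads: a Passcode payload and a Restrictions payload carrying the `allowFingerprintForUnlock` key. The Python below is an added example, not code from the original post or from Apple: it builds such a `.mobileconfig` with `plistlib` and includes an audit helper that reads a profile back and reports whether Touch ID unlock is still allowed, treating an absent key as "allowed" because the key defaults to true. The payload types and keys are the ones documented in Apple's Configuration Profile Reference; the `com.example` identifiers and the specific numbers chosen for the policy are assumptions.

```python
import plistlib
import uuid

# Payload types from Apple's Configuration Profile Reference.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def _payload(payload_type, identifier, display_name, **keys):
    """Envelope keys that every payload inside a profile must carry."""
    p = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,       # assumption: com.example.* ids
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    p.update(keys)
    return p


def build_profile(allow_fingerprint=True, min_length=8):
    """Return a .mobileconfig (XML plist) as bytes.

    Passcode payload: force a non-simple alphanumeric passcode of at least
    min_length characters.  Restrictions payload: leave Touch ID unlock on
    (the default) so the strong passcode is only typed after a reboot or
    48 hours idle, or pass allow_fingerprint=False to switch Touch ID off.
    There is no key that *requires* a fingerprint."""
    passcode = _payload(
        PASSCODE_TYPE, "com.example.passcode", "Passcode policy",
        forcePIN=True,             # a passcode must be set at all
        allowSimple=False,         # forbid repeating/ascending sequences
        requireAlphanumeric=True,  # letters and digits, not a 4-digit PIN
        minLength=min_length,      # policy number chosen here, an assumption
        maxFailedAttempts=10,      # device wipes after this many failures
        maxInactivity=5,           # minutes of inactivity before auto-lock
    )
    restrictions = _payload(
        RESTRICTIONS_TYPE, "com.example.restrictions", "Restrictions",
        allowFingerprintForUnlock=allow_fingerprint,
    )
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode-touchid",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode and Touch ID policy",
        "PayloadContent": [passcode, restrictions],
    }
    return plistlib.dumps(profile)


def payloads_of_type(profile_bytes, payload_type):
    """All payloads of the given type inside a serialized profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def fingerprint_unlock_allowed(profile_bytes):
    """Audit helper: does this profile leave Touch ID unlock enabled?
    allowFingerprintForUnlock defaults to true, so a profile that never
    sets it, or has no Restrictions payload, still allows Touch ID."""
    for p in payloads_of_type(profile_bytes, RESTRICTIONS_TYPE):
        if not p.get("allowFingerprintForUnlock", True):
            return False
    return True


def passcode_policy_summary(profile_bytes):
    """(requireAlphanumeric, minLength) of the first passcode payload,
    or None when the profile enforces no passcode policy at all."""
    for p in payloads_of_type(profile_bytes, PASSCODE_TYPE):
        return (bool(p.get("requireAlphanumeric", False)),
                int(p.get("minLength", 0)))
    return None


if __name__ == "__main__":
    # Write the profile out so it can be inspected or pushed by an MDM.
    data = build_profile()
    with open("passcode-touchid.mobileconfig", "wb") as f:
        f.write(data)
    print("Touch ID unlock allowed:", fingerprint_unlock_allowed(data))
    print("Passcode policy (alphanumeric, min length):",
          passcode_policy_summary(data))
```

The audit helper is the useful half for administrators: run it over the profiles your MDM actually pushes, and the ones that come back `True` without an accompanying passcode payload are the devices where Touch ID is a second door next to a weak or missing passcode, which is exactly the situation the post warns about.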

In case you need another reason to update to iOS 7, here is a really long list of its security fixes

Apple has posted a remarkably long list of security vulnerabilities found in iOS 6 and fixed in iOS 7. See this link: http://support.apple.com/kb/HT5934