Apple iOS 4 released - Security review

Filed Under: Apple, Apple Safari, Vulnerability


Today's big tech news was the release of Apple's much-awaited iOS 4 (someone should tell them the name is already taken). The iPhone won't hit the shelves until the 24th, but iPhone and iPod Touch users can download the update today.

I am not going to comment on the general features of this OS upgrade, but I would like to point out some of the security enhancements Apple has introduced, as well as some areas that will require more work to truly be an enterprise device.

Recently I published a blog about the iPhone's hardware encryption being trivial to bypass. Fortunately, Apple has introduced a new feature they are calling Data Protection. Data Protection uses the user's PIN/passcode to encrypt their email and contact list, in addition to the built-in hardware encryption that can be bypassed.

Apple has made the API for this encryption available to third-party application developers as well. I hope to see many of these applications for the App Store taking advantage of this new protection. I also would hope to see Apple use this method to encrypt all the user content stored on the device, rather than just email and contacts. It is understandable for a phone/multimedia device to need "instant on" and not encrypt the operating system, but photos, videos, and other personal content should be protected as well.

Applications can now be deployed over-the-air (OTA) with iOS 4. This traditionally had been a huge headache for administrators, as applications could previously only be loaded from iTunes. This gets closer to the ideal world where iPhone users will not necessarily need to have iTunes loaded on their workstations to work with the iPhone. I cannot go into details yet as I have not been able to find specifications for the current release of the iPhone Configuration Utility. When I try to download it, I get the message: "Due to a scheduled upgrade of Apple's support systems, some features of the website are currently unavailable. We apologize for any inconvenience."


It strikes me as a bit odd that Apple would schedule maintenance in the middle of the day Pacific time in the US on the day of a product launch, but hey, who am I to question their maintenance schedules?

Apple also released a security advisory this afternoon with a list of security updates included in version 4 of the iPod/Phone/Pad software. There were 65 separate vulnerabilities patched in this single release. You can look at this two different ways, I suppose: "Wow! This update must be more secure than Alcatraz," or "My god, why have they waited this long to patch my iPhone!?!?" Over 50 of the vulnerabilities affected Safari and WebKit, which is the most obvious way to remotely attack an iPhone device.

Normally I would not recommend immediately going out and upgrading your devices, but with the enhanced email encryption and the laundry list of vulnerabilities fixed, I recommend updating your iDevice as soon as possible.

As more information becomes available from Apple, I will do a follow-up on how comprehensive the new enterprise features are, and how you can use them to lock down your Apple devices. If you are an iPad user, look out. Now that these vulnerabilities have been announced, criminals may try to take advantage of them to compromise your devices. According to Apple, they will provide iOS 4 for iPad sometime this fall.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.