Apple iOS 7: A Security Overview


Perhaps the highest profile security feature of the combined iPhone 5s and iOS 7 is the built-in fingerprint scanner. The initial response from users is favorable, but its real value, or lack of it, will only become apparent after months of use – and perhaps, misuse. Indeed, security researcher Nick DePetrillo has launched a crowd-sourced prize fund for the first person to demonstrate that Apple's Touch ID can be hacked.

"In the past," reports Forbes, "researchers have cracked various fingerprint readers with silly putty, gelatin, corpse fingers, and on one episode of Mythbusters, even a printed fingerprint on a sheet of paper. But Apple promises that its reader can sense beyond the top layer of a user’s skin, and includes a 'liveness' test that prevents even a severed finger from being used to access a stolen phone."

Marcus Chambers, general manager and VP EMEA at Good Technology, warned Infosecurity that "Touch ID shouldn't be considered a security cure-all. This is especially true in the context of BYOD, where devices are likely to have multiple fingerprints registered to the device." Controlling access to the device is important, he suggests, but not as important as controlling access to the data on the device. 

"Imagine a husband having fingerprint access to his wife's personal iPad that she also uses for business," he continues. "We wouldn't want the husband to have inappropriate access to Enterprise apps and data, but at the same time what right does a company have to limit use of a personal device at home?" Companies should not, therefore, be lulled into thinking that fingerprint authentication to the device is the same as user authentication to the data on that device.

A second new feature garnering much comment is the new Activation Lock. "Past iPhones," explains NBC News, "let you remotely trace, lock, wipe or even send messages to your stolen phone, in hopes of recovering your device, or at least erasing your info so others couldn't steal your identity. Now, Activation Lock really ties your device to your iCloud account, in a way that will make it very hard for bad guys to prep it for resale."

This will undoubtedly make it harder for the opportunist street thief to resell a stolen iPhone; but to what extent it will be able to forestall the latest or future forensic tools remains to be seen. It also promotes increased use of iCloud, whose security has already been called into question by some Edward Snowden/NSA leaks.

Chambers explained the significance of iCloud to Infosecurity. "Apple is now offering a service, which will store passwords and credit card details. The information can then be auto-filled when signing into a website or making a purchase. A great idea, but users need to be wary of what information is stored and ready for auto-fill. In this regard it’s not too different from many other services out there, but being incorporated into iCloud it’s likely to get significantly more use.

"Our lives require different containers," he continued. "Am I comfortable having my Facebook or Twitter password saved on iCloud ready for auto-fill? Probably. Am I comfortable having passwords for a banking app or an app that contains sensitive corporate data? Not on your life."

In some ways, however, iOS 7 is about apps and the enterprise, with over 40 new features specifically focused on business use. "First," comments Nigel Hawthorn, EMEA marketing director at MobileIron, "iOS data protection is now automatically applied to third-party apps." Second, he says, "there are new levels of control to prevent unauthorized apps from accessing corporate content and corporate apps from accessing unauthorised content." And third, "new web filtering allows IT to apply whitelist / blacklist policies through the EMM [enterprise mobility management] platform to all browsers on the iOS 7 device."

In short, Apple seems to have fully recognized the BYOD movement it was instrumental in creating, and has responded with improved security features for the enterprise market.
