New Apple operating systems bring security mysteries

Apple's march toward seamless integration between the Mac, iPhone and iPad worries some security experts who say companies may find it more difficult to prevent data leakage on the devices.

On Monday, Apple introduced Handoff, a feature in upcoming iOS 8 and Mac OS X Yosemite that would let a person start a task on one device and complete it on another. For example, an email started on the Mac could be completed later on the iPad.

[Security firm discloses Apple iOS "malicious profile" vulnerability impact on MDM]

The ability to perform tasks across devices would work with many Apple apps, such as Mail, Safari, Pages, Numbers, Keynote, Maps, Calendar and Contacts. Developers could build the functionality into their own apps as well.

While certain to please many consumers, the feature would be a concern for businesses, Richard Henderson, a threat researcher for Fortinet's FortiGuard Labs, said. Companies with liberal bring-your-own-device policies would take the greatest risks.

"There needs to be a concern for data leakage prevention," Henderson said.

Another potential source of data loss is Family Sharing, which lets family members share calendars, reminders, photos and locations across devices. Again, such apps as calendars and reminders could contain sensitive business data.

If Apple intends to be friendly to businesses, then it should let corporate IT staff turn off these features when the new operating systems are released in the fall.

"If not, you probably should have a very, very serious discussion over whether you want to let iOS devices on your network," Henderson said. "The ability for people to leak data that doesn't belong to them exists with these new technologies."

One feature that could prove useful to the enterprise is the extended use of TouchID, the application that lets a person use the fingerprint scanner on the newest iPhone to unlock the device.

Starting with iOS 8, developers will be able to tap into Touch ID in order to require a fingerprint scan to launch an app or access certain features in the app.

What companies would want is the ability to use Touch ID in enforcing their own policies for unlocking a device or using enterprise apps, Paul Madsen, principal technical architect for identity management vendor Ping Identity, said.

To be friendly to the enterprise, Touch ID would have to be configurable through mobile device management systems, which is what many companies use to control the use of business apps and the movement of corporate data.

While Apple could extend Touch ID for use in MDM systems, "I've only heard of the consumer-centric cases for Touch ID," Madsen said. Those cases have included online banking apps.

In general, many of Apple's feature announcements at its Worldwide Developers Conference in San Francisco raised lots of questions among security experts.

"Apple hasn't really released a whole heck of a lot of information on how this stuff works under the hood," Henderson said.

[Impact of EA Games hack on Apple shows ripple effect of attacks]

Therefore, researchers will start looking for answers on their own.

"Until a lot of us out there in the security sphere start to poke around and play with this stuff, we're not going to know the answers to the questions," Henderson said.

Join the CSO newsletter!

Error: Please check your email address.

Tags identity managmentoperating system securityFortinetapplicationsNetworkingnetwork security risksmanagementAppleMicrosoftsecurityData Protection | Application Securitymobile securityAccess control and authenticationsoftwaredata protectionaccess control

More about AppleEA GamesFortinetMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place