
Apple iOS 8 security features: What they mean for enterprise security

Expert Lisa Phifer discusses new Apple iOS 8 security features and potential pitfalls, as well as the enterprise security ramifications of new iOS features, including Extensions, Family Sharing and Apple Pay.

According to Apple CEO Tim Cook, 98% of Fortune 500 companies use iOS, the operating system that powers iPhones and iPads.

However, core business app use remains low, driving Apple to add a slew of new enterprise-grade features to appeal to IT -- including iOS 8 security and management capabilities.

In this tip, let's examine what security professionals should know about these iOS 8 additions and their impact on enterprise security.

Hardening iOS 8 against attacks

Apple's iOS 8 release included dozens of security patches, including kernel, WebKit, Safari and wireless bug fixes that close privilege escalation holes, prevent passcode/lock screen bypass attacks, avoid Wi-Fi LEAP downgrade and Bluetooth attacks, randomize Wi-Fi MAC addresses, deter unauthorized code installation and execution, and remove vulnerabilities in built-in debug tools.

Due to these fixes, file relay and packet capture debug tools that previously enabled remote surveillance via Wi-Fi have been limited to USB debug use. Additionally, an attacker in possession of an iOS device can no longer access photos or exceed failed passcode limits. The factory-set Wi-Fi address used by each iPhone or iPad to scan for available WLANs has now been randomized to deter unauthorized tracking, thereby improving privacy for workers as they move through public and retail venues.


Apple publishes the complete list of security fixes for iOS 8, 8.1 and 8.1.1.

Of course, no release is perfect; new iOS jailbreaks have already emerged for iOS 8.1.2. Apple users must remain vigilant by avoiding jailbreaks, non-App Store apps and untrusted USB connections.

Strengthening iOS 8 for the enterprise

New iOS 8 security features and policy controls include the following:

Passcode protection for more stored data: iOS 8 expands content encrypted by default. Protected data now includes iOS native calendar items, contacts, email, messages, notes and reminders, as well as all third-party application data. This means there is no unencrypted app data left to be accessed without the user's passcode or fingerprint, which reduces the risk posed by a lost, stolen or seized device.

More protection for data in transit: iOS 8 adds IT-controlled, always-on VPN (reducing risk of wireless data leak) and per-message S/MIME encryption (extending end-to-end email security).

Expanded single sign-on support: iOS 8 allows enterprise certificates to be used for SSO, transparently logging users onto enterprise apps in a more robust manner.

Expanded Touch ID use: The option of using fingerprint authentication as a second factor, introduced in the iPhone 5s, is reportedly driving most users to enable passcodes. With Touch ID, users can enter their passcodes infrequently, instead using fingerprints for routine unlocking. iOS 8 extends Touch ID functions, allowing fingerprints to unlock App Store and Apple Pay purchases, as well as third-party apps that store their credentials in the device's keychain.

Stronger data leak protection: The Managed Open In feature, introduced in iOS 7, can now be used with more content types and managed applications in iOS 8. In addition, administrators have increased visibility into and control over iCloud backup in iOS 8, using mobile device management (MDM) to limit data copied to iCloud. Apple also now provides more transparency into how content types are encrypted by iCloud.

More location data privacy: In response to location-tracking concerns, earlier iOS versions added more granular control over application access to device location data. iOS 8 adds a third "when app is open" option that permits access in a more visible manner, reducing the possibility of silent background tracking.

Cradle-to-grave management: iOS 8 introduces new IT-configurable restrictions, including disabling local data erase and device reset, preventing user-added restrictions, and managing browser, PDF and book downloads. Apple's new Device Enrollment Program (DEP) also lets employers "pre-enroll" corporate-purchased iOS devices, which helps prevent use without MDM control and blocks MDM removal. These features reduce the value of stolen iPhones and iPads, while giving IT departments full lifecycle control.
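As an added check that is not part of the article and not Apple's or any MDM vendor's code, the Python script below audits an MDM configuration profile (.mobileconfig) for the restriction keys that implement the Managed Open In, iCloud backup and erase/reset controls described above. The restriction key names are Apple's documented ones; the sample profile is constructed, and which keys a given MDM product exposes (and which need a supervised device) is assumed.

```python
import plistlib

# Restrictions-payload keys from Apple's configuration profile reference that map to the
# iOS 7/8 controls described above, with the value a locked-down BYOD policy expects.
# Key names are real; which ones your MDM exposes (and supervision needs) is an assumption.
EXPECTED = {
    "allowOpenFromManagedToUnmanaged": False,  # Managed Open In (iOS 7+)
    "allowOpenFromUnmanagedToManaged": False,
    "allowCloudBackup": False,                 # limit data copied to iCloud
    "allowManagedAppsCloudSync": False,        # iOS 8: managed apps do not sync via iCloud
    "allowErasingContentAndSettings": False,   # iOS 8 (supervised): no local erase/reset
    "allowEnablingRestrictions": False,        # iOS 8 (supervised): no user-added restrictions
    "forceEncryptedBackup": True,
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

def audit_profile(profile_bytes):
    """Parse a .mobileconfig (XML plist) and return sorted findings, [] if compliant."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["no restrictions payload (%s) present" % RESTRICTIONS_TYPE]
    merged = {}
    for p in payloads:          # a profile may carry several restriction payloads
        merged.update(p)
    findings = []
    for key, want in EXPECTED.items():
        if key not in merged:   # an absent key silently leaves the permissive default
            findings.append("%s: not set (device default applies)" % key)
        elif merged[key] != want:
            findings.append("%s: is %r, expected %r" % (key, merged[key], want))
    return sorted(findings)

# Constructed, minimal sample profile (no real identifiers): Managed Open In is locked
# down, but iCloud backup is still allowed and the iOS 8 erase/reset key is missing.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>allowOpenFromManagedToUnmanaged</key><false/>
    <key>allowOpenFromUnmanagedToManaged</key><false/>
    <key>allowCloudBackup</key><true/>
    <key>allowEnablingRestrictions</key><false/>
    <key>forceEncryptedBackup</key><true/>
  </dict></array>
</dict></plist>"""
```

Running `audit_profile(SAMPLE_PROFILE)` reports the allowed iCloud backup and the two missing iOS 8 keys; an empty list means the profile matches the expected policy.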

New iOS 8 features with security implications

Beyond these security features, iOS 8 introduced many new capabilities with significant implications for enterprise security. The most notable include new software development kit (SDK) application programming interfaces (APIs), document handoff, photo sharing, Family Sharing between devices and Apple Pay.

More than 4,000 new SDK APIs were added in iOS 8, greatly increasing the "openness" of the iOS ecosystem for third-party application and device development. These APIs fall into several distinct categories, including CloudKit APIs to enable iCloud use by enterprise apps, HealthKit and HomeKit APIs to enable communication with wearables and smart home devices, and Extensions to enable iOS-mediated inter-app communication.

Most notably, Extensions opens the strongly sandboxed iOS environment to third-party keyboards, notification widgets, file sharing, photo editing, custom actions and document sharing (governed by Managed Open In rules). While Extensions significantly increases the attack surface afforded by iOS, apps still do not interact directly in iOS 8. Rather, iOS mediates interaction between host and consuming apps, keeping apps in their own address space and preventing the sharing of user-facing data. It remains to be seen whether Extensions will strike the right balance between openness and malware risk.

The increased content-sharing options offered by iOS 8 raise concerns about accidental data leakage on mixed-use employee-owned devices. For example, photos may now be streamed across all devices using the same Apple ID, which could result in accidental sharing of photos taken for business purposes. Similarly, Family Sharing extends content synchronization to other Apple IDs, distributing content to all devices within (for example) an employee's family. Here again, caution and policy controls are advised to leverage these new features without endangering enterprise data.

Finally, one of the most touted features introduced with iOS 8 is Apple Pay. With Apple Pay, iPhone 6 owners can use their device, Apple Passbook and Touch ID to authorize point-of-sale purchases via near field communication (NFC). Apple Pay uses the Secure Element inside each device to store and protect credentials (such as credit card data). To authorize a contactless transaction, the user touches his or her phone's Touch ID fingerprint reader (or enters the device's passcode). Payment data is then relayed securely via NFC to a merchant's contactless point-of-sale terminal.

Apple Pay creates new opportunities for both businesses accepting payment transactions and those wishing to pay for employee purchases. Regarding the latter, there are two ways to provision an iOS device with a payment card: manually or through iTunes. Neither enables IT control over employee payment via corporate credit card. No doubt this will be another area with IT-configurable profiles and restrictions in a future iOS release. For now, employers must realize that encrypted payment data may be carried on iOS 8 devices; this should be added to policies governing IT control and backup of employee-owned devices.

These are just a few new features found in iOS 8. Apple will continue its march into the enterprise in the future. For example, Apple and IBM recently introduced a suite of new applications designed for enterprise use. Hardening iOS, extending IT control over iOS, and facilitating third-party development for iOS devices are all important steps in realizing Apple's enterprise vision.

Security professionals must maintain awareness with each new version of Apple iOS, taking advantage of new security features while assessing newly created potential vulnerabilities.

About the author:
Lisa Phifer owns and is president of Core Competence Inc., a consulting firm specializing in leading-edge network technology. She has been involved in the design, implementation and evaluation of networking and security products for over 30 years. She has advised companies large and small regarding needs, product assessment and the use of emerging technologies and best practices.


This was last published in January 2015
