Apple released iOS 6 last night. Not only does the new version contain 200 new features, but it also addresses a variety of vulnerabilities. However, one particular vulnerability remains unpatched. Because of the way in which iOS parses some configuration files, an exploit exists that allows hackers to pretend that an important system update (one that appears to be signed by Apple or a mobile carrier) is available for the user’s device. The signing is actually fake, so if the user installs the update, a malicious configuration file can make changes to critical system settings.
OK, so I’ve highlighted a yet-to-be-fixed Apple iOS security flaw, so what are the really cool security and privacy features of iOS 6? Read on…
Lost or had your iDevice stolen?
Apple has introduced two new security and privacy improvements for iOS 6 on iPhone, iPad and iPod Touch – Lost Mode (part of Find My iPhone) and Passbook – and has added a Privacy option which now includes more specific app permission control for Contacts, Calendars, Reminders, Photos and Bluetooth Sharing (this is a new option – see Passbook below) as well as Twitter and Facebook.
If you download and install the FREE ‘Find My iPhone’ app you will notice that it has new Lost Mode, Battery Charge Indicator and Forever Login features. Lost Mode locks your missing device with a 4-digit passcode and can then display a contact phone number right on the lock screen. Lost Mode will also keep track of your device location.
How to manage and activate Lost Mode (remember iOS 6 only)
So, what happens if you lose your iPhone, iPad or iPod Touch? Easy folks:
- Visit: https://www.icloud.com/#find
- Enter your Apple ID and password
- Click on the ‘Find My iPhone’ icon and enter your Apple ID password again
- Click Devices (top left) – this lists your activated devices
- You have the option to Play Sound, activate Lost Mode or Erase your iDevice(s)
- Click on the iCloud image (top left) to go back to the Home screen
Note: To use the ‘Find My iPhone’ features you will need to have set up iCloud and enabled ‘Find My iPhone’ via Settings.
Passbook (similar in concept to e-wallets) is a new feature that will allow you to store all your digital tickets, boarding passes, store cards and coupons in an easy-to-access app. The idea of Passbook is that it will give you additional information, such as a pop-up message highlighting a ticket or reward card which can be redeemed. As my blog is about security and privacy, it’s good to know that this app comes with a virtual shredder which securely deletes your card or voucher. I’ve no idea right now on the encryption standard used.
Note to media who are misunderstanding why Apple isn’t taking the NFC route: Passbook isn’t relying on NFC, which most if not all of the Contact Payments industry is moving to. It relies on Bluetooth 4.0 technology. Also note, Passbook isn’t fully baked into iOS 6 right now – nor are there many apps that have enabled Passbook.
I’ve some interesting questions for Apple’s security team – do Apple look for malware and malicious behaviour by developers? Do they audit iOS code? Can iOS be reverse engineered to reveal algorithms, weak points and operating system logic? Apple believes its anti-tamper technology is hardened sufficiently to stop reverse engineering – is this actually the case? Right now, these are questions that Apple are probably looking for answers to, or might already have them.
Safe surfing folks!