Apple announced a major milestone in its ongoing campaign for user security and privacy when it unveiled iOS 13 at WWDC 2019. With forthcoming features like the “Sign in with Apple” service and finer controls over location tracking, Apple continues to build on its commitment to protecting consumer data and privacy at a time of heavy public concern about this issue. Before iOS 13 officially launches in September, IT teams should familiarize themselves with these new privacy features and prepare for some administrative changes to the iPhone enrollment process.
During WWDC 2019, Apple gave the internet plenty to talk about over the next few months when it introduced multiple new and improved features for iOS as well as iPadOS, the new standalone operating system for iPads. While many of these developments are intended to boost the performance and user experience of the iPhone and iPad, perhaps the most significant advancements announced for the operating systems are the ones related to security and privacy. While these factors might not always be top of mind for consumers, they are top priorities for businesses with mobile workforces.
iOS 13 Security & Privacy Features
‘Dark mode’ and a swipeable keyboard may have iPhone users eager for the launch of the new iOS, but here’s what the security community is paying special attention to:
- A new privacy feature called ‘Sign in with Apple’ lets users log into accounts and apps with their Apple ID without handing over their real email address, which Apple says will protect users from third-party apps that want to track them.
- Users can also choose to share or hide their email address, and can ask Apple to generate a random relay address for an app or service that forwards to their real address, masking the user’s identity without forcing them to maintain a throwaway account.
- Restrictions on location tracking: when users grant an app permission to access their location, they can choose to allow it only once, so the app has to ask again next time. Apple also closes a common workaround by stopping apps from inferring location from nearby Wi-Fi and Bluetooth signals without location permission.
iOS 13 will also introduce the option to send spam calls straight to voicemail and silence unknown callers.
Privacy Track Record
Apple has been a longtime proponent for user privacy. The company has maintained this stance through continuously delivering technologies that safeguard users from some of the pitfalls created by other tech giants, which rely on user data for targeted advertising revenue. At WWDC 2018, Apple unveiled a new feature for its Safari browser in iOS 12 that blocks third-party trackers and browser fingerprinting. In May 2019, Apple introduced a new Safari feature that blocks advertisers from following users across the internet and harvesting personal details.
Concerns over data privacy have expanded rapidly over the past decade, in tandem with the rise of the smartphone. In 2012, the Federal Trade Commission fined Google $22.5 million over charges that it had bypassed privacy settings in the Safari browser in order to track users and show them ads. In 2018, it was revealed that 50 million Facebook profiles had been harvested by Cambridge Analytica without consent and used for political advertising purposes. And Amazon has come under fire recently over allegations that its new Echo Dot Kids Edition is recording children’s voices without their consent or the consent of their parents.
While there are countless examples of data privacy controversies in the digital age, Apple has found itself on the opposite side of some major privacy disputes.
The most notable case was in February 2016, when the FBI obtained a court order demanding that Apple create a version of iOS that would let the FBI circumvent the device’s security controls. The FBI was investigating the 2015 San Bernardino terrorist attack and wanted to inspect the contents of an iPhone belonging to one of the attackers. Apple contested the order, arguing that it would “undermine the very freedoms and liberty our government is meant to protect.” Eventually, the FBI unlocked the device with the help of an outside firm and withdrew its request, but Apple’s refusal to build a weakened version of iOS made a bold statement about the company’s stance on privacy.
Security beyond the OS
The iPhone has been widely adopted across the business world, and security is undoubtedly a significant factor in purchasing decisions. Today, individual and corporate data are constantly at risk, so it’s encouraging that the provider of one of the world’s most popular smartphones is prioritizing security and data privacy.
While iOS 13 will continue to improve the security of iPhones, there are still numerous cyber threats that users and businesses need to remain conscious of. Each new iteration of an operating system brings security patches and enhanced features, but cybercriminals are constantly finding new ways to bypass safety measures and exfiltrate data as well as dupe users through social engineering techniques.
Businesses need an enterprise-grade mobile security solution to defend against cyber threats like phishing, malware and man-in-the-middle attacks, which go beyond basic operating system safeguards. This is what a mobile threat defense solution like Wandera provides as a complement to Apple’s security functionality.
Like Apple, Wandera is strongly committed to keeping users and their private information safe. With the recent launch of our Secure Access Layer, a new functionality that preserves privacy for end users, we are arming businesses with an ever-evolving solution to prevent mobile cyber threats without compromising user privacy.
Along with the updates mentioned above, Apple is rolling out some big privacy and security changes behind the scenes that will impact businesses, including a new enrollment process for BYOD (bring your own device) environments.
Apple has long provided Mobile Device Management (MDM) so that organizations can carry out automated device provisioning and maintenance. Under the traditional device enrollment model, administrators are able to exert substantial control over managed devices, with the ability to:
- List the apps installed on a device and install new ones
- Completely erase a device
- Clear a device passcode (essentially unlocking a device)
- Set long, complex passcode requirements
- Configure device-wide VPN and Wi-Fi proxy
- View device identifiers like the IMEI, Serial Number, and UDID
Over the last few years, many businesses have shifted from COBO (corporate-owned-business-only) to COPE (corporate-owned-personally-enabled) and BYOD models.
To reflect this changing ownership landscape, Apple has announced User Enrollment, a new MDM enrollment mode designed to offer a more privacy-oriented approach to enabling mobile devices with enterprise data access. According to the full list of features on the iOS 13 preview page, User Enrollment strikes a healthy balance between user privacy and data security.
In a move similar to Google’s Android Enterprise work profile, Apple’s new User Enrollment functionality creates a separate, cryptographically isolated managed partition on the device, tied to a separate Managed Apple ID that the organization controls. This allows admins to install and manage corporate apps and data, but does not let them see, alter or erase anything personal outside of the managed partition.
With User Enrollment, many of the controls available to IT administrators for device-level enrollments are restricted or removed completely. Even the way users onboard themselves onto the service is different, with a single page that outlines all of an organization’s privacy policies and the technical limitations User Enrollments impose.
For devices enrolled with User Enrollment:
- Installing and deleting apps and files is only possible within a managed partition
- Only managed apps may be seen by administrators
- Passcode policy is limited to requiring a six-digit passcode; longer or more complex requirements cannot be enforced
- Only per-app VPN can be configured, and only for the managed apps and the mail, contacts and calendar accounts that the organization installed
Basically, everything personal on a User-Enrolled device remains outside of the managed area and cannot be viewed or edited by admins, which is a fitting enrollment model for privacy-centric environments.
Single Sign-On Extension
Apple is releasing a new single sign-on extension mechanism for identity providers (such as Okta, OneLogin, IBM Cloud Identity and Azure Active Directory), to help streamline logins to enterprise applications and cloud services. The single sign-on extension is developed by the identity provider and bundled as part of its mobile app. The extension is then configured via an MDM profile in which admins specify details about their identity provider, such as its hostnames and other identifiers. Finally, enterprise-oriented apps like Box and Salesforce do not need a bespoke integration: when such an app makes a normal authentication request to the identity provider’s configured URLs, the system routes it through the SSO extension, which vastly reduces complexity and the number of one-off integrations.
Ultimately, the goal of this extension is to make it easier for mobile devices to take advantage of the security benefits of single sign-on. In particular, the extension can bring device-bound factors into the login flow, acting as a second factor and reducing the effectiveness of password-based attacks. While these capabilities are exciting and enabling, they also widen the attack surface available to a malicious app, which makes the security capabilities offered by Mobile Threat Defense solutions all the more important.
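For reference, this is what the MDM side of the flow described above looks like: an Extensible Single Sign-On payload that tells iOS which identity-provider extension to load and which URLs it should intercept. This is an added example, not a profile from the original post, from Wandera or from any named identity provider; the extension bundle identifier, team identifier, hostnames and UUIDs are hypothetical placeholders that a real identity provider’s documentation would supply.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <!-- Hypothetical identifiers; replace with your organization's own. -->
  <key>PayloadIdentifier</key>
  <string>com.example.mdm.sso</string>
  <key>PayloadUUID</key>
  <string>9B2F3C44-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key>
  <string>Example identity provider SSO</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.mdm.sso.extension</string>
      <key>PayloadUUID</key>
      <string>9B2F3C44-0000-4000-8000-000000000002</string>

      <!-- Bundle identifier of the SSO extension shipped inside the
           identity provider's app, and the Apple developer team that
           signed it (both placeholders here). iOS will only load an
           extension whose identifier and team match this payload. -->
      <key>ExtensionIdentifier</key>
      <string>com.example.idp.sso-extension</string>
      <key>TeamIdentifier</key>
      <string>ABCDE12345</string>

      <!-- A Redirect extension handles browser-style (OAuth/OIDC-like)
           logins. Requests whose URL starts with one of these prefixes
           are handed to the extension instead of going out directly. -->
      <key>Type</key>
      <string>Redirect</string>
      <key>URLs</key>
      <array>
        <string>https://login.example.com/</string>
        <string>https://auth.example.com/oauth2/</string>
      </array>

      <!-- Free-form settings passed through to the extension; the keys
           here are invented and depend entirely on the vendor. -->
      <key>ExtensionData</key>
      <dict>
        <key>tenant</key>
        <string>example-corp</string>
        <key>requireDeviceTrust</key>
        <true/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Two practitioner checks follow from this structure. First, the URL list is the trust boundary: any app that can make the device send a request to one of those prefixes will have the extension invoked, so the list should contain only the identity provider’s own login endpoints. Second, because the extension runs inside a signed app identified by `ExtensionIdentifier` and `TeamIdentifier`, keeping that app patched and verifying those values against the vendor’s documentation is part of protecting the login flow.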