Apple’s new iOS 8 mobile operating system, released Sept. 17, brings users new features along with a renewed focus from Apple on security and privacy.
In a new section of Apple’s Website, the mobile giant details its commitment to user privacy. “At Apple, your trust means everything to us,” Apple CEO Tim Cook stated in a letter posted on the new Apple privacy site. “That’s why we respect your privacy and protect it with strong encryption, plus strict policies that govern how all data is handled.”
Apple’s security and privacy policies have come under scrutiny several times this year: security researchers have questioned whether Apple works with governments to provide backdoor access, and earlier this month dozens of celebrities were victimized by an attack.
“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” Cook stated. “We have also never allowed access to our servers. And we never will.”
Going a step further, Apple’s new privacy Website states that, for devices running iOS 8, Apple cannot comply even with a lawful government request for a user’s on-device data. User data, including email, call history and photos, is protected by the user’s passcode.
“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” Apple states. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
Security Patches
In addition to Apple’s privacy site and commitments to user security, iOS 8 also includes patches for 56 vulnerabilities that span the mobile operating system’s feature set.
By volume, the largest number of patches affects WebKit, the browser-rendering engine used by Safari. Thirteen common vulnerabilities and exposures (CVEs) in WebKit are fixed in iOS 8, and 12 of them are memory-corruption issues that could lead to arbitrary code execution.
The other WebKit issue fixed in iOS 8, CVE-2014-4409, could have enabled a Website to track a user even while Safari was in private browsing mode, which is meant to leave no user data, cookies or history behind.
“A Web application could store HTML 5 application cache data during normal browsing and then read the data during private browsing,” Apple’s advisory states. “This was addressed by disabling access to the application cache when in private-browsing mode.”
iCloud Accounts
One noteworthy vulnerability is CVE-2014-4423, an issue that could enable a malicious application to learn the user’s Apple ID, the primary account name tied to an iOS device.
“A sandboxed application could get information about the currently active iCloud account, including the name of the account,” Apple stated. “This issue was addressed by restricting access to certain account types from unauthorized applications.”
There is also a pair of fixes (CVE-2014-4384 and CVE-2014-4386) for vulnerabilities that could have enabled installation of an unverified, potentially malicious app on an iOS device.
“A local attacker could have retargeted code signature validation to a bundle different from the one being installed and cause installation of an unverified app,” Apple warned.
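Apple’s advisory does not say how the validation was retargeted, so the following is an added illustration of the general bug class rather than Apple’s code: an installer that validates a signature by path and then installs by path gives a local attacker a window in which to point that path at a different bundle. The installer, the bundles and the SHA-256 allowlist standing in for a real code-signature check are all constructed here.

```python
"""Check-then-use on a bundle path (illustration, not Apple's installer).

install_vulnerable() validates whatever the path names at validation time and
copies whatever the path names at install time. install_fixed() reads the
bundle once and validates and installs those same bytes.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for a code signature: the digest of the only bundle
# content this hypothetical installer trusts.
SIGNED_DIGEST = hashlib.sha256(b"signed app v1").hexdigest()
UNSIGNED_DIGEST = hashlib.sha256(b"unsigned payload").hexdigest()
TRUSTED_DIGESTS = {SIGNED_DIGEST}


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def install_vulnerable(bundle_path, dest_dir, during_install=None):
    """Validate by path, then install by path: the path is resolved twice."""
    if sha256_of(bundle_path) not in TRUSTED_DIGESTS:
        raise PermissionError("code signature invalid")
    if during_install:
        during_install()                 # the attacker's window
    target = os.path.join(dest_dir, "installed.app")
    shutil.copyfile(bundle_path, target)  # bundle_path is resolved again here
    return sha256_of(target)


def install_fixed(bundle_path, dest_dir, during_install=None):
    """Read once, validate those bytes, install those bytes."""
    with open(bundle_path, "rb") as f:
        data = f.read()                  # the path is resolved exactly once
    if during_install:
        during_install()                 # retargeting the path changes nothing now
    if hashlib.sha256(data).hexdigest() not in TRUSTED_DIGESTS:
        raise PermissionError("code signature invalid")
    target = os.path.join(dest_dir, "installed.app")
    with open(target, "wb") as f:
        f.write(data)
    return sha256_of(target)


def race(installer):
    """Run an installer while a local attacker atomically retargets the bundle
    path at an unsigned bundle between validation and installation.
    Returns the digest of whatever ended up installed."""
    work = tempfile.mkdtemp()
    bundle = os.path.join(work, "bundle.app")
    unsigned = os.path.join(work, "unsigned.app")
    with open(bundle, "wb") as f:
        f.write(b"signed app v1")
    with open(unsigned, "wb") as f:
        f.write(b"unsigned payload")
    swap = lambda: os.replace(unsigned, bundle)   # constructed attacker move
    try:
        return installer(bundle, work, during_install=swap)
    finally:
        shutil.rmtree(work)


def rejects_unsigned(installer):
    """Hand the installer an unsigned bundle with no race; True if it refuses."""
    work = tempfile.mkdtemp()
    bundle = os.path.join(work, "bundle.app")
    with open(bundle, "wb") as f:
        f.write(b"unsigned payload")
    try:
        installer(bundle, work)
        return False
    except PermissionError:
        return True
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("vulnerable installer shipped unsigned bytes:",
          race(install_vulnerable) == UNSIGNED_DIGEST)
    print("fixed installer shipped the validated bytes:",
          race(install_fixed) == SIGNED_DIGEST)
```

Both installers refuse an unsigned bundle when nothing races them; the difference is only visible when the path is retargeted between the check and the copy, which is why validating and installing from the same in-memory (or privately staged) copy closes the window.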
Another noteworthy flaw fixed in iOS 8 concerns the update check itself. Users are often advised to keep their devices and apps up-to-date in order to stay secure, but CVE-2014-4383 could have enabled an attacker to trick a device into believing it was up-to-date when it was not.
“A validation issue existed in the handling of update check responses,” Apple stated. “Spoofed dates from ‘Last-Modified’ response headers set to future dates were used for ‘If-Modified-Since’ checks in subsequent update requests. This issue was addressed by validation of the ‘Last-Modified’ header.”
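The mechanism in the advisory is ordinary HTTP conditional-request logic turned against the client: a spoofed reply carrying a far-future Last-Modified is remembered and echoed back as If-Modified-Since, after which a legitimate server honestly answers 304 Not Modified for every real update published before that date. The following added model (not Apple’s update code) plays that out; the update server, the timeline, the attacker’s reply (assumed to come from someone in the network path) and the specific validation rule, which discards a Last-Modified later than the device’s clock, are all assumptions here, since the advisory only says the header is now validated.

```python
"""Model of a Last-Modified / If-Modified-Since spoof against an update check
(illustration, not Apple's code)."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed timeline: the device checks on day 0 and gets a spoofed reply,
# a real update is published on day 1, and the device checks again on day 2.
DAY0 = datetime(2014, 9, 17, tzinfo=timezone.utc)
UPDATE_PUBLISHED = DAY0 + timedelta(days=1)
DAY2 = DAY0 + timedelta(days=2)


def http_date(dt):
    return format_datetime(dt, usegmt=True)


class UpdateServer:
    """Legitimate server with standard conditional-GET semantics."""

    def __init__(self, published):
        self.published = published

    def respond(self, req_headers):
        ims = req_headers.get("If-Modified-Since")
        if ims and parsedate_to_datetime(ims) >= self.published:
            return 304, {}
        return 200, {"Last-Modified": http_date(self.published)}


def attacker_response():
    """Constructed spoofed reply: the current build was 'modified' ~50 years from now."""
    return 200, {"Last-Modified": http_date(DAY0 + timedelta(days=365 * 50))}


class UpdateClient:
    def __init__(self, validate_last_modified):
        self.validate = validate_last_modified
        self.last_modified = None     # becomes the next If-Modified-Since

    def request_headers(self):
        if self.last_modified is None:
            return {}
        return {"If-Modified-Since": http_date(self.last_modified)}

    def consume(self, status, headers, now):
        """True if a fresh (200) reply arrived, False if the server said 304."""
        if status == 304:
            return False
        lm = parsedate_to_datetime(headers["Last-Modified"])
        if self.validate and lm > now:
            # Assumed fix: a modification time in the future cannot be genuine,
            # so it must never become the next If-Modified-Since.
            return True
        self.last_modified = lm
        return True


def run_scenario(validate):
    """Returns whether the client sees the day-1 update on its day-2 check."""
    client = UpdateClient(validate)
    client.consume(*attacker_response(), now=DAY0)       # day 0: spoofed reply
    server = UpdateServer(UPDATE_PUBLISHED)              # day 1: real update
    status, headers = server.respond(client.request_headers())
    return client.consume(status, headers, now=DAY2)     # day 2: honest answer


if __name__ == "__main__":
    print("unvalidated client sees the update:", run_scenario(validate=False))
    print("validating client sees the update:", run_scenario(validate=True))
```

The legitimate server in the second round behaves correctly throughout; the only thing that changes between the two runs is whether the client is willing to remember a timestamp from the future, which is why the fix lives in client-side validation of the header rather than on the server.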
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.