When Apple announced iOS 8, the latest version of its mobile operating system in early June, developers welcomed the company’s pledge to allow more access to system features.
Soon after, however, security experts warned that with greater functionality typically comes greater risk. While Apple will allow applications, for example, to communicate with one another through a messaging “broker,” such communications could weaken the security sandbox model, antivirus firm Symantec stated in an analysis. In addition, the company’s move to create repositories for cloud, health and home data could entice attackers to target those valuable vaults.
While Apple efforts to vet programs before allowing them in the App Store will likely continue to limit attacker’s opportunity to steal data, a significant portion of the company’s security model relies on a gated ecosystem and opening up that system could weaken defenses in unforeseen ways, Candid Wueest, a Symantec threat researcher, told eWEEK.
“These changes have a lot of potential to be beneficial, but they have risks,” he said. “I don’t suspect that we will see a hoard of trojanized apps appearing, but you are still increasing the number of attack vectors for the whole system.”
On June 2, Apple announced both iOS 8 and the latest version of its Mac OS X operating system, Yosemite. The company added a number of security enhancements including more consistent virtual private networks, anti-tracking technology to hide device identifiers and a new programming language, called Swift that includes more secure coding features. The company also stated that 83 percent of owners use the iPhone’s fingerprint technology, TouchID, to secure their phone, compared to less than half that had set a passcode on previous devices.
Yet, features that will make the phones easier to use, such as app extensions, also increase the so-called attack surface area, Wueest said. Over the past decade, security-focused software companies have attempted to minimize the possible number of ways an attacker could breach their software. By decreasing the attack surface area, the developers make it less likely that a programming mistake could result in a security vulnerability.
Features, such as app extensions, deliver compelling functionality, but increase the attack surface area, according to Symantec.
“This loosens up the concept of app sandboxes, which limit the resources an app can access and allows for a wide range of new interactions to be created,” the company stated in its analysis. “The extensions will be prescreened by Apple, like with all other iOS apps, so malicious extensions will hopefully be stopped before they are distributed to iOS device owners.”
While Symantec explored the possible avenues of attack created by the improvements to iOS 8, the company cautioned that any analysis can only be based on what Apple has announced so far.
“Since iOS 8 has not yet been released, it is unclear exactly how these features will be implemented,” Symantec stated in its blog post. “Based on the information currently available, there is a handful of security features that should enhance iOS devices’ protection levels.”