Henry Hoggard, Security Consultant
7 mins read
Private browsing is a feature that enables users to browse without the device storing their web history, cache or cookies. In iOS 7, users can now enable private browsing from inside Safari, whereas in iOS 6 and below, this had to be enabled in settings.
Safari web browser now offers new privacy features including a Do Not Track option. This is a header that is sent with HTTP requests, letting the website know that the user wishes to opt out of server-side tracking. Whilst many popular websites honour DNT, websites are not forced to do this.
In iOS 7, users can now define different VPN rules for each app. This allows users to channel enterprise applications alone through the corporate VPN, not their personal applications.
Unique Device Identifier/Universal Unique Identifier is a string that is used by applications to identify the device. Certain applications pass these on to third parties. This can raise privacy issues, as users can be tracked across applications by UUIDs being shared.
Applications can no longer ask for this: changes will affect all iOS 7 applications, and all new applications that are added to the app store will contain this feature for all iOS versions. Applications already in the app store can still access the device identifiers in iOS 6 and lower. Under iOS 7, applications get a completely random device identifier that changes after the user removes and installs the application.
Applications now have to request user permissions to use audio input, in the same way that applications need to request geolocation. This may prevent applications from snooping on users’ conversations. For Chinese devices, iOS requests user consent for apps to use the camera input. If the user denies the request to view the camera, the app will see a black screen.
Third party apps will be encrypted by default until they first unlock after reboot. In iOS 6, it was only the Apple default apps that were encrypted by default; for third party applications, the developer had to opt in. This is now implemented on the iPhone 3gs and newer (any device with hardware encryption). Previously, developers had to explicitly enable this, whereas now it will come by default. The built-in hardware encryption keys are protected by the device passcode, so it is advised that users use a strong password, as 4-digit codes can easily be brute-forced. However, if there is no jailbreak for iOS 7, then it may not be possible to brute force the passcode as easily.
Single Sign On has been implemented in iOS 7. Using SSO, users can log in once, and can automatically be authenticated for many other corporate apps, meaning user credentials can be shared across apps.
There are a number of new features that will make MDM solutions more powerful, including features such as configuring printers, accessibility options, whitelisting airplay destinations, installing custom fonts and wirelessly setting up apps.
In iOS 7, administrators can restrict the apps that can open corporate documents. This aims to help protect corporate data. To do this, device administrators define a list of trusted applications, preventing applications other than those from opening corporate documents. This can also be used to prevent personal documents from being opened in managed corporate apps and corporate documents from being opened in personal apps, furthering the privacy barrier between personal data and business data on the device.
Companies can now purchase app licences from the Volume Purchase Program and use their MDM solution to assign apps to employees over the air, whilst at the same time keeping full ownership and control over app licences. Apps can be revoked at any time and reassigned to other employees. Books can also be bought in the VPP.
Corporate devices can be automatically enrolled by the MDM solution and can configure devices extremely quickly. These devices can be supervised and managed over the air by the administrator.
iOS activation lock is a feature aiming to prevent thieves using stolen iOS devices. It requires the iOS password to turn off ‘find my iPhone’ or to erase the device, which will prevent thieves from wiping the device to sell or reuse.
If the user chooses to wipe the device to protect their data, there is an option to display a custom message, even after the device has been erased. This prevents thieves ever using the device. However, it is important to note that features such as activation lock may be easier to bypass if the device is Jailbroken.
iOS 7 Keychain allows users to store passwords for their usernames, WiFi credentials and credit card data on iCloud. This data is AES256 encrypted. These credentials are synchronized across all Apple devices registered with the same account, and can be used to auto-complete form fields in Safari web browser. When registering a new account, Safari offers to generate and store a strong password.
There could be potential issues with this:
Apple have made a number of improvements on GameCentre in an effort to prevent cheating on GameCentre scoreboards. To prevent tampering, score submissions will now be signed. This will enable tampered scores to be identified and rejected.
In addition to this, developers can set max score limits to reduce the number of unrealistic and impossible scores.
Airdrop Encrypted Data Transfer is a new feature in iOS 7. This enables users to transfer files securely to each other over peer to peer WiFi. The device does not need an internet connection to send and receive files. It is recommended to set device visibility to hidden, rather than to contacts or to everyone. Only iPhone 5 devices and newer can use this feature.
In iOS 7, applications can now auto update themselves. This could potentially raise issues in the future for applications loading malicious code automatically without the user knowing. This feature is optional and gives users the ability to turn off auto updates when the device is not connected to WiFi.
iOS 7 on iPhone 5s now includes a fingerprint scanner embedded in the home button. This is used to unlock the device. If the fingerprint scan fails, it will default to passcode login. This is also used to approve iTunes or app store purchases. However, CCC has already bypassed this feature, demonstrating that users should not use it as an alternative to a strong password.
Apple now offers the feature to block SMS messages, phone calls and Facetime calls from unwanted contacts. In addition to this, iOS 7 offers a Facetime audio only encrypted VOIP feature between iOS devices.
In iOS 7, notifications can be accessed from the lock screen without knowing the device passcode. This includes messages, Facebook and Twitter notifications. These notifications can be turned off from the Settings app.
At Blackhat US 2013, researchers demonstrated how to compromise an iOS device by plugging a malicious charger into it. Now, in iOS 7, the user will have to authorize the computer to use advanced functionality. If it is not authorized, it will default to standard charging mode.