New features in iOS 8 in light of BYOD and corporate security

iOS-based devices have a large share in the enterprise, which assures a strong demand for BYOD-oriented security features. A number of them arrive in iOS 8.

iOS 8 arrived almost a week ago with less than the usual fanfare. The few visual changes are insignificant, but it has a lot going on under the hood especially in terms of security.

Apple revealed that it had patched 53 vulnerabilities from earlier versions, some of them quite serious. One, for instance, allowed remote attackers to recover credentials by offering LEAP authentication from a crafted Wi-Fi access point and then performing a cryptographic attack against the MS-CHAPv1 hash.

Other, more dangerous vulnerabilities could have allowed local users to escalate privileges, install unverified apps, or execute code with kernel or system privileges.

iOS 8 arrived with digital band-aids, bandages, plasters and insecticides to eradicate those bugs, but there is even more to it than patches.

Interestingly, Apple emphasizes security features oriented to the enterprise. This is by no means surprising, given that for years iOS devices have been dominating the ancestral lands of the once-glorious BlackBerry: the share of Apple’s smartphones may be slimmer than that of Android, but iOS holds 88% of enterprise app activations, according to Q2 2014 data from enterprise mobile services vendor Good Technology. Android is growing, but remains far behind for now.


That also means there is a strong demand for BYOD security features in the enterprise segment. How has Apple responded?

1. Expanded data protection: passcode protection now covers all the major data types, including all third-party apps together with the native Calendar, Contacts, Mail, Messages, Notes and Reminders. Their data remains protected by the passcode until the device is first unlocked after a reboot.

2. Per-message S/MIME: allows users to sign and encrypt individual messages for finer control over mail encryption. This matters because not every message needs to be encrypted (not all e-mail software can handle S/MIME), while encrypting sensitive messages end-to-end is sound security practice. Apple explains the procedure on its Support website.

3. MDM features include new device restrictions that prevent users from adding their own restrictions or wiping their devices. This is an obvious enterprise-oriented feature – insurance against occasional (or not-so-occasional) wiping of a corporate-owned device by its current user. IT departments can also see the last time a device was backed up to iCloud, so they know whether it’s safe to perform certain tasks. A new remote management UI makes enrolling, and understanding the impact of MDM, easier and more transparent for users. MDM also enables IT staff to help users authenticate to enterprise apps using certificate-based single sign-on (SSO).

4. Certificate support for SSO in iOS 8 allows certificate-based single sign-on for users authenticating to enterprise apps. Simply put, users can switch between enterprise apps without having to enter their passwords every time.

5. Document management rules: IT departments can control which apps may open documents downloaded from enterprise domains using Safari. They can also set up rules controlling which apps may open documents from iCloud Drive. iBooks, ePub and PDF documents can now be pushed automatically to user devices using the aforementioned MDM tools, and removed remotely when they are no longer needed.
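In practice, the restrictions from item 3 and the Safari document rules from item 5 reach the device as keys inside an MDM configuration profile. The following Python script is an added example, not code from the original post or from Apple's tooling: it embeds a constructed sample profile and audits it for the keys that implement those two features (allowEraseContentAndSettings and allowEnablingRestrictions in the com.apple.applicationaccess payload, WebDomains in the com.apple.domains payload), reporting anything missing or weaker than expected. The payload types and key names are Apple's as published for iOS 8; the identifiers, UUIDs and domains in the sample are made up, and the script assumes an unsigned XML profile (a signed .mobileconfig would need its CMS wrapper removed first).

```python
import plistlib

# Constructed sample profile (not a real deployment). It carries a Restrictions
# payload with the two iOS 8 supervised-device keys from item 3 and a Managed
# Domains payload from item 5. Identifiers, UUIDs and domains are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.byod.ios8</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Example corporate-device restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.byod.ios8.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>allowEraseContentAndSettings</key><false/>
      <key>allowEnablingRestrictions</key><false/>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.domains</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.byod.ios8.domains</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>EmailDomains</key><array><string>example.com</string></array>
      <key>WebDomains</key><array><string>intranet.example.com</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# (payload type, key, value we expect, what the setting enforces).
# The first two are the iOS 8 keys behind item 3; the third is the iOS 7
# managed open-in restriction that the Safari domain rules in item 5 rely on.
EXPECTED = [
    ("com.apple.applicationaccess", "allowEraseContentAndSettings", False,
     "user cannot wipe the device"),
    ("com.apple.applicationaccess", "allowEnablingRestrictions", False,
     "user cannot add their own restrictions"),
    ("com.apple.applicationaccess", "allowOpenFromManagedToUnmanaged", False,
     "managed documents cannot be opened in unmanaged apps"),
]


def payloads_by_type(profile_bytes):
    """Parse an unsigned XML profile and index its payloads by PayloadType."""
    profile = plistlib.loads(profile_bytes)
    by_type = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload["PayloadType"], []).append(payload)
    return by_type


def audit_profile(profile_bytes):
    """Return a list of findings; an empty list means the profile meets EXPECTED."""
    by_type = payloads_by_type(profile_bytes)
    findings = []
    for ptype, key, expected, meaning in EXPECTED:
        payloads = by_type.get(ptype)
        if not payloads:
            findings.append(f"missing payload {ptype} ({meaning})")
            continue
        actual = payloads[0].get(key)
        if actual is None:
            # Restriction keys default to the permissive value when absent.
            findings.append(f"{ptype}: {key} not set, default allows ({meaning})")
        elif actual != expected:
            findings.append(f"{ptype}: {key}={actual!r}, expected {expected!r} ({meaning})")
    domains = by_type.get("com.apple.domains")
    if not domains or not domains[0].get("WebDomains"):
        findings.append("com.apple.domains: no WebDomains, so Safari downloads "
                        "from the intranet are not treated as managed documents")
    return findings


def with_key(profile_bytes, ptype, key, value):
    """Copy of the profile with one key in the first payload of ptype changed."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == ptype:
            payload[key] = value
            break
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("sample profile:", audit_profile(SAMPLE_PROFILE) or "no findings")
    weakened = with_key(SAMPLE_PROFILE, "com.apple.applicationaccess",
                        "allowEraseContentAndSettings", True)
    for finding in audit_profile(weakened):
        print("weakened profile:", finding)
```

Run against a profile exported from an MDM console before deployment; the audit reads only the payloads it knows about, so other payloads in the same profile are ignored rather than flagged.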

6. Always-on VPN remains available in iOS 8, despite rumors that it would go away. Users still won’t need to reconnect manually to their company’s VPN every time they need to access it.

7. Content filtering APIs will enable third-party networking (VPN) developers to create tools that prevent users from accessing inappropriate content, whether they try to reach it through a browser or in an app. This is a somewhat “draconian” measure, but employers have a right to keep employees off online casinos or adult sites during the day on corporate networks. It’s not about productivity alone; it’s also about security.

On a darker note, iOS 8 also generates some extra potential threats. We mentioned them in our earlier post. The first is a single password (passcode) for almost everything. Passwords are a notorious weak spot in any security system.

Then there is a new level of openness for iOS. While developers will welcome the 4,000 new APIs crafted for them, those APIs also widen the attack surface more than ever. Apple, of course, has made a lot of effort to prevent attacks, and it has very rarely allowed anything malicious to slip under the radar into the App Store. Still, the more developers can do, the higher the risk of bad code – bugs, flaws, vulnerabilities, and attacks tailored just for them.

All developers make mistakes, and bad things have happened to iOS before. There may be no way to beat software vulnerabilities for good, but properly configured protective measures and “security-in-mind” features such as the ones listed above allow us to minimize the risks.