Apple unveils iOS 8.0 - security from the ground upwards

News by Steve Gold

iOS 8.0 - 1.1GB large, but with Apple providing lots of security patches and upgrades...

More than seven years after the iPhone Operating System - now known as iOS - was first released, Apple has completed a root and branch upgrade of its mobile OS, taking it to version 8.0. In parallel with this, Apple has quietly fixed more than 40 security vulnerabilities, making it the biggest upgrade for the mobile OS in its history.

Apple's CEO Tim Cook posted a letter to his customers on the company Web site last night, launching a new section focused solely on "Apple's commitment to your privacy," as well as explaining how the new two-factor authentication system for iCloud and other Apple features works.

According to Apple, the list of new and enhanced features includes patches for a series of kernel flaws, multiple WebKit vulnerabilities, and two interesting bugs - that appear not to have been discussed previously - that allow apps to be freely installed from outside the official Apple app store resources.

The most interesting patch/re-code, however, seems to be a system to block a hybrid man-in-the-middle attack on WiFi networks.

As Apple says in its iOS 8.0 details section, "an attacker could have impersonated a WiFi access point, offered to authenticate with LEAP [Cisco's Lightweight Extensible Authentication Protocol], broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default."

According to an analysis of iOS 8.0 by ThreatPost's Dennis Fisher, amongst the other issues fixed is a longstanding problem that caused Bluetooth to be enabled by default whenever iOS was updated.

"Apple also patched an integer overflow flaw in CoreGraphics that could lead to remote code execution. There also is a fix for a vulnerability that enables a malicious app to bypass kernel ASLR, one of the key exploit mitigations in iOS," he says.

1.1 Gigabytes large

That's the good news. The potentially bad news is that the update weighs in at around the 1.1 gigabytes mark, meaning that the upgrade needs to be loaded across a WiFi connection, rather than a 3G/4G link - and unconfirmed reports suggest that the installation process can take around an hour in total.

Seth Rosenblatt, a senior writer with CNET - and a seasoned Apple follower - says that, whilst Apple has updated and patched more than three dozen vulnerabilities, it is not saying how bad these issues are.

He also notes that the most notable fix of the Apple Knowledge Base list - more than 53 vulnerabilities long - "was hidden at the bottom of the list separated from the other vulnerabilities as a 'note' that read, 'iOS 8 contains changes to some diagnostic capabilities'."

The note, says the CNET senior writer in his analysis, links to another new Knowledge Base article, which details changes to the diagnostic tools in iOS 8.0.

"Previously, the tools had allowed people with unauthorised access to iOS's encryption keys to connect wirelessly to the iPhone or iPad and extract sensitive information including text messages and pictures - without having to unlock the device," he says, adding that this backdoor was revealed at the Hope-X conference in July by independent security and forensics expert Jonathan Zdziarski.

According to Lee Wade, CEO of Exponential-e, the cloud security specialist, at first glance, the new features included in iOS 8 may not seem dramatic but they do reflect how Apple is once again preparing to disrupt the world.

"Retaining its position as a great innovator is a strategic imperative for Apple. The introduction of extensions, HomeKit and HealthKit demonstrate how the Internet of Things is starting to mature and the potential it holds for changing how users consume technology on a day-to-day basis," he said.

"Smart devices, ubiquitous networks and rich applications will converge to meet consumers' demands for an embedded, intelligent computing experience," he added.

Wade went on to say that it is important to remember that the update to iOS 8.0 will not be confined to a user's personal life.

The demand for a more connected experience, he explained, will start to infiltrate into the workplace and the cloud will be central to delivering a customised user experience that can be seamlessly transferred from one device to another.

"To be prepared, organisations need to ensure that they can keep cloud networks private and secure behind the firewall so that the most important asset in today's enterprise - its data - is not compromised as we move rapidly towards the Internet of Things," he said.

Important release 

Over at Quocirca, the business and IT research analysis house, Rob Bamforth, the firm's principal analyst for business communications, said that whilst iOS 8.0 is a major release, the improved features and flaws addressed all seem quite small on their own.

"However, when taken as a whole, there are so many that this adds up to an important release - especially with new iPhones addressing the size issue and new iPads coming along," he said.

The updated iOS 8.0, he added, supports a model of simple professionalism, which, whilst it comes with a hefty price tag, continues along the path towards making all these devices into useful and productive workhorses as well as 'shiny' desirable gadgets.
