Apple iOS remains the primary mobile OS for enterprise use. And, for years, experts considered it the most secure mobile OS.
In recent years, however, Android has improved its security with innovations such as Google Play Protect, Project Treble and an emphasis on Android Enterprise improvements. Both iOS and Android are viable from a security perspective, so mobile IT pros should be familiar with the threats facing the devices in their fleet.
Apple device admins should be aware of major iOS enterprise security vulnerabilities, what patches exist for these issues and the overall security of the OS as they manage their mobile fleet.
Navigating iOS vulnerabilities
Apple's recent release of iOS 12.4 highlights ongoing issues with iMessage. Some iMessage exploits crashed iPhones when users received specific strings of characters.
One of the new iOS vulnerabilities prevents iPhone users from responding to iMessages after they receive this character string, even after they reset their devices. This vulnerability requires a factory reset to make the device usable again.
Half of the Common Vulnerabilities and Exposures (CVEs) that Apple patched in iOS 12.4 address arbitrary code execution. Most of these vulnerabilities were discovered by researchers and have not yet been weaponized, but hackers often use CVEs as blueprints to develop exploits for unpatched systems.
One historic benefit of Apple's iOS enterprise security is its superiority at forcing OS updates to endpoints. Recent versions of iOS, however, allow iPhone admins to impose a 90-day wait period before the latest version is permitted on enterprise devices, and malware writers can easily work within this time frame.
Apple is the mobile device market leader in the enterprise, so the data users carry on iOS devices is worth the effort for hackers to develop exploits, even if the exploits only work for a short period of time. Unless an organization has custom apps that require testing with each new OS update, the best practice is to push OS updates to mobile endpoints as soon as possible after release.
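The deferral window described above can be audited from the configuration profile itself. The following is an added example, not code from the article or from Apple: it reads an unsigned XML profile and reports the update deferral set through the Restrictions payload keys `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateDelay`. The sample profile is constructed, and the 7-day policy ceiling and function names are assumptions.

```python
import plistlib

# Constructed sample profile (not from any real deployment): a Restrictions
# payload that defers OS updates for the 90-day maximum.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Constructed example</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>forceDelayedSoftwareUpdates</key><true/>
      <key>enforcedSoftwareUpdateDelay</key><integer>90</integer>
    </dict>
  </array>
</dict></plist>"""

DEFAULT_DELAY_DAYS = 30  # Apple's documented default when the delay key is absent


def update_deferral_days(profile_bytes):
    """Return the longest OS-update deferral (days) a profile enforces, 0 if none."""
    profile = plistlib.loads(profile_bytes)
    longest = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload carries these keys
        if not payload.get("forceDelayedSoftwareUpdates", False):
            continue  # the delay value is ignored unless deferral is switched on
        days = payload.get("enforcedSoftwareUpdateDelay", DEFAULT_DELAY_DAYS)
        longest = max(longest, int(days))
    return longest


def audit(profile_bytes, max_allowed_days=7):
    """Flag a profile whose deferral exceeds a policy ceiling (7 days is an assumption)."""
    days = update_deferral_days(profile_bytes)
    return {"deferral_days": days, "exceeds_policy": days > max_allowed_days}


if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE))
```

Signed profiles are wrapped in a CMS envelope and must be unwrapped before this parser can read them.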
iOS enterprise security vulnerabilities in apps
The application layer on iOS devices is also an area of concern. Most security-conscious organizations have some form of email protection to prevent phishing email messages from reaching the user. The end-to-end encryption in most mobile messaging apps enables hackers to send SMiShing messages or messages through third-party apps to users without passing through any phishing filter. IT may not detect the phishing attempt until the user clicks on the malicious link.
The adoption rates for enterprise mobility management (EMM) tools are still nowhere near as high as those for the equivalent desktop and laptop management tools. The lack of comprehensive management controls for mobile devices can result in hackers siphoning information from unprotected devices.
WhatsApp, a third-party messaging app, has experienced two major vulnerabilities this year. The first vulnerability allowed attackers to install spyware on a device simply by calling it, even if the user didn't answer, and the user wouldn't receive a missed call notification. The second allowed a hacker to change a user's messages and sender identification. The latter vulnerability remains exploitable. There are secure enterprise messaging systems, but many companies allow WhatsApp on mobile devices for cost and convenience reasons.
These threats might make it look like iOS enterprise security is not effective enough, but IT can mitigate the damage such vulnerabilities can do with EMM and mobile threat defense tools. To help mobile admins discover and patch vulnerabilities more quickly, Apple recently announced the Security Research Device Program, coming next year. Apple also increased the payment reward for bug bounties and exploit discoveries, while widening the scope of people who can claim the bounty.