7 enterprise security improvements in iOS 7

7 enterprise security improvements in iOS 7

Summary: iOS 7 is a major step forward in enterprise mobile security. Apple has institutionalized security techniques for which, until now, enterprises had to go to an independent MDM/MAM vendor.

SHARE:

 |  Image 5 of 8

  • iOS 7 patches scores of vulnerabilities in iOS 6

    Every new version of iOS fixes security problems in the previous one, but iOS 7 does more of this than usual. As I wrote about separately, iOS 7 patches 80 vulnerabilities in iOS 6. This alone puts heavy pressure on users and IT to upgrade, as Apple is not going to patch iOS 6.

    Every new iOS device also usually casts some old one into the "unsupported" bin. The iPhone 3GS and iPad (first generation) can't upgrade to iOS 7 and therefore will remain vulnerable.

    Two specific vulnerabilities demonstrate the severity of the situation: CVE-2013-1025 is a buffer overflow in iOS CoreGraphics, allowing an attacker to take control of the process with a malicious PDF, but only in the context of the sandboxed browser. CVE-2013-3953 is a privilege escalation vulnerability which allows a malicious program to break out of the sandbox. Combined, CVE-2013-1025 and CVE-2013-3953 can lead to full control just by viewing a web site. This, incidentally is exactly what the famous JailbreakMe did: combining code execution and privilege escalation vulnerabilities to create a complete compromise via simple web browsing.

    Yes, both the CVE-2013-1025 and CVE-2013-3953 are now patched patched, but it shows that these things happen on iOS. 

  • Managed Open-In

    When a user clicks "Share" to specify an app in which a document should open, he creates many potential software problems: Open in makes a copy of the document and the application may not be considered secure.

    In iOS 7, through the MDM interfaces, IT can specify which apps are allowed to handle specific content types, potentially limiting that access to managed apps. They call this "Managed Open-In."

  • Per-app VPNs

    System-wide VPNs on mobiles are considered undesirable, partly as a security measure and partly because the company doesn't necessarily want to run all a user's personal traffic through their VPN.

    For some time, MDM vendors have been allowing IT to specify per-app VPNs: each instance of each managed app gets its own VPN tunnel. Now iOS 7 allows these per-app VPNs through the MDM interfaces.

    The VPN is managed entirely by IT. When the app is launched it opens up a VPN tunnel and when it terminates it closes that tunnel. The user launches and uses the app as they normally would, and should see no difference from it running through the VPN.

    At the company end, the VPN could be any of dozens of VPN products from F5, Cisco, Juniper or anyone else, but the VPN products may need to be updated to support this feature.

    Image: Wikimedia Commons

  • Thumbnail 1
  • Thumbnail 2
  • Thumbnail 3
  • Thumbnail 4
  • Thumbnail 5
  • Thumbnail 6
  • Thumbnail 7
  • Thumbnail 8

Topics: Security, Apple, iPhone, iPad, Mobile OS, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

Talkback

41 comments
Log in or register to join the discussion
  • And One Enterprise Security Failure in iOS 7

    iOS 7 and 7.0.2 have broken our prior ability to open attachments contained within S/MIME encrypted messages.

    http://snnyc.com/2013/09/ios7-smime-fail/
    Snnyc
    • was this reported in beta?

      With so many enterprises testing it and so many of them using Outlook you'd think a bug like this would stand out
      larry@...
    • Do you have any other links?

      I checked yours and the links in the tweet gadget to the right - all of those links go back to your page. Or could you possibly post a screenshot?
      athynz
      • a screen shot of the pulsating attachment?

        It's in the post. Here's the direct image URL: http://snnyc.com/wp-content/uploads/2013/09/pulsating.gif
        larry@...
        • Exactly!

          I personally do not use S/MIME encrypted messages so I can't say for sure if this is an actual error or not. A pulsating GIF on a website that the OP runs - at least that is my assumption based on his pseudonym's similarity to the website - does not constitute proof that this exists. I would think if this was an actual issue there would be a lot more press on it. That's why I was asking if he had any more proof such as a screenshot for the iOS device.
          athynz
          • Followup...

            Athynz - A healthy skepticism is appropriate on the Internet, but this S/MIME attachment handling issue in iOS 7 - 7.0.2 is a real problem. If there were anyone at Apple or a high-profile customer who needed proof, I could certainly demonstrate it via a WebEx session using Reflector to mirror an iPad's live screen, or just send them a device configured with test e-mail accounts and certificates.
            Snnyc
  • Improvements? Yes. or not....

    Work announced we can now have the 5S.
    Installed work apps and certs.
    - restricted iCloud (no change from 5)
    - restricted Siri (no change from 5)
    - turn off fingerprint use on Lockscreen (can use for other things)
    - some exchange features having issues (some graphics and attachments)
    rhonin
    • Biometrics

      Fingerprint device login was shut off. It fails corporate security requirements regarding biometric login. Seeing as this is predominately hardware, is it an iOS7 improvement.
      rhonin
  • "Find My iPhone, now with remote lock"

    Windows Phone had this long before Apple. Who is follwiong who?
    pfdsotm
    • I do mention that...

      ... in the article I link to on that page: http://www.zdnet.com/apple-google-microsoft-make-progress-against-phone-theft-7000021171/
      larry@...
    • Couple of features

      doesn't mean anyone is following. Why does someone always feel the need to keep track of these things? Who cares?!
      new gawker
      • Enterprises

        That is who cares. Or maybe, if your company hasn't been thinking about what a lost cell phone can cost the company, it won't matter to you. We offer employees $35/month to use their own cell phones instead of enterprise phones. Very few takers. They don't want their phone wiped if they misplace it (really should not be a big deal if people back up theuir phones). And they don't want their phones locked by policy. people are way to lazy about corporate security even with a lost laptop garnering over $1.25 million in fines these days (HIPAA for a large government organization).
        hforman@...
    • Questionable isn't it.

      It's not the first biometric device either, by a long shot.

      Also MDM is painful if the device isn't work-only. Other platforms have adopted a separate scope for work and personal, or are looking to app launchers or apps like Sencha space for mobile app containers.
      dawesi
  • Apple really should continue patching iOS 6

    iOS 6 is slightly older than a year and support is already being discontinued?
    ye
    • Loyalty

      Just goes to show you how much Apple really cares about it's consumers. I'm sure there's a few million 3S owners out there that are perfectly happy with their phone. Now they're being kicked to the curb............
      svfiat
      • ????

        One does not have to upgrade either their phone or their OS and apps. It's not like Apple is holding a gun to anyone's head. I'm still running iOS 6 on my 4S and it works fine. What exactly is your issue?
        athynz
        • Not Quite Right

          Already starting to see app updates that contain bug fixes and new features. iOS7 is required.
          rhonin
          • security is the other issue

            There are 80 unpatched vulnerabilities in 6.
            larry@...
        • The issue is there are known vulnerabilities.

          And the only way to patch them is to upgrade to iOS 7. Something I am unable to do as I have business applications which do not work on iOS 7.
          ye
        • Security

          Most of the iPhone users I know have extremely confidential email and contacts on their phones. This is a discussion of "enterprise" issues and not who will care about a photo of my GF.
          hforman@...