SecureState Blog


Apple announced major changes to its iOS software at WWDC. What are the impacts on user security and privacy?


Apple kicked off its Worldwide Developers Conference (WWDC) on June 2nd with a few big surprises that have the security world buzzing. With over 800 million Apple iOS devices in the world, these announcements will have a large impact on users’ security and privacy now and well into the future.


#1 – Apple’s new programming language, Swift

The first is the official release of Apple’s new programming language, called Swift, for writing iOS and OS X applications. The new language is poised to replace Objective-C as the main language for Apple’s iOS platforms. Swift uses the same LLVM compiler and runtime as the Objective-C implementation, allowing code in the two languages to live side by side in the same application. It also provides access to all Cocoa and Cocoa Touch features that developers are already familiar with from using Objective-C. Overall, the language was meant to “…unify the procedural and object-oriented portions of the language,” according to Apple.

Developers can expect significant speed advantages. According to Apple, Swift will run 3.9x faster than Python. Apple also updated Xcode, so the debugging console now supports Swift syntax natively. While this new language is projected to be similar to previously used languages, Apple has announced that with Swift they are eliminating “entire categories of common programming errors”. This could be good news on the app security front. However, creating secure code should still be a concern for all developers. Since this is a shiny new language, time will tell if Swift actually helps developers code more securely. No matter what the programming language, developers will always need education on secure coding practices.


#2 – Touch ID API

Another big announcement dropped during WWDC was the full integration of Apple’s Touch ID for third-party apps. Beginning on June 2nd, Touch ID will be available to everyone in Beta mode as a side feature of iOS 8.

Although most people have used Touch ID for unlocking their iOS devices, users will now be able to log in to apps more quickly. Applications that require additional security features, such as banking, email, etc., can now use Touch ID as an added layer of security in the authentication process.

Apple’s senior Vice President of Software, Craig Federighi, firmly insisted that your fingerprint data will be stored only party developers. The security features and how Touch ID works have also been known for some time now, so it seems users are comfortable using Touch ID.

However, time will tell if third-party developers will jump on this API. My feeling is that as long as the API is easy to use, developers will start integrating this into their apps for users of iPhone 5s and future Apple devices. Keep in mind, many Apple customers are still on the legacy iPhone 4 and other older devices, which do not support Touch ID. This means that passwords are here to stay for quite some time, but it’s good to see Apple promoting the use of other authentication mechanisms beyond passwords.


#3 – iOS 8

Apple announced 4,000 new APIs for developers with the release of iOS 8 (the Touch ID API being one of these). The bigger news out of this is that iOS 8 significantly changes the app security model within iOS. Specifically, apps will now have the ability to communicate and pull data from one app into another. Because of Apple’s new home automation (i.e., the Internet of Things) HomeKit APIs and the integration with health information through the new “Health App” and HealthKit APIs, things are going to get very interesting if security vulnerabilities are found in the design and implementation of cross-app communication.

From a privacy perspective, iOS 8 is also adding “self-destructing” messages to iMessage. This is very similar functionality to what apps like Snapchat have provided. It’s unknown how this feature works, but messages (read: photos and video) will be auto-deleted from the sender’s and receiver’s phones after a set period of time. From a privacy perspective this looks like a positive development; however, it could also be a parent’s worst nightmare if there are no options to restrict this feature in iOS. Having said that, there was an announcement about iOS 8’s “Family Sharing” feature. Family Sharing will allow access to all photos, calendars and reminders of family members that have the same credit card linked to their Apple ID. Family Sharing also adds more restrictions and control for parents to limit unauthorized app store purchases. You can now more easily prevent your kids from buying hundreds of dollars’ worth of virtual “gold”.


#4 – Health App and HealthKit APIs

With the announcement of apps that can now talk to each other, Apple demonstrated how the new health tracking app (called Health, which will work with tracking devices like Nike+) will be able to talk to third-party apps (like your health care provider’s app), all within iOS. Depending on how this data access is implemented, this new feature could be a cause for concern, as it’s a major change in the current security architecture of iOS. Currently, apps are protected from each other and are not allowed to access or change data from other apps. In Apple’s press release they mention that “With your permission, each app can use specific information from other apps to provide a more comprehensive way to manage your health and fitness”. It should be interesting to see how Apple has changed its permissions system and if it can be broken. Let’s not forget about the privacy implications of your healthcare data and how this is managed by iOS as well.


#5 – HomeKit API

Lastly, the HomeKit API is Apple’s entrance into the home automation market, which will allow iOS to talk to home automation systems and appliances like your air conditioning system and your toaster. I was personally intrigued by this screenshot from the announcement showing a Kwikset door lock and an iPhone.


While there are apps that can do this already with locks (like the Kevo) via Bluetooth, this is the first time a mobile device natively supports these new ways of physical access and home automation. The security implications are almost endless. It should be a great year for security research on iOS and home automation alone!

To sum things up, it appears Apple is on the move to take away market share from Android, but keep in mind that you have to be bought into Apple’s ecosystem to take full advantage of these new features. Regardless, fasten your seatbelts. It’s going to be one heck of a security and privacy ride this year, and Apple is driving!