Securing Apple iOS8

Apple's new version of its mobile operating system - iOS8 - has more than 4000 applications programming interface (API) calls, making it the most open version of the iPhone and iPad operating system (OS) seen to date.

From a software and app developer stance, this is a perfect storm for multi-threading and layered programs.

As Apple puts it: "iOS 8 allows developers to further customise the user experience with major extensibility features like notification centre widgets and third-party keyboards."

The most fundamental change is the ability for apps to communicate with each other - even to the extent of making third-party app IP/networking calls . But as seasoned IT security professionals will immediately realise, this limits any sandboxing or similar approaches to secure execution environments.

The most interesting aspect of iOS8 from a coding perspective is a new programming language called Swift, which has been designed, says Apple, to sweep away entire classes of unsafe code.

"Variables are always initialised before use, arrays and integers are checked for overflow, and memory is managed automatically," says technology reporter Adrian Kingsley-Hughes in his analysis of the new programming language.

Michael Sutton, vice president of security research with Zscaler said the coding revolution within iOS8 creates a fundamentally different approach to security than Android.

"Android is attempting to be as open as possible, allowing apps not only from Google Play, but also third party app stores. Apple on the other hand maintains its 'walled garden' allowing apps to be installed only from the iTunes app store and even then, unapologetically rejects apps for a variety of reasons,” he said.

“While this decision may not have been driven solely by security, it has led to malicious apps rarely making their way to iOS devices via official channels, while Android is home to the vast majority of malware," he added.

The good news, he went on to say, is that Apple has changed the security architecture with iOS by compartmentalising apps and limiting their reach within the operating system.

"This approach has been made to better secure the OS by limiting the reach of an app (within the OS) and by extension eliminates traditional security tools such as anti-virus, which require broad access to the OS," he explained.

Opening up the platform

Tim Keanini, CTO of Lancope, meanwhile, said the new openness of iOS8 - through well documented and defined API calls - is the right way to 'open' up the platform, because it keeps the OS organisationally closed but informationally open.

"This is a very good design pattern. However, all of this new functionality will be put through its paces, like it or not, as security researchers, cybercriminals, and everyone else under the sun tries to subvert its integrity and security," he said.

"The best thing for Apple to do in my opinion is to get aggressive on bug bounties and to establish an extreme readiness for security related events.

"The resiliency of iOS8 in this hostile environment we call the internet is dependent on its co-evolution with the threat landscape. Apple has an opportunity here to show us how it does security well and I hope they step up their game because the cybercriminals are out-innovating everyone on a daily basis," he added.