Increased developer access to iOS 8 could result in decreased security, a mobile security expert warns.
Apple's iPhone 6 / iOS 8 announcement, expected later on Tuesday, is likely to add a number of new features to iOS 8 for developers. This will involve opening up more of the underlying architecture – increasing the risk of a security breach and eroding one of the key differentiators between iOS and Android, according to Andersen Cheng, chief exec of mobile startup SRD Wireless.
App designers are likely to get more options to increase accountability and authenticity, but for iOS users this could mean that, without care, the environment may become less secure. Whether by paying more attention to encryption or simply to what they record and store, users will need to be aware that Apple’s walled garden now has additional gates in it, according to Cheng.
"Apple has made a simple trade-off," Cheng explained. "Increasing access to the inner workings of iOS can allow developers to create better, and maybe even more secure, apps. Yet any potential vulnerabilities in these workings could be more easily identified and exploited."
Apple is effectively adding extra pathways into its walled garden and those risk eroding the security of the mobile operating system, according to the mobile security expert.
"One reason iOS is more secure than Android has been Apple’s Walled Garden approach – quite simply, the less access developers have to the inner workings of the technology, the less opportunity there is for potential attackers to discover vulnerabilities. Now, if there is even the smallest possible security flaw in camera controls, Touch ID or other newly available functionality, you can guarantee that someone will eventually find it," he added.
Consumers would be well advised to pay closer attention to privacy settings and consider the use of third-party tools following the upcoming iOS 8 upgrade, Cheng concluded.
"Opening up access to its inner workings should help Apple gain market share. However, with the best will in the world, companies such as Apple and Google cannot account for every potential combination of technology exploit and human engineering that could leave users wide open. Consumers need to take extra care to keep their private information just that."
“For instance,” Cheng continued, “wherever possible they should use methods of communication that guarantee levels of encryption and authentication over and above the operating system’s – meaning potential attackers have more obstacles in their way. Similarly, they should be wary of their passwords, how they are created and how they record them. Users must keep close control over what they do on their phones, and pay attention to just how and what they record and share.”
SRD Wireless is developing encryption and authentication products such as PQChat, a secure instant messaging platform, so it has a vested interest in talking up the underlying insecurity of the platforms it wants to sell security add-ons for. This doesn't mean its warning is misplaced – only that we ought to bear in mind that it stands to benefit from warnings that platforms may be more insecure than previously thought. ®