Three iOS 8 Security Issues You Need To Know
In the era of smartphones, keeping data private is crucial, especially considering all of the sensitive information we store and access on our mobile devices. In a world where the BYOD trend is spreading at a tremendous pace and more and more enterprises are letting their confidential data be stored on employees’ smartphones, privacy remains at the forefront of user concerns. As part of our efforts to secure enterprise data on private smartphones, we conducted comprehensive research into new iOS 8 security issues that may compromise users’ privacy and, as a collateral effect, enterprise data protection.
We recommend that you review the features we analyze in this post and disable those you do not plan to use in your everyday life.
Issue 1: Siri Can Be Accessed By Others without Authentication
One of the coolest features in the new iOS 8 is the ability to use Siri without touching the device by simply saying “Hey Siri”. Unfortunately, it also poses a serious privacy risk. This feature allows anyone to activate Siri on a nearby device by calling “Hey Siri” plus the required command. This means that even if the iPhone is locked with a passcode, an amenable personal assistant named “Siri” will fulfill your wish. Admittedly, some of the commands require a passcode, and the “Hey Siri” feature is only operational when the device is connected to power, but there are still a lot of dangerous actions that can easily be executed without identifying the user, without touching the device and while the real owner of the device has just left the room for a second. Here are a few examples of such actions:
- Texting. Just say “Hey Siri, send message to…” and Siri will willingly send a text message on behalf of the user.
- Outgoing calls. “Hey Siri, call John” is all you need to say to call any person in the user’s contact list. More than that, you can reveal the contents of the victim’s contact list by simply trying different names (brute force attack).
- One of the most painful pranks – publishing a post on Facebook (“Hey Siri, post on Facebook”).
- Another prank, funny or not so much – setting an alarm to go off at night. Just say “Hey Siri, set an alarm for 3 AM”.
- And the most serious privacy breach is the ability to get access to different details of your contacts – “Hey Siri, what is John’s email?”, “Hey Siri, what is John’s phone number?”, “Hey Siri, what is John’s address?”
If we consider the risk of a more professional hacker attack, we must take into account that it’s quite easy to build a simple automation tool which uses voice commands to extract all the accessible information from a device left connected to a charger, even if only for a minute.
So what can you do to avoid this privacy risk? Go to Settings->General->Siri->Allow Hey Siri and disable this feature. If, despite all the risks, you insist on using this feature in your everyday life, then you have to be well aware of the risk of leaving your device connected to power in a non-friendly environment.
Issue 2: Your Deleted Photos Aren’t Deleted Permanently
From now on, when you delete a photo in your Photos application, it is not immediately deleted, but rather moved to a sort of recycle bin: the “Recently Deleted” photo album, which holds on to the deleted photos for up to 30 days. While this is very useful for accidental deletions, any sensitive photos you truly want permanently deleted without any chance of recovery are going to stick around unless you delete them from the “Recently Deleted” photo album.
So to double-delete any sensitive photos you need to go to Photos App -> Albums -> Recently Deleted -> Select -> Tap the photo -> Delete -> Delete Photo.
Issue 3: Stored Cookies, Credit Card Information and Advertisers
Safari, the default iPhone browser, stores a lot of sensitive information about the sites you have visited and the passwords and credit cards you have provided on websites. You can do a lot to significantly improve your privacy when using Safari. Go to Settings -> Safari:
- Do Not Track: prevent advertisers from tracking your every move on websites. The advertising industry is a huge spying machine that stores tons of sensitive information about millions of users. The NSA isn’t the only threat to your privacy.
- Block Cookies: stops websites from storing your identity and preferences. Some sites won’t work unless cookies are allowed, but if you want more private browsing, keep this setting on “Always Block”.
- Fraudulent Website Warning: Safari will give you a warning whenever you try to open a website that is suspected of phishing. By default, this option is enabled. Do not disable it unless you know very well what you are doing.
- Clear History and Website Data – a very handy way to clean any traces of your browsing history.
Now that you know the three iOS 8 Security Issues, you can decide what action you may want to take. Take care, until next time!