Apple Finally Secures OTA Software Update Process with HTTPS in iOS 10
Apple released iOS 10 to the public today. The latest version of Apple's mobile operating system brings a number of new features, enhancements and improvements. We have already talked about many of those features since Apple introduced iOS 10 at its WWDC event. What we are only now learning about are the security fixes in iOS 10. Like every update that comes to iOS devices, today's update also brings a slew of security fixes and updates.
iOS 10 security bulletin
One of the major security issues that today's update has fixed is an issue with the iOS update process. Apparently, before today an attacker "in a privileged network position" was able to block a device from receiving software updates. Apple has explained that, due to this issue in the iOS update process, user communications weren't properly secured. The issue has now been resolved by using HTTPS for software updates. At WWDC, Apple had revealed the deadline for all apps to switch to App Transport Security (ATS). ATS forces apps to connect to web services over an HTTPS connection rather than HTTP, keeping user data secure.
Apparently the company has now finally extended secure connectivity to the OTA update process too. The issue is tracked as CVE-2016-4741, but Apple doesn't say why the updates before iOS 10 weren't downloaded using the secure HTTPS channel. Whether this affects the install process using iTunes or not, we don't know. But it is unlikely that an iOS security error affected the update process in iTunes.
iOS 10 also fixes security issues in Mail, Keyboard and Messages
Another serious problem appears to be with the iOS keyboard, which was "inadvertently caching sensitive information." In the security bulletin, Apple mentions that "Keyboard auto correct suggestions may reveal sensitive information." iOS 10 has fixed the issue.
Today's update also fixed an issue where messages were visible on a device that was not signed into Messages, when using Handoff. Coming to Mail, the update fixes a security vulnerability in iOS through which an attacker could have intercepted mail credentials.
Finally, Apple also resolved an issue that was allowing malicious applications to determine the recipients of a text message. You can read today's security bulletin here.
- Tip, Jesse Viviano