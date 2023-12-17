#Worrying #security #gap #Apple #affecting #iPhone #users

By: Lennart Schwenck

iOS security risk: The Shortcuts app risks uncontrolled data sharing. Companies and iPhone users should take protective measures for now.

Munich – Research by the Fraunhofer Institute has revealed a significant security risk for iOS devices that affects Apple’s touted Mobile Device Management (MDM) restrictions. This became public at the beginning of October. At the end of November, the Fraunhofer Institute stepped up its game again after it became clear that the problems were more far-reaching.

MDM restrictions are intended to ensure that the flow of data between managed and unmanaged apps is strictly controlled to ensure the separation of personal and business data.

Serious security vulnerability discovered at Apple – danger to company data

However, it has been discovered that these protections can be easily bypassed by using the Shortcuts shortcut app that comes pre-installed on iOS devices, including all iPhones. Mobile device management restrictions, including managed pasteboard, are intended to prevent uncontrolled data sharing between different app categories.

However, the Shortcuts app, which has been integrated since iOS 13 (September 19, 2019) and allows task automation, has been identified as a vulnerability because it can bypass these restrictions. Apple apps that work with a managed clipboard since iOs 15 in 2021 include: Calendar, Files, Mail, and Notes.

Unless an appropriate solution is in place, there is a risk that company data will inadvertently leak into unmanaged apps via manually used or automated shortcuts, which could lead to uncontrolled data flow.

Was ist Mobile Device Management (MDM)

Mobile device management, or Mobile Device Management (MDM), is a solution that allows companies to easily and securely provision devices, distribute apps, configure settings, and ensure device security. Especially in collaboration with Apple. MDM allows configuration of apps, accounts and data across different devices and includes features such as password policies. If devices are lost, IT teams can securely wipe the devices remotely so that they can no longer interfere with the company’s network.

MDM solutions come in different flavors, including cloud-based and on-premise options, from different providers, with different features and prices. Other terms such as Enterprise Mobility Management (EMM) or Unified Endpoint Management (UEM) are sometimes used interchangeably as they all aim to effectively manage devices and company data.

Security risk on iOS devices: Shortcuts app bypassing MDM restrictions threatens companies

Practical experience shows that the Shortcuts app is able to read the clipboard and reset the content without any information about the original app. This allows data from managed apps to be inserted into unmanaged apps without MDM restrictions being able to interfere.

What’s also concerning is that the Shortcuts app appears to have access to data from managed apps, even if it’s not configured as a managed app. Despite reporting to the Apple “Vulnerability Disclosure” service – Apple’s service for reporting security or data protection vulnerabilities – the security risk has not yet been remedied, according to Fraunhofer (as of November 30, 2023). A solution in the form of a new security update from the company is still pending.

Apple users will be able to breathe a sigh of relief again by June 2024 at the latest. Because Apple will, reports from macwelt.de According to this, iOS 18 will be officially presented with the most important innovations for the first time at its in-house developer conference WWDC at the beginning of June 2024. The recently released security update iOs 17.2, dated November 30, 2023, only closed another security hole. This will not be the only innovation for Apple users in the coming year 2024.

iPhones, iPads and Mac computers have also been receiving updates between major updates since May 2023: Apple calls this rapid security measures. © Zacharie Scheurer/dpa-tmn

Security gap at Apple: This is how iOs users and companies can protect themselves

As a temporary measure, the only thing that helps companies is to uninstall the Shortcuts app from devices, including the latest iPhone 15, and block its installation via the MDM blacklist. However, it turns out that some MDM solutions, including VMware Workspace ONE UEM (AirWatch), cannot reliably prevent the installation of the Shortcuts app.

Companies are urged to take temporary protective measures to secure their data until an effective solution to this vulnerability is found. (ls)