Now that Apple is becoming a more mainstream IT player rather than just a consumer electronics vendor, hackers are starting to take more notice. Appthority, an application risk analysis and mitigation firm has announced Quicksand, an iOS vulnerability that allows malicious apps or anyone who can get physical access to an iOS device to steal credentials and then exfiltrate corporate data.
As a “good guy”, they worked with Apple to develop a patch which Apple has released with iOS 8.4.1 . Anyone who is running a version of iOS older than that is vulnerable.
Unfortunately, it is estimated that, especially in the corporate environment, 70% of the users are running old, outdated versions of iOS.
In addition, many companies, especially smaller ones, do not have any corporate mobile device management solution deployed. As a result, these companies not only do not have a way to push critical patches such as this to their mobile users, but often they do not even know how many devices are out there accessing corporate resources , never mind knowing what operating system, application software or version those the devices are running.
As companies become more dependent on mobile devices (mostly phones and tablets), they need to deploy the tools that can manage those devices.
Alternatively, they can fly blind. An analogy would be driving your car on the highway, blindfolded. Generally, that does not produce good outcomes. Based on the number of breaches we are seeing, neither do current corporate mobile device management practices produce good results.
For a while it looked like Apple was immune to the issues that we were seeing in the PC world. My opinion was that as long as Apple was a bit player, the hackers chose to ignore them. Now Apple is in the hacker’s crosshairs – just like Microsoft, Google and every other large software developer.
And users and businesses need to adjust to the new reality.
Information for this post came from PRNewsWire. PRNewsWire, in an interesting twist of fate, was in the news last week as a hackee instead of a reporter.