Although Apple announced “iOS 10 is our biggest release yet”, stuffed full of new features, there are not a lot of significant security enhancements to be found (see Apple’s security content of iOS 10). We partially addressed this topic in last week’s blog when Shahar Areli explained that Apple has taken some positive steps forward, and has responded very quickly to recent vulnerabilities (Pangu’s Jailbreak and Pegasus Spyware), but is not doing everything we would like to see to address the major threat vectors. Yet, there is one item to cheer about in iOS 10.
One security improvement that has been long overdue was finally addressed as CVE-2016-4747, a network vulnerability that has affected users since the first ActiveSync implementation on iOS. This issue allowed any network to easily obtain users’ credentials through SSL decryption, simply by asking a user to click “Continue” in a dialog box. There was another option in this dialog – “Cancel” – which is a far better option, but most people didn’t really understand the implications of this choice and simply wanted to get to the desired Internet destination. Skycure research indicates that 92% of users click “Continue”.
The dialog says “Cannot Verify Server Identity”, which means that the certificate presented is not the proper certificate for the requested site, a condition commonly found in Captive Portals. By clicking “Continue”, you are in effect saying that, although the intended security is not in place, you want to make this connection anyway. Instantly, your Exchange credentials are compromised, and any communication over this connection is exposed. Skycure has been warning users from the beginning that they should NOT click Continue.
Of course, we went further than just a verbal recommendation of safe network behavior with the Skycure app, which will instantly warn the user of the suspicious network. For our enterprise customers, the app will automatically activate Selective Resource Protection and Secure Connection Protection to ensure credentials, communications and critical corporate resources remain protected.
Now that Apple has addressed this serious problem, users who upgrade to iOS 10 will have one less decision to make, as iOS 10 now makes that decision for them by terminating untrusted connections. We applaud Apple for finally addressing this insidious security hole.
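The fail-closed behavior described above, as an added example (not Apple's or Skycure's code): a Python client that sends credentials only after certificate verification succeeds and otherwise terminates the connection, with no override path. The local listener, host name and credentials are constructed for the demonstration; the listener answers in plaintext to stand in for an untrusted network endpoint, and a mismatched certificate fails through the same exception path.

```python
import socket
import ssl
import threading

def send_credentials(host, port, server_name, credentials, timeout=3.0):
    """Return True only if credentials went out over a verified TLS session."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake; a verification failure
            # raises before any application data is written.
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                tls.sendall(credentials)
                return True
    except OSError:  # includes ssl.SSLError and ssl.SSLCertVerificationError
        return False  # fail closed: there is no "Continue" branch

def start_fake_portal():
    # Constructed stand-in for an untrusted endpoint: replies to the TLS
    # ClientHello with plaintext and records every byte it receives.
    seen = bytearray()
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                seen.extend(conn.recv(4096))           # the ClientHello
                conn.sendall(b"HTTP/1.1 302 Found\r\n\r\n")
                while chunk := conn.recv(4096):        # anything sent afterwards
                    seen.extend(chunk)
            except OSError:
                pass
        srv.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, seen, thread

def demo():
    """Return (credentials_sent, credentials_seen_by_listener)."""
    port, seen, thread = start_fake_portal()
    secret = b"user@example.com:constructed-password"  # constructed sample
    sent = send_credentials("127.0.0.1", port, "mail.example.com", secret)
    thread.join(timeout=5)
    return sent, secret in bytes(seen)

if __name__ == "__main__":
    print(demo())
```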
As for Skycure, we will continue to proactively protect mobile devices from the remaining thousands of known and unknown risks and exploits.