One year to the day after iOS 11 appeared, Apple yesterday released its replacement, iOS 12.
There’s always a lot of fuss about new features, which tends to obscure the fact that iOS updates these days also come loaded with useful security upgrades and patches for software vulnerabilities.
Naked Security covered the expected iOS 12 security enhancements in August, but a quick reminder shouldn’t go amiss given that some need to be turned on by owners.
Settings you need to turn on
One of the first questions iOS 12 asks during initialisation is whether owners would like to turn on automatic iOS updating. Updating happens anyway with each major update, but without automatic updating it’s still possible to miss fixes for security issues that pop up between versions.
An interesting recent example of this is the 11.4.1 update Apple offered in July to turn on USB restricted mode in response to techniques believed to be used by GrayShift and Cellebrite to bypass the iOS lock screen – it’s turned on by default in iOS 12 but users who enabled automatic updating could have had it two months ago.
Our advice is to turn this on! You can do this manually by going to Settings > General > Software Update while USB Restricted Mode is enabled via Settings > Touch ID & Passcode (Face ID & Passcode on the iPhone X) > and make sure the USB Accessories toggle is off. This will require the device to be unlocked before connecting USB devices in future, which some might find inconvenient – see Apple’s explanation of the feature for background.
Another welcome edition: Users of third-party password managers can now take advantage of the autofill feature without having to resort to tedious cut and paste or Share Sheets. LastPass, iPassword, Dashlane and Keeper have issued updates to reflect the new API that makes this possible.
This must be enabled manually via Settings > Passwords & Accounts and activating Autofill Passwords. Authentication using Face or Touch ID is still required.
On by default
iOS 12’s password manager now comes with an audit feature that warns users when the same password has been re-used across websites. This setting counters password stuffing, complete with the ability to generate a strong password to be stored in iCloud Keychain (rival password managers can do the same job).
As promised at a presentation in June to loud cheers, iOS 12’s Safari’s browser boosts its Intelligent Tracking Prevention (ITP) to limit the way big internet companies (code for Facebook?) collect data on browsing behaviour using cross-site tracking.
Security fixes
The most topical iOS 12 fix is the Safari and Microsoft Edge browser address bar spoofing flaw Naked Security covered last week (see also our video explaining the issue of URL spoofing), referenced as CVE-2018-4307 (CVE-2018-8383 on Edge).
The full CVE list is on Apple’s website, but other notables include:
CVE-2018-4363: A kernel-level flaw that might allow an application to read restricted memory.
CVE-2016-1777: Apple has removed support for the RC4 cryptographic stream cipher after a researcher discovered weaknesses.
CVE-2018-4313: discovered by a large group of researchers, this one’s an application snapshot weakness in Messages through which “a local user may be able to discover a user’s deleted messages.”
CVE-2018-4338: a Wi-Fi weakness that could allow a malware app to read restricted memory.