
iOS 18 Preview: Top Security and Privacy Updates

Posted by Tyler Murphy, Application Security Analyst

Tyler Murphy is an application security analyst for NowSecure.

At the recent Apple Worldwide Developer Conference (WWDC), Apple unveiled a slew of groundbreaking features. Among the most anticipated is the iOS 18 mobile operating system set to arrive in September. 

iOS 18 introduces a host of robust mobile application security and privacy features, including automatic passkey upgrades, app-specific locks and enhanced contact access controls. But the real game-changer is its integration of Apple Intelligence — Apple’s unique blend of Artificial Intelligence (AI) and other advanced technologies — which is “so much more” than traditional AI, according to Apple’s CEO, Tim Cook.

Let’s dive into iOS 18 security enhancements and privacy features and explore how Apple Intelligence will be incorporated into the user experience.


iOS 18 Privacy Settings

Our first stop as we swim through the pool of iOS 18 security features and privacy updates is the new registration API for transitioning users from phishable passwords to more secure passkeys. Passkeys use public-key cryptography to provide a more secure and convenient sign-in experience: users no longer have to enter a username and password and then wait for a multi-factor authentication (MFA) code to enter as well.

Passkeys enable the user to complete login with only one tap, all while receiving a higher level of security than the traditional cumbersome method. It’s easy for mobile app developers to add this API to their code. Here’s an example code block for developers to currently ‘upsell’ passkeys during login:

Image Credit: Apple

And here’s all it takes to include an automatic passkey upgrade:

Image Credit: Apple

With iOS 18, for the same amount of code, developers can now give users the option to automatically upgrade their accounts from phishable passwords to private passkeys. After a passkey has been created, it is securely stored within the password manager. This is a significant step for user adoption of security features as the industry moves towards more secure authentication methods.
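The passkey upgrade described above, written out as an added example (it is not code from the NowSecure post or from Apple's sample). It assumes a relying-party identifier of "example.com", which must match the app's associated domain, and a caller-supplied closure that posts the new credential to the app's own server; the server side is left to the caller because the client must never decide on its own that registration succeeded.

```swift
import AuthenticationServices
import UIKit

// Added example, not code from the NowSecure post or from Apple's sample. Assumes a
// relying-party identifier of "example.com" and a caller-supplied closure that sends
// the new credential to the app's own server for verification.
struct PasskeyRegistrationParams {
    let challenge: Data    // issued by the server, random and single-use
    let userName: String   // what the user will see in the credential manager
    let userID: Data       // opaque, stable account identifier (not the e-mail address)
}

final class PasskeyUpgrader: NSObject,
                             ASAuthorizationControllerDelegate,
                             ASAuthorizationControllerPresentationContextProviding {
    typealias Registration = (credentialID: Data, attestationObject: Data?, clientDataJSON: Data)

    private let relyingPartyID = "example.com"   // assumption for this example
    private let anchor: ASPresentationAnchor
    private let submitToServer: (Registration) -> Void
    private var controller: ASAuthorizationController?

    init(anchor: ASPresentationAnchor, submitToServer: @escaping (Registration) -> Void) {
        self.anchor = anchor
        self.submitToServer = submitToServer
    }

    /// Call right after a successful password (plus MFA) sign-in. With the iOS 18
    /// `.conditional` request style the system creates a passkey only when the user's
    /// credential manager judges the moment appropriate (for example, the password was
    /// just autofilled); otherwise the request fails quietly and no prompt is shown,
    /// so calling this on every sign-in is safe.
    func attemptAutomaticUpgrade(with params: PasskeyRegistrationParams) {
        let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
            relyingPartyIdentifier: relyingPartyID)
        let request = provider.createCredentialRegistrationRequest(
            challenge: params.challenge,
            name: params.userName,
            userID: params.userID,
            requestStyle: .conditional)   // the automatic-upgrade style (iOS 18)

        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
        self.controller = controller
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let credential = authorization.credential
                as? ASAuthorizationPlatformPublicKeyCredentialRegistration else { return }
        // The server must check clientDataJSON against the challenge it issued and parse
        // the attestation object before it stores the public key for this account.
        submitToServer((credential.credentialID,
                        credential.rawAttestationObject,
                        credential.rawClientDataJSON))
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithError error: Error) {
        // A declined conditional request is the expected outcome on most sign-ins:
        // show nothing and let the user continue with the password this time.
        // Log other failures without the request payload.
        print("passkey upgrade not performed: \(error.localizedDescription)")
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
        anchor
    }
}
```

The challenge comes from the server and is consumed once; if the app generated it locally, a replayed registration could not be told apart from a fresh one. The closure pattern keeps the server call out of the example so it can be wired to whatever backend the app already uses for password sign-in.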

iOS 18 Contacts Permission Improvements

In previous versions of iOS, when an application asked for permission to access the contacts stored on a device, it was all or nothing. Users could only grant access to the entire contact list or to none of it. iOS 18 gives users the option to choose which contacts to share with an application. First, the user is prompted to select whether to block or allow access. If they choose to allow access, they then receive the option to allow full access or only selected contacts.

New Contact Access flow

Image Credit: Apple

Developers will be happy to know that this new flow will be presented automatically when their app requests contacts access and will not require integration of a new API. There are, however, two other features of contact sharing that will require developer action to incorporate into their iOS apps, the ContactAccessPicker and the ContactAccessButton.

ContactAccessPicker (left) and ContactAccessButton (right)

The ContactAccessButton lets unshared contacts appear seamlessly within the application’s UI, with the ability to grant access to that specific contact with a single tap. The best time to ask users for a permission is the moment it is needed, because they can see and understand exactly what they are granting. The new ContactAccessButton API does exactly that. Here’s an example code block for implementing the ContactAccessButton:

Image Credit: Apple

The second new contact access API coming with iOS 18 is the ContactAccessPicker. This feature lets a user add or change which contacts an application has limited access to, without ever leaving the application. The ContactAccessPicker is better suited for larger changes to an app’s limited-access contact set. Here is an example code block for implementing the ContactAccessPicker:

Image Credit: Apple
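Both APIs from the two passages above in one SwiftUI view, as an added example that is not code from the NowSecure post or from Apple's sample. It assumes the ContactsUI signatures as Apple documents them for iOS 18 (ContactAccessButton driven by a query string, and the contactAccessPicker view modifier) and that the user's search text drives both the in-app results and the button.

```swift
import SwiftUI
import Contacts
import ContactsUI

// Added example, not code from the NowSecure post or from Apple's sample. Assumes the
// iOS 18 ContactsUI APIs named below and a user-typed search string.
struct LimitedContactsView: View {
    @State private var searchText = ""
    @State private var shared: [CNContact] = []
    @State private var showPicker = false
    @State private var status = CNContactStore.authorizationStatus(for: .contacts)

    private let store = CNContactStore()

    var body: some View {
        NavigationStack {
            List {
                Section("Shared with this app") {
                    ForEach(shared, id: \.identifier) { contact in
                        Text("\(contact.givenName) \(contact.familyName)")
                    }
                }
                if status == .limited {
                    // Rendered out-of-process by the system: it lists matching contacts
                    // the app cannot see yet, and one tap shares just that contact.
                    // The app never receives the unshared entries themselves.
                    ContactAccessButton(queryString: searchText) { _ in
                        loadShared()   // the newly granted contact is now fetchable
                    }
                }
            }
            .searchable(text: $searchText)
            .toolbar {
                if status == .limited {
                    Button("Manage shared contacts") { showPicker = true }
                }
            }
            // For larger edits to the limited set; the handler receives the identifiers
            // the user added or removed, so the view just refreshes its list.
            .contactAccessPicker(isPresented: $showPicker) { _ in
                loadShared()
            }
            .task { await requestIfNeeded() }
        }
    }

    private func requestIfNeeded() async {
        if status == .notDetermined {
            // iOS 18 shows the block / allow / full-or-limited flow automatically here.
            _ = try? await store.requestAccess(for: .contacts)
            status = CNContactStore.authorizationStatus(for: .contacts)
        }
        loadShared()
    }

    /// Fetches whatever the user chose to share. Under `.limited` status the store
    /// returns only the shared subset, so the fetch code needs no special casing.
    private func loadShared() {
        guard status == .authorized || status == .limited else { return }
        let keys = [CNContactGivenNameKey, CNContactFamilyNameKey] as [CNKeyDescriptor]
        let request = CNContactFetchRequest(keysToFetch: keys)
        var result: [CNContact] = []
        try? store.enumerateContacts(with: request) { contact, _ in result.append(contact) }
        shared = result
    }
}
```

The point to notice is the `.limited` authorization status: an app written for earlier iOS versions that treats anything other than `.authorized` as "denied" will wrongly hide the contacts the user did decide to share, so the status check is the one place existing apps need to update.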

With the ever-growing Internet of Things (IoT), home networks hold more and more devices, and users may be wary of which apps connect to them and share data with them. Similar to the automatic passkey transition, the new pairing process with AccessorySetupKit provides a smoother user experience and a more secure connection. The previous flow had several prompts and permissions that slowed the process and could induce some skepticism. With AccessorySetupKit, a device can be paired with a single tap.

Previous flow (left 3) and AccessorySetupKit (right)

On top of this much simpler setup, the application cannot discover other devices on the network that have not been paired with the app. The accessory menu also allows individual device permissions to be shared with other apps. Later on, if a user wants to forget a device, they can remove it from the accessory menu along with all the previously granted permissions. AccessorySetupKit improves both iOS 18 app privacy and user experience — a sought-after combination.
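The AccessorySetupKit flow described above, as an added example that is not code from the NowSecure post or from Apple's sample. It assumes a hypothetical "Acme Lamp" accessory advertising a constructed Bluetooth LE service UUID (0000FEED-0000-1000-8000-00805F9B34FB); a real app would list that UUID under the NSAccessorySetupBluetoothServices Info.plist key and declare "Bluetooth" under NSAccessorySetupKitSupports.

```swift
import AccessorySetupKit
import CoreBluetooth
import UIKit

// Added example, not code from the NowSecure post or from Apple's sample. The
// accessory name and service UUID are constructed for this example.
final class LampPairingController {
    private let session = ASAccessorySession()
    private(set) var pairedLamps: [ASAccessory] = []

    // Constructed service UUID for the hypothetical lamp.
    private static let lampServiceUUID = CBUUID(string: "0000FEED-0000-1000-8000-00805F9B34FB")

    func start() {
        // The session reports only accessories this app has already paired; it gives
        // the app no way to enumerate every device on the network or nearby.
        session.activate(on: DispatchQueue.main) { [weak self] event in
            guard let self else { return }
            switch event.eventType {
            case .activated:
                self.pairedLamps = self.session.accessories
            case .accessoryAdded:
                if let accessory = event.accessory { self.pairedLamps.append(accessory) }
            case .accessoryRemoved:
                if let accessory = event.accessory {
                    self.pairedLamps.removeAll { $0 == accessory }
                }
            default:
                break
            }
        }
    }

    /// Presents the system picker. Discovery runs out-of-process and the app is handed
    /// only the accessory the user tapped, so no broad Bluetooth permission is needed.
    func pairNewLamp() {
        let descriptor = ASDiscoveryDescriptor()
        descriptor.bluetoothServiceUUID = Self.lampServiceUUID
        let item = ASPickerDisplayItem(
            name: "Acme Lamp",   // constructed product name
            productImage: UIImage(systemName: "lightbulb")!,
            descriptor: descriptor)
        session.showPicker(for: [item]) { error in
            if let error { print("picker failed: \(error.localizedDescription)") }
        }
    }

    /// Forgetting the accessory here also drops the permissions granted at pairing time.
    func forget(_ accessory: ASAccessory) {
        session.removeAccessory(accessory) { error in
            if let error { print("remove failed: \(error.localizedDescription)") }
        }
    }
}
```

The discovery descriptor is what limits the picker to the product the app actually supports; everything else on the network stays invisible to the app, which is the privacy property the post describes.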

iOS 18 Hidden Apps

With iOS 18, no longer will a gibberish message be sent in your work chat when you give your phone to your child to play a game. No longer will unintended messages be seen, sent or deleted. No more (accidental) shipping orders for candy or toys. iOS 18 brings with it the ability to lock or hide specific apps, requiring authentication in order to use them. Authentication can be a PIN, Touch ID or Face ID. Locked or hidden apps won’t appear in searches or within notifications. This new iOS 18 hidden apps feature provides peace of mind to users when they hand their phone to someone else. Developers don’t need to adopt any new API or add any new code for this functionality to work with their applications, because it is a systemwide feature.

iOS 18 Face ID app lock

iOS 18 Apple Intelligence

Finally, we have arrived at the deep end of the iOS 18 swimming pool, Apple Intelligence, which enables a personalized iPhone experience never before seen. It is designed to learn about users to best serve them, and Apple Intelligence is quite a powerful learning tool. Having AI built into the supercomputers in our pockets can be concerning. But Apple claims to have built the tool with “privacy and security from the ground up.” Apple is opening up its Apple Intelligence to independent security researchers to validate its claims – a comforting appeal to some of the more privacy-conscious users.

First and foremost, Apple wants as much of Apple Intelligence as possible to run on-device. This is for two reasons. First, it results in a better user experience, because processing is faster when data doesn’t need to traverse Apple’s servers. Second, it aligns with Apple’s mission of data protection and privacy by keeping user data out of transit, where attackers could get hold of it. Unfortunately, some requests require more processing power than is available on-device. When this occurs, user data has to be sent to Apple servers. To deal with the security and privacy issues inherent in data transmission, Apple built Private Cloud Compute (PCC). PCC was created explicitly for processing Apple Intelligence requests in a private and secure manner.

PCC has a notable resume in terms of security:

  • No persistent data storage
  • No privileged runtime access, such as a remote shell
  • Encryption keys are protected within a secure enclave
  • Similar to iOS, the PCC operating system uses secure boot to make sure the appropriate signature and verification are present
  • A Trusted Execution Monitor ensures that signed and verified code is the only code that runs
  • User devices use attestation to verify the configuration and identity of a PCC cluster before the first request is sent
  • End-to-end encryption throughout
  • Transmitted data is not retained and is never accessible to Apple

Apple said in its PCC announcement that it “believes this is the most advanced security architecture ever deployed for cloud AI compute at scale.” After reading the specs, I’m starting to think I agree with them. And if you think they are just making empty promises, you’ll be happy to hear they are promoting the independent audit of their PCC builds by security researchers. Apple is committed to making publicly available virtual images of each and every production build of PCC for security researchers to investigate and verify the promises they’re making. It is even offering rewards for findings through the Apple Security Bounty. 

iOS 18 Composition & Image Enhancements

Now that we’ve swum through some of the iOS 18 Apple Intelligence privacy and security-related features, let’s take a splash into some of the powerful functionality it provides. First up are the new Writing Tools. Writing Tools are deployed system-wide through Apple Intelligence and can help users create succinct and impactful writing. Developers will be happy to hear that if they are already using the standard UI frameworks for their text fields, Writing Tools functionality is added automatically. The only effort required on their part is if they want to customize their application’s behavior while Writing Tools is running; Apple has created the new TextView Delegate API for just this purpose.

Next up we have Genmoji. Say goodbye to the standard emoji keyboard — users now have the ability to create any emoji their hearts desire. Users simply type what they’re feeling and Genmoji creates a new emoji based on the input. Developers using the standard text systems with inline images only need to add one new line of code to let their text views use the fun, new Genmojis.

Beyond emoji generation, users will also have the ability to create unique and exciting images through the Image Playground API. Following a similar process as Genmoji, all users need to do is enter a prompt and an image will be generated. Let’s see how to add this feature to an application. First, initiate the imagePlaygroundSheet:

Next, indicate where the image should be stored:

Finally, add a default prompt to provide an image to start with:
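The three steps above in one SwiftUI view, as an added example that is not code from the NowSecure post or from Apple's sample. It assumes the ImagePlayground framework's sheet modifier and `supportsImagePlayground` environment value as Apple documents them for iOS 18; the prompt text and the destination folder inside the app sandbox are constructed for this example.

```swift
import SwiftUI
import ImagePlayground
import UIKit

// Added example, not code from the NowSecure post or from Apple's sample. Assumes the
// ImagePlayground SwiftUI modifier; prompt and storage location are constructed.
struct AvatarMaker: View {
    @Environment(\.supportsImagePlayground) private var supportsPlayground
    @State private var showSheet = false
    @State private var generatedURL: URL?

    var body: some View {
        VStack(spacing: 16) {
            if let url = generatedURL, let image = UIImage(contentsOfFile: url.path) {
                Image(uiImage: image).resizable().scaledToFit()
            }
            Button("Create avatar") { showSheet = true }
                // Absent on devices that do not support Apple Intelligence.
                .disabled(!supportsPlayground)
        }
        // Step 1: present the sheet. Generation runs on-device.
        .imagePlaygroundSheet(
            isPresented: $showSheet,
            concept: "friendly robot reading a book"   // step 3: default prompt, user-editable
        ) { url in
            // Step 2: decide where the image lives. The sheet hands back a temporary
            // file, so copy it into the app's own sandbox before it is cleaned up.
            generatedURL = persist(url)
        }
    }

    /// Copies the generated file into the Documents directory and returns the new URL,
    /// or nil if the copy failed.
    private func persist(_ tempURL: URL) -> URL? {
        let dir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
        let dest = dir.appendingPathComponent("avatar-\(UUID().uuidString).png")
        do {
            try FileManager.default.copyItem(at: tempURL, to: dest)
            return dest
        } catch {
            return nil
        }
    }
}
```

Because the image is generated and stored locally, nothing about the prompt or the result leaves the device unless the app itself later uploads it, which is the property the next paragraph relies on.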

And the best part is these images are created on-device so users can play around with this feature as much as they like. Developers don’t need to shell out dough for new servers or spend time and resources implementing their own image generation architecture to include this functionality within their applications. 

As we complete our swim in the iOS 18 pool, we wade out of the water with some words on Siri’s major upgrades with Apple Intelligence. Siri will be able to understand its users in a personal context like never before as it accesses Apple Intelligence’s semantic index of a user’s data, such as their messages, photos, calendar events, files and more. Applications using the standard text systems will let Siri access any text displayed on screen. And the new Spotlight API will give Siri the ability to search for data included in an application.

In Apple’s own words, “Apple Intelligence will enable Siri to expose much deeper and more natural access to an application’s data and capabilities than ever before.” If this level of integration raises privacy concerns, remember that Apple promises to encrypt this data, not store it, and not have access to it. And it is backing up that promise with independent audits by security researchers.

If mobile app privacy and security are important to you, please check out the NowSecure Platform automated mobile application security testing solution. NowSecure Platform integrates directly into development workflows to identify security and privacy issues in mobile apps and help developers fix them prior to release.