
iOS security framework like Swiss cheese

Apple did quite a good job restricting the open-in function between managed and unmanaged apps, and advanced its separation within its native mail and even contacts app

  • allow open documents from unmanaged apps to managed apps
  • allowUnmanagedToReadManagedContacts


but

there are still leaks in the security framework that let users get around enterprise restrictions, further details below


open in

apps and even accounts are separated into managed/unmanaged. an enterprise-deployed Exchange configuration can block moving/forwarding messages to other email accounts within the native Apple Mail app. the separation between private/business accounts is highlighted in the colors red/blue through the managed domain configuration, which also applies to Safari domains: files downloaded from managed web domains can only be shared with managed mail accounts. 3rd party apps can implement app configuration to disable copy/paste. sounds perfect so far,
…but it is still possible to copy/paste business data to private

quick look

a document opened in the native viewer also respects the managed/unmanaged restriction…
…but when you open the file in Quick Look, you are able to send the file from any account without restriction

pictures

it is possible to save media to the gallery, and of course it is possible to take a screenshot, but that is a bit more tricky

lockscreen

enterprise-registered bring-your-own devices could display sensitive information on the lock screen without the need to enter device credentials; a management system could block this information for registered devices

  • allowLockScreenNotificationsView
  • allowLockScreenTodayView

… but this would also impact notifications for private apps

keyboard

furthermore, for BYOD it is hard to maintain security without restricting private use: users could use a custom keyboard with a potentially embedded keylogger. iOS developers can add code to their projects so that only the default iOS keyboard is presented
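one way to force the default keyboard, as an added example (not code from the original post): the UIKit app delegate callback `application(_:shouldAllowExtensionPointIdentifier:)` lets an app refuse third-party keyboard extensions. the `AppDelegate` scaffold around it is an assumption about how the project is set up.

```swift
import UIKit

// Assumed scaffold: a standard UIKit app delegate. Only the
// shouldAllowExtensionPointIdentifier callback matters for this example.
@main
class AppDelegate: UIResponder, UIApplicationDelegate {

    var window: UIWindow?

    // iOS asks the app whether an app-extension type may be used inside it.
    // Returning false for .keyboard means custom (third-party) keyboards are
    // never offered in this app, so text typed into business fields does not
    // pass through a keyboard extension's code.
    func application(
        _ application: UIApplication,
        shouldAllowExtensionPointIdentifier extensionPointIdentifier: UIApplication.ExtensionPointIdentifier
    ) -> Bool {
        if extensionPointIdentifier == .keyboard {
            return false   // fall back to the system keyboard everywhere in this app
        }
        return true        // leave any other extension point untouched
    }
}
```

this only covers the app that implements it; private apps on the same device keep whatever keyboard the user selected.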


stay tuned for iOS 13 adding more security features 🔐 and privacy with user enrollment 🔏