iOS 9 Packed With Many New Security Features, Patches

Apple released iOS 9, the latest major version of its mobile OS, which includes (among other user-facing features) a long list of security patches and several new security features.

Many Security Patches

iOS 8 was regarded as one of the buggiest versions of iOS ever, which prompted Apple to focus much more on polishing the OS in its next iteration. Apple's security notes for iOS 9 list more than 100 vulnerabilities present in iOS 8, and many of them sound quite scary: bugs that allow TLS interception, text files that trigger arbitrary code execution when opened, a hole that lets an RSA private key be stolen, privilege escalation bugs, and many others.

iOS 9 fixes every issue on that list, so users are considerably safer in this regard, although nobody knows what remains undiscovered, and it remains to be seen how long Apple's future security update lists will be. Because so many vulnerabilities are closed at once, iPhone users should update to iOS 9 as soon as possible for this reason alone.

Six-digit PIN

Besides the patches, iOS 9 brings several security features that should make an iPhone noticeably harder to attack.

One of the major ones is a six-digit passcode, which is now the default, replacing the previous four-digit PIN. The key space grows 100-fold: a four-digit PIN falls in at most 10,000 guesses, a six-digit one in at most 1,000,000. Note that iOS already throttles guessing (escalating delays after failed attempts, plus the optional erase after ten failures), so the larger space matters most against an attacker who can get around that throttling.

Native Two-Factor Authentication

When the "Fappening" celebrity photo breach happened, many argued that the data could have been protected by proper two-factor authentication on iCloud. Apple added two-step verification for iCloud after the fact, and has now gone a step further by building native two-factor authentication into both iOS 9 and Mac OS X "El Capitan."

It works like this: every time you sign in from a new device or browser, Apple asks for a verification code, which is pushed to your phone or your other trusted Apple devices. This keeps out anyone who has obtained only your password (a weak or reused password, a successful brute-force, or a breach at another site where you used it), because they also need the second-factor code to authenticate.

VPN API

Apple added a public VPN API in iOS 9, which lets third-party apps implement their own VPN tunnels and so protect users' traffic on open Wi-Fi hotspots or when visiting privacy-sensitive websites. The same API could also bring a system-wide Tor client to iOS, as Orbot provides on Android.

The API could also be used for content blocking, which is what happened on Android, where Google bans ad blockers from its store and VPN-based blockers became the workaround. However, iOS 9 also ships a separate content blocking API for Safari, so the VPN API is unlikely to be used much for this, especially since a VPN-based blocker sees all of your traffic and therefore forces you to trust the blocking vendor with your browsing data.

LibreSSL Support

Starting with iOS 9 and Mac OS X "El Capitan," Apple switched from OpenSSL to LibreSSL, a fork of OpenSSL heavily cleaned up by the OpenBSD project. The fork was created soon after Heartbleed was discovered, when the OpenBSD developers concluded that continuing with OpenSSL as it stood had become unacceptable. Google has likewise moved to its own OpenSSL fork, BoringSSL.

App Transport Security (ATS)

Apple also introduced ATS in iOS 9, which pushes developers toward HTTPS for their apps' network connections. By default, connections made through NSURLSession and related APIs must use HTTPS with TLS 1.2 and Perfect Forward Secrecy (PFS) cipher suites, and anything weaker has to be whitelisted explicitly in the app's Info.plist. ATS is easy to implement the right way because the strong configuration is simply the default.

This could single-handedly make the iOS app ecosystem much more secure than the web itself, where most sites are still far too slow even to adopt HTTPS at all, let alone TLS 1.2 or PFS cipher suites.

For users' sake, Google shouldn't be far behind in adopting a similar feature in Android, but it has already advised iOS developers to delay enforcing ATS, because not all advertising networks support HTTPS yet. That suggests Google won't be in a hurry to bring ATS-style enforcement to Android either.

Google has denied that its intention was to delay ATS adoption and says it wants everyone to use HTTPS fully, but it's still odd that it chose to publish a blog post specifically on an ATS workaround (switching ATS off app-wide so that iOS 9 apps remain compatible with the Google Mobile Ads SDK) rather than the other way around: forcing out advertisers whose networks haven't yet adopted HTTPS.

Certificate Transparency

One of the best features of ATS is optional support for Certificate Transparency, a system designed by Google to make newly issued certificates publicly auditable, so that a forged or mis-issued certificate can be detected. It's still very early days for Certificate Transparency adoption, which is why it is a big move for Apple to be one of the first to support it.

This year, Google removed China's certificate authority (CNNIC) from Chrome's root store and said it won't allow it back until the CA adopts Certificate Transparency. Apple has had its own problems with forged certificates and TLS interception in China in the past, so that could be one of the reasons it decided to be one of the first non-Google platform vendors to adopt CT.

Because it's still early days and few certificate authorities support Certificate Transparency, the check is disabled by default in ATS. Developers whose certificates carry the required CT proofs (signed certificate timestamps) can opt in for individual domains.
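As an added example (not code from Apple, Google or the original article), here is a small Python audit of the NSAppTransportSecurity dictionary in an app's Info.plist, which is where both the ATS exceptions discussed above and the Certificate Transparency opt-in live. The key names are Apple's documented ATS keys for iOS 9; the two plist fragments, the example.com domains and the severity labels are constructed for illustration. The first plist shows the weak configuration (the global NSAllowsArbitraryLoads switch, plus a per-domain exception that allows plaintext HTTP, TLS 1.0 and non-PFS ciphers), the second the corrected one that keeps the ATS defaults and only opts one host into CT.

```python
import plistlib

# ATS defaults on iOS 9 when no exception lowers them.
ATS_DEFAULT_MIN_TLS = "TLSv1.2"
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# Constructed Info.plist fragment (not from any real app): the global
# "allow everything" switch plus two per-domain exception dictionaries.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSRequiresCertificateTransparency</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed corrected version: ATS defaults everywhere, CT opted in for one host.
STRICT_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSRequiresCertificateTransparency</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(plist_bytes):
    """Return (severity, message) findings for the NSAppTransportSecurity dict.

    Absent keys are read with the iOS 9 defaults: HTTPS only, TLS 1.2
    minimum, PFS cipher suites required, Certificate Transparency not required.
    """
    info = plistlib.loads(plist_bytes)          # handles XML and binary plists
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append(("HIGH", "NSAllowsArbitraryLoads=true: ATS is off for every host "
                                 "not listed under NSExceptionDomains"))
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if exc.get("NSIncludesSubdomains", False) else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append(("HIGH", f"{scope}: plaintext http:// loads permitted"))
        min_tls = exc.get("NSExceptionMinimumTLSVersion", ATS_DEFAULT_MIN_TLS)
        if min_tls not in TLS_ORDER:
            findings.append(("LOW", f"{scope}: unrecognised NSExceptionMinimumTLSVersion {min_tls!r}"))
        elif TLS_ORDER[min_tls] < TLS_ORDER[ATS_DEFAULT_MIN_TLS]:
            findings.append(("MEDIUM", f"{scope}: minimum TLS lowered to {min_tls}"))
        if not exc.get("NSExceptionRequiresForwardSecrecy", True):
            findings.append(("MEDIUM", f"{scope}: non-PFS cipher suites allowed"))
        if exc.get("NSRequiresCertificateTransparency", False):
            findings.append(("INFO", f"{scope}: Certificate Transparency required (opt-in)"))
    return findings


def ats_is_strict(findings):
    """True when nothing weakens the ATS defaults (INFO findings are fine)."""
    return all(sev == "INFO" for sev, _ in findings)


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_INFO_PLIST), ("strict", STRICT_INFO_PLIST)):
        result = audit_ats(blob)
        print(f"{name}: strict={ats_is_strict(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

When reviewing an app, point audit_ats at the Info.plist extracted from the .ipa; Xcode usually writes it in binary plist form, which plistlib.loads detects automatically. A plist with no NSAppTransportSecurity dictionary at all gets the full iOS 9 defaults and produces no findings.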

Other Security Features

iOS 9 also extends Wi-Fi MAC address randomization to location and auto-join scans, trims and strengthens the cipher suite list in Safari 9, and requires Safari 9 extensions to be signed and hosted by Apple (as Chrome already does, and Mozilla soon will).


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hst101rox
    What about battery life? How much space on the internal SSD does it take after the upgrade is all said and done? 1.3GB for iOS 9 versus 4.58G for iOS 8, oh sure.
  • Baumy15
    It has a low power mode, which for my power-hungry iPhone 5 is great; I can easily get through a whole day without using more than 60%.
    I only noticed 1.7GB disappear after I installed the beta (9.1) and experienced very few issues. I reckon Apple made iOS 9 almost flawlessly, apart from a few lag bugs.
  • hst101rox
    So I downloaded the update from 8.4.1 to 9.0; it said it was a 1GB download (8.2 to 8.4.1 was a 340MB update).
    Before downloading the update, I had 9.4GB free. After the update completed, 9.6GB, but then it dropped to 9.0GB and now it's at 9.1GB. Not sure if it has mellowed out now, but that seems very nice. Will update if it sways much more.
  • captaincharisma
    I can already hear the iSheep complaining about how iOS 9 slowed down or crippled their old iPhone and they have no way to downgrade.
  • firefoxx04
    Let me guess, a 6-digit PIN is revolutionary. Must be, because my S5 has a 4-digit PIN lol.
  • marcelleh
    You've said "The VPN API could also allow for the existence of Tor on iOS"...

    There are already many Tor-enabled browsers on the iOS App Store. While these are not supported by the Tor Project, they do include copies of the Tor source code.

    One example is Safe Browser Secure, which is a free iOS/iPhone/iPad browser that has a very stable Tor implementation to allow you to browse normal web sites anonymously and access .onion sites. It supports Tor bridges, and is the only iOS Tor browser to support pluggable transports (https://www.torproject.org/docs/pluggable-transports.html.en) (obfs2, obfs3 and ScrambleSuit), crucial if your government or ISP blocks Tor, like the Great Firewall of China.