Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Apple Ships iOS 15 with MFA Code Generator

Apple on Monday rolled out a major refresh of its flagship iOS mobile platform, adding a built-in two-factor authentication code generator and multiple anti-tracking security and privacy features.

Apple on Monday rolled out a major refresh of its flagship iOS mobile platform, adding a built-in two-factor authentication code generator and multiple anti-tracking security and privacy features.

The iOS 15 makeover also includes patches for at least 22 documented security vulnerabilities, some serious enough to expose iPhone and iPad users to remote denial-of-service and local code execution attacks.

The latest mobile operating system refresh comes on the heels of two major security and privacy-related controversies at Apple. The company was forced to scramble out an emergency iOS patch last week to address in-the-wild zero day attacks and Apple was also caught in a privacy scandal linked to its now-delayed sex-abuse scanning technology.

[ READ: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days ]

According to Apple, the built-in authenticator can generate verification codes needed for additional sign-in security. “If a site offers two-factor authentication, you can set up verification codes under Passwords in Settings — no need to download an additional app. Once set up, verification codes autofill when you sign in to the site.”

Another notable is Mail Privacy Protection, a new feature that prevents e-mail marketers from learning information about an iPhone user’s Mail activity.

“If you choose to turn it on, it hides your IP address so senders can’t link it to your other online activity or determine your location. And it prevents senders from seeing if you’ve opened their email,” Apple explained.

The iOS 15 upgrade also includes nifty privacy features like Secure Paste, an App Privacy report that exposes how often apps access a user’s location, photos, camera or microphone over a seven-day stretch.   

[ READ: Apple Adds ‘BlastDoor’ to Secure iPhones From Zero-Click Attacks ]

On the patching front, Apple documented 22 vulnerabilities fixed in iOS 15 and iPad OS 15 and warned that these issues could lead to code execution, denial of service, or authentication bypass attacks.

The most serious of these flaws could allow arbitrary code execution via rigged fonts or image files.  Apple also warned that of the security defects could allow a 3D model constructed to look like the enrolled user to authenticate via Face ID.

Apple is gently nudging iPhone and iPad users to apply the upgrades via a ribbon below the Software Update settings page.

Related: New iOS Zero-Click Exploit Defeats Apple ‘BlastDoor’ Sandbox 

Related: Apple Patches ‘Actively Exploited’ Mac, iOS Security Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.