This privacy and compliance threat throws shade at iPhone Mirroring

Apple-focused IT admins using device management software should perhaps temporarily disable iPhone Mirroring across their device fleets to prevent inadvertent privacy or compliance challenges as a result of using the new macOS Sequoia feature. (Apple is supposed to be working on a fix already.)

It appears at present that when you use iPhone Mirroring with a Mac running Sequoia your computer gathers a small amount of information about the iPhone apps being used. It doesn’t gather all the data, just very basic information concerning app name, time of use, and so on — and while some MDM systems reportedly don’t parse this information, some of the most commonly used data compliance tools do review it.

What is the real threat here?

Ultimately the problem is two-fold: 

Privacy: First, managed workplace Macs are gathering data concerning apps used on personally-owned iPhones, which can be a privacy failure and could be a bigger problem in some contexts. (For instance, an employee in an authoritarian state in which use of VPN or LGBTQ apps is proscribed might find their app use shared by this bug, with potentially serious consequences.)

Compliance: The second problem concerns regulatory compliance: If a compliance audit tool picks up use of an unauthorized iPhone app on a corporate network, which they will do due to the architecture of this bug, IT will be forced to explain and look into that use. This poses enterprise-wide compliance challenges, and also means admins could be forced to waste time on what should be a relatively trivial problem.

The iPhone Mirroring SNAFU isn’t a problem for smaller firms that don’t use device management or compliance tools, as in theory at least, the information gathered is not made available to anyone but the registered Apple ID/user of a system. Though the fact the data exists at all might pose an additional attack surface for data exfiltration. 

What is the problem?

The snag was first spotted in late September by Sevco Security, a company that does not develop for the Mac. It found that when iPhone Mirroring is used, any iPhone app creates an entry in a library item on your Mac. Effectively that is because the Mac treats these apps as native Mac apps, even though they are being run on iPhone.

You can read an in-depth account of the behavior courtesy of Sevco (above), but essentially if you run the mdfind CLI (Command Line Interface) in Spotlight you should see a complete list of both iPhone and Mac apps run on the Mac. You usually can only see the Mac apps used, but with iPhone Mirroring you now see iPhone apps, too. That information is then maintained in a deeply-stashed library file on the Mac, which most users will never see.

The problem is that most compliance, network, and endpoint security and audit tools will interrogate the library files to discover what apps are being run, including apps run on the Mac via iPhone. (They can’t see any of thew app data but could still provide insights that threaten privacy or compliance.)

Apple is working on a fix

Apple is working on a patch for the flaw, but it doesn’t seem to have appeared in the latest beta. At the same time, it’s worth noting that rather than giving Apple 30 days to rectify the problem (which is the usual approach for revelations of this kind), Sevco disclosed the problem just 12 days after informing Apple of it, citing the public interest as many Mac users work with iPhone Mirroring.

Sevco did say: “We appreciate Apple’s rapid response and urgency addressing the issue.”

What you should do now

Sevco offers the following advice pending a fix:

“Employees should not use iPhone Mirroring on work computers;

“Companies should communicate to employees that they should avoid using iPhone Mirroring on work computers (this may be a legal or regulatory requirement);

“Companies should identify any enterprise IT systems that collect software inventory from Macs and work with those vendors to mitigate the risk until a patch is available.”

It is important to stress that since Apple is working on a fix, this is unlikely to be a permanent concern. And most enterprises handling confidential data should already have forbidden the use of iPhone Mirroring on managed devices to prevent other forms of data exfiltration.

Switch it off and on again?

Some admins have noted that in cases in which such information has already been collected, getting users to log out of their Apple Account and login again might destroy the information held on the Mac. They can then disable iPhone Mirroring pending Apple’s fix. While logging out of an Apple Account seems a rather large hammer for a relatively small problem, if you are handling sensitive information, or have apps you don’t want to share the names of, it may be a useful step. (I’ve not tested this myself so cannot be certain this will completely wipe away the information.)

Should you panic?

This is not a red alert. Apple will rectify this problem soon, and its existence is unlikely to tarnish Apple’s reputation for security — certainly not in comparison to the appalling multi-billion dollars damage wrought by the recent Microsoft/Crowdstrike failure. While the flaw does pose compliance and privacy challenges, and the collection of the information itself flies in the face of Apple’s general promise to collect as little data as possible about what users do, it can be rectified.

At the same time, it is likely that Windows-invested security experts will redouble their attempts to poke holes in Apple’s reputation for security as they recognize the growing threat Apple now provides to the ecosystem in which they have so much invested. That’s particularly true now that Delta Airlines has hired David Boies’ feared law firm to pursue damages generated by the Crowdstrike mess. 

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.