The Security Implications of iOS 9 Adoption
At Duo Labs, we recently studied the state of outdated iOS devices in an article here. With the recent release of iOS 9, we revisited this discussion, given the unique device-based insight our service can provide.
iOS 9 Findings
iOS 9 was released on September 16th after several months of public beta testing, during which time it was easy for an iOS user or developer to obtain a beta build of iOS 9 and run it on their iOS device. And yet, during this beta period, we observed far fewer than 1 percent of our iOS devices running any given iOS 9 beta build.
Another troubling finding from our last study revealed that half of iPhones run significantly outdated versions of iOS. Further, over 90% of users had not applied a critical iOS security update during the first full week after it became available. Generally, users are falling behind and very slow to catch up - a troubling problem given how simple it is to update iOS devices.
Those slow-to-update statistics for version iOS 8.4.1 were repeated when iOS 9 was released, despite the media hype associated with a new version release of the Apple mobile software. Only about 14 percent of iOS devices upgraded to iOS 9 in the first week it was available. At the end of the second week, the adoption rate for iOS 9 had climbed to 25 percent.
One additional consideration is that the iPhone 6S and iPhone 6S Plus both shipped to consumers on September 25th. This appears to have not significantly changed the rate at which iOS 9 expanded its footprint across the Duo iPhone/iPad user base.
At the end of a full month of general availability of iOS 9, the adoption rate (including iOS 9.1 and 9.2 beta) was still below half of iOS devices enrolled with Duo, hovering at approximately 40 percent of devices. Many users continue to run significantly outdated (iOS 7 or below) devices, while a number of users have clung tightly to iOS 8 despite the compelling features and security enhancements in iOS 9, as well as the taco emoji in iOS 9.1.
Looking specifically at patch levels within iOS 9, the following updates were released within the first few weeks after iOS 9 became available:
- iOS 9 - September 16, 2015
- iOS 9.0.1 - September 23, 2015
- iOS 9.0.2 - September 30, 2015
- iOS 9.1 - October 21, 2015
The adoption rates below show how a decent portion of users kept a reasonable pace on adopting minor point releases shortly after iOS 9 - but again, adoption over the course of a month remained somewhat lower than other entities have reported. Because these phones are all registered to use our two-factor authentication service, we find the source dataset to be quite reliable in deriving these conclusions.
For the IT professional, does any of this matter? Yes! For starters, there were successful lock screen bypasses that would allow access to some contents of the phone without a passcode or TouchID unlock. An attacker that had physical access to an outdated phone could read messages, browse photos, or otherwise bypass certain security restrictions on the phone.
It’s also important to note that, generally, the population of devices running iOS 7 or below remains untenable. To refer back to our last post on this topic, we generally would never allow a significantly out-of-date computer to exist on a corporate network if it were months, if not years, out of date.
Fortunately, the path to resolution is simple! Duo suggests:
- Educating your users on the importance of running updates.
- Change user behavior over time by building awareness as to the importance of these updates.
- Streamline the update process with helpful suggestions like convenient update times, setting expectations for how an update should proceed, and giving tips on clearing space in order to avoid pesky error messages.
- Deploy an endpoint security solution that gives you insight into your users’ devices and the version of software they’re running. Admins can identify any potential security risks an outdated device may introduce to an organization.
We’ve focused our last few posts on iOS updates and security. Stay tuned, as Duo Labs is currently working up a similar study of the Android ecosystem!