In addition to the new features that everyone else loves, the new iOS 9 release includes some important security fixes. See the full list from Apple here. Or peruse this list of “highlights,” flaws that no longer exist with this update. Some of these are very serious, but all require just the right set of circumstances, which hackers are often very good at creating:
- A maliciously crafted URL may be able to bypass HTTP Strict Transport Security (HSTS) and leak sensitive data
- A malicious website may be able to track users in Safari private browsing mode
- An attacker in a privileged network position can track a user’s activity
- An attacker may be able to create unintended cookies for a website
- An attacker with a privileged network position may intercept SSL/TLS connections
- An attacker may be able to decrypt data protected by SSL (yikes!!!!)
- A malicious application may be able to leak sensitive user information
- An attacker may be able to determine a private key (yikes!!!!)
- Processing a maliciously crafted font file may lead to arbitrary code execution
- Processing a maliciously crafted text file may lead to arbitrary code execution
And those were just the ones that caught my eye in the alphabetized list through letter D! Seriously, do not wait for your over-the-air invitation. Update now.
iOS 9 also changes the 4-digit passcode to 6 digits. Somehow you’ll figure out how to survive typing those extra 2 digits, but in the meantime the odds of guessing your passcode on a single try go from 1 in 10,000 to 1 in 1,000,000.