Privacy has become a major concern after the discovery of a security bug in iOS 18 and macOS 15.0 Sequoia. According to research by Sevco Security, this “systemic privacy bug” could expose personal applications from your iPhone to your company’s software inventory through a new Apple feature known as iPhone Mirroring.
iPhone Mirroring Explained
Introduced in iOS 18 and macOS 15, iPhone Mirroring allows the user’s iPhone to be seamlessly integrated into their work MacBook. However, Sevco’s research found that this feature could accidentally expose personal apps from employees’ phones to their employers.
Sevco’s research paper, “Broken Mirror,” explains: “Mobile apps from a personal iPhone may appear in company software inventories, thereby exposing the personal information of employees.” “For instance, iPhone users who don’t want apps like VPNs, dating apps or health-related apps to be seen by their employer’s IT department,” Sevco said.
Unexpected App Exposure
The discovery began when Sevco found personal iPhone apps being reported as part of the Mac’s software inventory. They initially thought it was a bug in their own systems. Further investigation, however, revealed that the problem appeared across many customers and upstream vendors, indicating a larger, systemic issue.
In other words, this bug is a major liability for companies that unintentionally collect private employee data, breaking laws such as the California Consumer Privacy Act (CCPA) and even leading to lawsuits.
Impact on Users
How much of a risk does this bug really present? Although the exposure is unwelcome, many companies and even users likely will not experience the full impact overnight. It’s never pretty when personal apps are exposed, but Sean Wright, head of application security at Featurespace, says it may not be too big of a deal if you already handle privacy sensibly at your job.
Wright says: “If you don’t trust your employer, you probably shouldn’t be using your personal phone for work.” He adds: “Many companies already handle sensitive information like your address and banking details, so the revelation of installed apps may not be the disaster it sounds like for most people.”
Despite this, Wright says employers are going to have to be careful about what software they’re collecting, or they could run afoul of the law. Moreover, the adoption of iPhone Mirroring is still nascent because many organizations have not yet updated their screen mirroring solution to macOS Sequoia.
When Will Apple Fix the Bug?
Sevco Security has informed Apple of the problem, and Apple is reportedly working on a fix. Earlier, Sevco also reached out to enterprise software vendors to help mitigate the risk until a patch is ready.
“Companies should identify systems that collect software inventory from Macs and work with their vendors to address this issue until Apple releases an update,” Sevco advised.
Apple confirmed receipt of the report on September 27 and verified the bug on September 30. Apple then said its upcoming update would fix the problem.
On October 3, Sevco decided to publish its findings quickly so that the data protection breach would not continue. The usual best practice is a 30-day security bug disclosure window, but Sevco expedited things because of the increasing number of people that the bug was affecting.
Take Action Now
Meanwhile, Sevco advises that employees avoid using iPhone Mirroring on work devices until the bug has been patched. To prevent potential litigation, companies should purge any mistakenly collected employee data.
The risk may be fairly low for people who do not use their devices for work, but as businesses we need to stay on our toes to eliminate accidental privacy breaches and prevent litigation.