As most of you will know, Apple's latest operating system (OS) update, iOS and iPadOS 14.4, included fixes for several serious vulnerabilities.
Whenever Apple releases an OS update that fixes a security vulnerability, it publishes details of the vulnerability in a security bulletin.
For 14.4 the bulletin covered CVE-2021-1870, CVE-2021-1871 and CVE-2021-1782 and stated that they may already have been actively exploited on Apple devices.
About Vulnerabilities
Most of the time, vulnerabilities that are announced as fixed are the result of a weakness or code flaw that has been discovered through routine penetration testing and deliberate research into the code. These vulnerabilities have probably not been found by a malicious hacker, but as soon as the CVEs are public they are fair game for black hat hackers, and you will want to patch your devices to ensure your corporate data is not at risk.
The other type of vulnerability is more serious: the vulnerability is already being used in the wild, and the fix is released because it has already been exploited. We don't have any details of what has happened with Apple's latest announced vulnerabilities or which devices have been compromised, but the fact that they may have been actively exploited before the fix was available is concerning.
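The first practical step after a bulletin like this is to find out which enrolled devices are still below the fixed release. The script below is an added example, not code from the original post or from any MDM vendor: it assumes a hypothetical CSV export from your MDM with the columns device_id, platform, os_version and owner (the sample rows are constructed for the example), compares each device's OS version numerically against the release that carries the fix, and also reports platforms it has no minimum for rather than silently skipping them.

```python
import csv
import io

# Earliest iOS/iPadOS release that contains the fixes referenced above (14.4).
MIN_PATCHED_VERSION = {"iOS": "14.4", "iPadOS": "14.4"}

# Constructed sample inventory export; device ids, owners and the column
# layout are hypothetical and stand in for whatever your MDM actually exports.
SAMPLE_INVENTORY_CSV = """\
device_id,platform,os_version,owner
dev-0001,iOS,14.4,field-sales
dev-0002,iPadOS,14.3,warehouse
dev-0003,iOS,14.4.1,field-sales
dev-0004,iOS,13.7,executive
dev-0005,iPadOS,14.4,warehouse
dev-0006,Android,11,field-sales
"""


def parse_version(text):
    """Turn '14.4.1' into (14, 4, 1); a non-numeric component raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_at_least(version, minimum):
    """Compare dotted versions numerically, so '14.4' and '14.4.0' are equal
    and '14.10' sorts after '14.9' (a plain string comparison gets both wrong)."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def find_unpatched(csv_text, minimums=MIN_PATCHED_VERSION):
    """Return (unpatched, unknown).

    unpatched: (device_id, platform, os_version) for devices below the minimum
    unknown:   device ids whose platform has no minimum defined, reported so
               they are not mistaken for compliant devices
    """
    unpatched, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        minimum = minimums.get(row["platform"])
        if minimum is None:
            unknown.append(row["device_id"])
        elif not is_at_least(row["os_version"], minimum):
            unpatched.append((row["device_id"], row["platform"], row["os_version"]))
    return unpatched, unknown


if __name__ == "__main__":
    stale, other = find_unpatched(SAMPLE_INVENTORY_CSV)
    for device_id, platform, version in stale:
        print(f"{device_id}: {platform} {version} is below {MIN_PATCHED_VERSION[platform]}")
    if other:
        print("no minimum version defined for:", ", ".join(other))
```

Run against a real export, the list of unpatched devices is what drives the rollout, and the "unknown" list is a prompt to add a minimum for every platform you actually manage.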
Beware of your business critical apps and services
If a recommendation to update the operating system on your corporate devices is given, you need to consider the impact the update could have. If you are running business critical apps or services on your enterprise devices, then thorough testing is important to ensure business continuity.
An operating system release may contain hundreds of code updates and changes. Every update could impact your app or service.
An OS update can change the way authentication is handled, it can change the supported connection protocols, the interaction between the MDM agent and the app can be affected, and the app may no longer be supported on the new OS version because it uses old libraries. There are many moving parts.
Do you have an app deployed that lets your field workers log in and access a database where they get product information or log their daily activities?
What happens if this app stops working? At a guess, that workforce stops working or is severely impacted by not having the app available. That’s an enormous cost in lost productivity and worst case – lost revenue.
Do you have a website for work activities that you access on mobile devices through a browser (Safari, Edge, Chrome)? Do your employees authenticate and then gain access to documents, data, etc. in order to perform their activities?
What is the cost of not being able to access this data on the road, on-demand?
Beta testing is critically important
As we move beyond email on mobile devices to providing business critical services through apps and web apps, these apps need to be tested against the beta releases to ensure there is no business impact when an update is released to production.
Beta testing prior to the production release allows you to roll out a new update immediately, protecting you from vulnerabilities as soon as they are fixed.
If you want to execute zero-day patch releases, then ideally you should have:
- a robust testing program to test app changes against your business-critical use cases, and
- a testing contract in place with your app developer to ensure they are validating their code against the updates BEFORE they go live.
Both Apple and Google release beta versions for testing before production release day. If you have a critical dependency on mobile devices for your business, then you must be performing beta testing.
As an Apple Developer you can get access to Apple beta software through the Apple Developer Program.
As a Google Developer you can get access to Android beta software at https://developer.android.com
Software Testing
A good software testing program will include:
- Defining your test scope
- Building testing scripts
- Having designated test devices, both real and virtual
- Having business user testers that test the app(s)
- Having professional Quality Assurance professionals testing the app(s)
- A mechanism for feedback and defect tracking
- Validation of the impact of any OS update against critical apps and services
- An SOP for interfacing with internal and 3rd party app developers around their Quality Assurance processes
- Validation of enterprise authentication with each update
- Validation of all integrations with each update
There are software testing automation tools that can help to speed up and scale your testing, but it's also important to have user testing completed. Automation is not a silver bullet and may miss display issues and interactions with other apps.
Conclusion
Vulnerabilities in the wild can leave companies scrambling to patch, but with a comprehensive testing plan you can mitigate business risk and lower your chance of a loss of business continuity.
If you have questions about how to perform OS testing on your mobile devices, contact us.
Liz Knight
Since 2005 I have dedicated my professional capabilities to the advancement of wireless mobile data technologies. During my career I have worked with customers in markets large and small, including financial and government organizations in New Zealand, Europe and the United States.