Broken Mirror: iPhone Mirroring at Work May Expose Employees’ Personal Information, Sevco Research Finds

Update 10/29/24: Apple has released macOS 15.1, an update to macOS 15 Sequoia, that fixes this privacy vulnerability.

Sevco recommends that companies apply the patch and update all enterprise Mac devices to macOS 15.1. Companies should also purge any mistakenly collected employee data to eliminate liability risk.

Technical Information

Although the app inventory is still present on the host and visible to applications with Full Disk Access, Apple has excluded it from Spotlight indexing. Security tools that log installed software on enterprise devices therefore no longer pick up the iOS app stubs by default, and they should no longer appear in enterprise software inventories.

This fix is not noted in Apple’s security release notes for iOS/iPadOS 18.1 or macOS 15.1, but you can find the security release notes for macOS 15.1 here.

Original Blog

As deployments of macOS 15.0 Sequoia and iOS 18 continue, Sevco discovered a major systemic privacy bug whereby the applications from a user’s personal iPhone may become part of the company’s software inventory via a new Apple feature known as “iPhone Mirroring.” 

In short, the applications on an employee’s personal iPhone may be exposed to their corporate IT department.  

For iPhone users, this Apple bug is a major privacy risk because it can expose aspects of their personal lives that they don’t want to share or that could put them at risk. This could include exposing a VPN app in a country that restricts access to the internet, a dating app that reveals their sexual orientation in a jurisdiction with limited protections or legal consequences, or an app related to a health condition that an employee simply does not want to share. The consequences of such data exposure may be severe.

For companies, this bug represents a new data liability from potentially collecting private employee data. If this bug is not addressed, it may lead to violation of major privacy laws such as CCPA, potential litigation, and federal agency enforcement.

Sevco has notified Apple, who has identified the root cause and is working on a fix. We have also notified several enterprise software vendors with which Sevco and Apple share customers and where we have confirmed the issue. We have also notified our customers that have collected, or have the potential to collect, private employee data.

In the immediate term:

  • Employees should not use iPhone Mirroring on work computers
  • Companies should communicate to employees to avoid using iPhone Mirroring on work computers. (This may be a legal or regulatory requirement)
  • Companies should identify any enterprise IT systems that collect software inventory from Macs and work with those vendors to mitigate the risk until a patch is available

We expect Apple to patch macOS before long based on our conversations with them. When a patch becomes available, companies will need to apply the patch to stop collecting private employee data. After the patch is available, Sevco recommends that companies purge any mistakenly collected employee data to eliminate liability risk.

Background 

iPhone Mirroring is a new feature that requires macOS Sequoia, iOS 18 and Apple Silicon. The full list of system requirements is here. The goal of the mirroring feature appears to be a more seamless user experience between a person’s phone and laptop. 

When Sevco saw personal iOS applications reported as installed on Mac devices, we assumed it was a narrow, one-off bug in our processing or an upstream customer inventory provider. As we dug in, we recognized it was not a glitch – personal iOS apps were indeed being reported on Mac devices from multiple upstream software vendors at multiple customers. This issue was something new and systemic.

Since Sevco aggregates device inventories and software inventories and maintains the relationship between them, we immediately recognized that the culprit macOS devices were all running macOS 15.0 Sequoia, and iPhone Mirroring became the obvious suspect. One macOS and iOS upgrade and a bit of tinkering confirmed it.

Technical Details / Reproduction Steps

The most succinct repro steps we’ve found use mdfind:

mdfind "kMDItemContentTypeTree == com.apple.application" | grep Daemon

mdfind is the command line interface to Spotlight, the macOS search subsystem that indexes file metadata; the grep narrows the output to paths under the “Daemon Containers” directory described below. Run in a terminal window that has been granted Full Disk Access on a Mac where iPhone Mirroring has not been set up, the query returns the normal list of macOS applications. Run in that same terminal window after setting up iPhone Mirroring, it also returns personal iOS applications and their metadata.

The files we observed were all in the directory: 

/Users/<user>/Library/Daemon Containers/<uuid>/Data/Library/Caches/<app_name>

Those directories contain application bundles, but unlike a normal macOS application bundle, which contains the executable code as well as metadata such as icons, application name, dates, version and file descriptions, these are “app stubs” that contain only the metadata. For example, the iOS Watch.app is 83MB, but the Watch app stub on macOS is just 291KB.
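The following script is an added example for this post, not Sevco’s or Apple’s code. It takes a Spotlight application listing such as the mdfind output above and separates native macOS apps from the iPhone Mirroring app stubs by matching the Daemon Containers path layout shown above, which is the filter an inventory agent or an admin triaging collected data would want. The sample listing, user name, UUID and app names are constructed for the example; the live mode reuses the post’s mdfind query (without the grep, so both classes of app are seen).

```shell
#!/bin/sh
# Added example for this post (not Sevco's code and not Apple's): given a
# Spotlight application listing, separate native macOS apps from the iOS app
# stubs that iPhone Mirroring writes under the path observed in the post:
#   /Users/<user>/Library/Daemon Containers/<uuid>/Data/Library/Caches/<app>
# Anything under that layout is labelled "stub"; everything else "native".

# Reads one path per line on stdin; prints "<label><TAB><path>" per line.
classify_app_paths() {
  while IFS= read -r app_path; do
    case "$app_path" in
      */Library/"Daemon Containers"/*/Data/Library/Caches/*)
        printf 'stub\t%s\n' "$app_path" ;;
      *)
        printf 'native\t%s\n' "$app_path" ;;
    esac
  done
}

# Prints how many stubs appear in the listing on stdin (0 when none).
count_stubs() {
  classify_app_paths | awk -F '\t' '$1 == "stub" { n++ } END { print n + 0 }'
}

# Prints only the native entries, i.e. what an inventory collector should keep
# if it wants to avoid ingesting an employee's personal iPhone apps.
native_only() {
  classify_app_paths | awk -F '\t' '$1 == "native" { print $2 }'
}

# Constructed sample listing (hypothetical user, UUID and app names) that
# stands in for the output of the mdfind command shown in the post.
SAMPLE_LISTING='/Applications/Safari.app
/System/Applications/Mail.app
/Users/alice/Library/Daemon Containers/1C2F3A4B-0000-4000-8000-000000000001/Data/Library/Caches/Watch.app
/Users/alice/Library/Daemon Containers/1C2F3A4B-0000-4000-8000-000000000001/Data/Library/Caches/ExampleVPN.app'

# Live mode on a Mac: LIVE=1 sh filter_stubs.sh
# Needs a terminal with Full Disk Access, as the post notes. Without LIVE the
# script runs against the constructed sample so it works anywhere.
if [ -n "${LIVE:-}" ]; then
  mdfind "kMDItemContentTypeTree == com.apple.application" | classify_app_paths
else
  printf '%s\n' "$SAMPLE_LISTING" | classify_app_paths
  printf 'stubs in sample: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_stubs)"
fi
```

Running it in live mode before and after applying the macOS 15.1 update is a quick way to confirm the fix on a given Mac: per the update above, Spotlight should stop returning stub paths, even though the Daemon Containers directories themselves remain on disk and are still visible to a Full Disk Access terminal via a plain directory listing.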

The Bug

This is the privacy bug: iOS apps mirrored to your Mac populate the same application metadata as native macOS applications. 

We’re not Mac developers, but we are developers of complex systems and can see the elegance in iOS application metadata seamlessly integrating into the macOS application libraries. 

Maintaining a comprehensive software inventory is a foundational security and compliance requirement in just about every security program out there. Any security analyst who scrambled to triage the installed footprint of SolarWinds or log4j understands why it is important and the challenges with existing software inventory solutions. 

Because of that requirement, many enterprise endpoint security and IT agents collect the list of applications installed on each system to support those security programs, and those agents read the same Spotlight metadata that, as a result of this bug, now includes your personal iOS apps.

We’re a cloud dev team, not a Mac dev team, so that is about as deep as we have gone. As things develop, we’re sure a more complete picture will emerge. We will update this blog with references to more complete write-ups as they get published – follow us on LinkedIn to be notified. 

Timeline

  • Morning, Friday, Sept 27 – Sevco internal investigation shifted from “routine bug” to systemic issue.
  • Afternoon, Friday Sept 27 – confirmed iPhone Mirroring source, reported to Apple via privacy vulnerability reporting channels. Apple acknowledged receipt within an hour.
  • Wednesday, Sept 30 – provided Apple additional technical details on scope. Apple confirmed they reproduced the issue.
  • Thursday, Oct 3 – Apple confirmed intent to address the issue in an update coming soon.
  • Tuesday, Oct 8 – Sevco published this blog.

While responsible disclosure timelines are usually at least 30 days, we’ve decided to release this information now because we are watching the number of people and companies impacted grow with every day that passes. The biggest risk in this situation is to individuals in a potentially compromising situation, and their best defense is their own awareness. We appreciate Apple’s rapid response and urgency in addressing the issue. We will continue to monitor progress with Apple and inform you of any developments at the top of this blog.

About Sevco

Sevco is an enterprise security software company. The root cause of many security problems is the lack of reliable, comprehensive IT asset inventories. We built a product to help organizations understand their complete asset inventory of company-owned devices (or any device connected to the organization’s network in some way), identities, software, and vulnerabilities. This helps us help others solve problems like uncovering missing endpoint agents,  aggregating vulnerabilities from multiple sources into a single dashboard, prioritizing those vulnerabilities for remediation, and more.

For technical inquiries on any Apple products, please contact Apple support. 

For technical inquiries on your enterprise software products that may be collecting employee iOS apps via iPhone Mirroring, please contact those vendors.

For questions on Sevco and what we do, click here.
