A privacy flaw has been identified in Apple’s new iPhone mirroring feature introduced in macOS 15.0 Sequoia and iOS 18.
The bug, discovered by Sevco’s cybersecurity experts, means that when personal apps on an iPhone are used on a work computer through mirroring, those apps could be listed in the company’s software inventory, raising serious privacy concerns for employees.
The issue is that iPhone mirroring integrates iOS app metadata into the macOS environment, allowing corporate IT to access metadata about personal applications, even though no actual app data is transferred.
The flaw could expose sensitive aspects of users’ private lives, such as their use of VPNs, dating apps, and health-related services, potentially exposing them to legal or social risks depending on their location.
This issue creates new liability risks for employers, including potential violations of privacy laws such as the California Consumer Privacy Act (CCPA). If this data is not managed correctly, companies can inadvertently collect personal data and face legal liability.
Sevco has reported this issue to Apple. Apple is aware of the issue and is actively working on a fix. In the meantime, Sevco advises businesses to disable iPhone mirroring on work devices and instruct employees not to use the feature in professional settings.
Impact on companies and employees
This vulnerability affects employees who use iPhone mirroring on their work computers and could cause the following:
- Corporate liability under privacy laws such as CCPA
- Confidential employee information is accidentally leaked
- Potential breach of employee trust and privacy
The problem, said Jason Soroko, a senior researcher at Sectigo, is that iPhone mirroring doesn’t separate personal app metadata from the corporate software inventory.
“Although app data is not shared, the mere presence of certain apps, such as health services or dating services, can potentially expose sensitive personal information. It’s metadata about the presence of an application on the iPhone,” Soroko said.
John Bambenek, president of Bambenek Consulting, echoed Soroko’s point, saying that Apple’s ecosystem design, which encourages data syncing across devices, exacerbates the problem when personal accounts are linked to business hardware.
“The problem is when your personal accounts are on business hardware, which is very tempting just to sync your keychain,” Bambenek warned.
He recommended that privacy-conscious users move personal apps away from work devices or use virtual machines to maintain separation.
Immediate measures for companies
To reduce risk, Sevco suggests the following actions:
- Disable iPhone mirroring on your work computer
- Instruct employees not to use this feature on company devices
- Review your company’s IT systems to prevent the accidental collection of personal data
Apple will soon release a patch to address this vulnerability. Once a fix is available, companies should immediately implement it and delete any data collected in error to eliminate potential legal exposure.