One of the new features of iOS 18 and macOS Sequoia is iPhone Mirroring – but using this with a personal iPhone on a work Mac currently creates a privacy risk for employees, and a legal risk for businesses.
The problem, as cybersecurity company Sevco discovered, is that apps on the iPhone get treated as Mac apps, and that means their presence is included in corporate IT audits …
How iPhone Mirroring treats apps
Sevco found that when iPhone Mirroring is used, any iPhone app you run creates an entry in the Mac's Library folder at this path:
/Users/<user>/Library/Daemon Containers/<uuid>/Data/Library/Caches/<app_name>
That is, the Mac treats them as if they were Mac apps.
This means that when companies run automated audits across their network to check that every app on their Macs is properly authorized and licensed, the iPhone apps show up in the results alongside the Mac apps.
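To make the exposure concrete, here is an added example (not code from the article, from Sevco or from Apple) that relies only on the path pattern quoted above. It lets an employee see which personal apps a filesystem-based inventory would surface, and gives an IT team a filter to keep those entries out of the corporate audit. The sample directory tree it builds is constructed for the demo, and the container UUID and app names are placeholders.

```python
"""Find iPhone Mirroring app-cache entries on a Mac.

Added example, not code from the article, Sevco or Apple. It relies only
on the path pattern the article quotes:

    /Users/<user>/Library/Daemon Containers/<uuid>/Data/Library/Caches/<app_name>

Two uses: an employee can run it to see which personal apps a
filesystem-based inventory would surface, and an IT team can pass its
inventory paths through partition_inventory() so the corporate audit
reports only genuine Mac apps. The sample tree built by
build_sample_home() is constructed for the demo; the UUID and app
names are placeholders.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

UUID = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"

# Anchored regex for the path pattern quoted in the article.
MIRROR_CACHE_RE = re.compile(
    r"^/Users/[^/]+/Library/Daemon Containers/" + UUID +
    r"/Data/Library/Caches/(?P<app>[^/]+)"
)
UUID_RE = re.compile(r"^" + UUID + r"$")


def mirrored_app_name(path: str) -> Optional[str]:
    """Return the mirrored iPhone app's name if `path` matches the pattern, else None."""
    m = MIRROR_CACHE_RE.match(path)
    return m.group("app") if m else None


def list_mirrored_apps(home: Path) -> List[str]:
    """Walk <home>/Library/Daemon Containers/<uuid>/Data/Library/Caches and list app names."""
    base = home / "Library" / "Daemon Containers"
    if not base.is_dir():
        return []
    names = set()
    for container in base.iterdir():
        if not UUID_RE.match(container.name):
            continue  # not a daemon container directory, so not a mirrored app
        caches = container / "Data" / "Library" / "Caches"
        if caches.is_dir():
            names.update(p.name for p in caches.iterdir())
    return sorted(names)


def partition_inventory(paths: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split raw inventory paths into (Mac app paths, mirrored iPhone app names).

    An audit pipeline should report only the first list.
    """
    mac_paths, mirrored = [], set()
    for p in paths:
        app = mirrored_app_name(p)
        if app:
            mirrored.add(app)
        else:
            mac_paths.append(p)
    return mac_paths, sorted(mirrored)


def build_sample_home() -> Path:
    """Create a constructed home directory that mimics the layout from the article."""
    home = Path(tempfile.mkdtemp()) / "Users" / "alice"
    containers = home / "Library" / "Daemon Containers"
    # Placeholder container UUID and constructed app names.
    caches = containers / "12345678-1234-1234-1234-123456789abc" / "Data" / "Library" / "Caches"
    for app in ("com.example.vpn", "com.example.health"):
        (caches / app).mkdir(parents=True)
    # A sibling directory whose name is not a UUID must be ignored.
    (containers / "not-a-container" / "Data" / "Library" / "Caches" / "ignored").mkdir(parents=True)
    return home


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run both checks against the constructed tree; returns (found, mac_paths, mirrored)."""
    home = build_sample_home()
    found = list_mirrored_apps(home)
    inventory = [  # constructed inventory lines as an audit tool might collect them
        "/Applications/Safari.app",
        "/Users/alice/Library/Daemon Containers/12345678-1234-1234-1234-123456789abc/Data/Library/Caches/com.example.vpn",
        "/Users/alice/Library/Daemon Containers/12345678-1234-1234-1234-123456789abc/Data/Library/Caches/com.example.health",
    ]
    mac_paths, mirrored = partition_inventory(inventory)
    return found, mac_paths, mirrored


if __name__ == "__main__":
    print(demo())
```

On a real Mac, `list_mirrored_apps(Path.home())` shows the names an inventory tool would see; `partition_inventory` is the filter an audit pipeline can apply to its raw path list until Apple's fix ships.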
The privacy and legal risks
For iPhone users, that creates a potential privacy risk, because your employer will be able to see your iPhone apps. To be clear, they can’t see the data in them, but Sevco says even knowing which apps you use could have serious implications.
For iPhone users, this Apple bug is a major privacy risk because it can expose aspects of their personal lives that they don’t want to share or that could put them at risk. This could include exposing a VPN app in a country that restricts access to the internet, a dating app that reveals their sexual orientation in a jurisdiction with limited protections or legal consequences, or an app related to a health condition that an employee simply does not want to share. The consequences of such data exposure may be severe.
It also creates a potential legal minefield for businesses.
For companies, this bug represents a new data liability from potentially collecting private employee data. If this bug is not addressed, it may lead to violation of major privacy laws such as CCPA, potential litigation, and federal agency enforcement.
In Europe, it would almost certainly contravene GDPR privacy requirements.
Apple is working on a fix; disclosure couldn’t wait
This is not intended behavior, and Apple is working on a fix.
Usually, a security company would wait for the fix to be pushed before it reveals the details, but Sevco said it felt that it couldn’t do so this time.
While typical responsible disclosure timelines are usually at least 30 days, we’ve decided to release this information now because we are watching the number of people and companies impacted grow with every day that passes. The biggest risk in this situation is to individuals in a potentially compromising situation and their best defense is their own awareness. We appreciate Apple’s rapid response and urgency addressing the issue.
Image: 9to5Mac collage of images from Apple and J Lee on Unsplash