A privacy flaw in Apple’s new iPhone mirroring feature, introduced with macOS 15.0 Sequoia and iOS 18, has been identified.
This bug, discovered by cybersecurity experts at Sevco, enables personal apps on an iPhone to be listed in a company’s software inventory when the feature is used on work computers, creating a significant privacy concern for employees.
The issue stems from how iPhone mirroring integrates iOS app metadata into the macOS environment, allowing corporate IT departments to access metadata about personal applications, although no actual app data is transferred.
This flaw could expose sensitive aspects of a user’s personal life, including their use of VPNs, dating apps or health-related services, potentially putting them at legal or social risk, depending on their location.
For employers, this issue presents new liability risks, including possible violations of privacy laws such as the California Consumer Privacy Act (CCPA). Companies could inadvertently collect private data and face legal consequences if this data is not managed correctly.
Sevco reported the issue to Apple, which acknowledged the problem and is actively working on a fix. In the meantime, Sevco advises companies to disable iPhone mirroring on work devices and instruct employees to avoid using this feature in professional settings.
Implications for Businesses and Employees
The vulnerability, which affects employees who use iPhone mirroring on work computers, could lead to:
- Legal liability for companies under privacy laws like CCPA
- Accidental exposure of sensitive employee information
- Potential breaches of employee trust and privacy
According to Jason Soroko, a senior fellow at Sectigo, the issue lies in how iPhone mirroring fails to separate personal app metadata from corporate software inventories.
“While app data isn’t shared, the mere presence of certain apps like health or dating services can reveal sensitive personal information. What is being shared is the metadata about the presence of applications on the mirrored iPhone,” Soroko said.
John Bambenek, president of Bambenek Consulting, echoed Soroko’s point, further highlighting that the Apple ecosystem design, which encourages data syncing across devices, exacerbates the issue when personal accounts are linked to business hardware.
“The problem is when personal accounts are on business hardware, which is very tempting just for the Keychain to be synced,” Bambenek warned.
He recommended that privacy-conscious users keep personal apps off work devices or use virtual machines to maintain separation.
Immediate Steps for Companies
To mitigate risks, Sevco suggests the following actions:
- Disable iPhone mirroring on work computers
- Instruct employees to avoid using the feature on company devices
- Review enterprise IT systems to prevent accidental collection of personal data
Apple is expected to release a patch soon to address this vulnerability. Once the fix is available, companies should ensure it is implemented immediately and delete any mistakenly collected data to eliminate potential legal exposure.
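The last two steps above, reviewing inventory systems for mirrored iPhone app records and deleting anything collected by mistake, can be scripted. The Python below is an added example, not Sevco's tooling or anything from the article, and it assumes an inventory export shaped as a list of records with "host", "name", "bundle_id", "path" and "platform" keys, and that mirrored iOS apps can be recognised either by a "platform" value of "iOS" or by an install path under a per-user Library/Daemon Containers directory; both the record layout and the path heuristic are assumptions, as are the sample records. The audit trail it produces deliberately records only how many mirrored entries each host had, not which apps, so the clean-up does not re-collect the data it is removing.

```python
"""Flag and purge iPhone-mirrored app records from a macOS software inventory export.

Added example; the record layout, the path heuristic and the sample data
are all assumptions, not facts from the article or from Sevco.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample export: two Mac apps and two mirrored iOS apps on one host,
# one Mac app on another. Names and bundle ids are made up.
SAMPLE_INVENTORY: List[dict] = [
    {"host": "mac-042", "name": "Chat Client", "bundle_id": "com.example.chat",
     "path": "/Applications/Chat Client.app", "platform": "macOS"},
    {"host": "mac-042", "name": "Spreadsheet", "bundle_id": "com.example.sheets",
     "path": "/Applications/Spreadsheet.app", "platform": "macOS"},
    # Mirrored iOS app reported with an explicit platform field.
    {"host": "mac-042", "name": "Dating App", "bundle_id": "com.example.dating",
     "path": "/Users/jane/Library/Daemon Containers/0A1B2C3D/Data/Library/Caches/Dating App.app",
     "platform": "iOS"},
    # Mirrored iOS app where the agent left platform blank; only the path gives it away.
    {"host": "mac-042", "name": "Health Tracker", "bundle_id": "com.example.health",
     "path": "/Users/jane/Library/Daemon Containers/0A1B2C3D/Data/Library/Caches/Health Tracker.app",
     "platform": ""},
    {"host": "mac-077", "name": "Editor", "bundle_id": "com.example.editor",
     "path": "/Users/bob/Applications/Editor.app", "platform": "macOS"},
]


def _under_user_daemon_container(path: str) -> bool:
    """Assumed heuristic: /Users/<user>/Library/Daemon Containers/... holds mirrored iOS apps."""
    parts = path.strip("/").split("/")
    return (len(parts) >= 4 and parts[0] == "Users"
            and parts[2] == "Library" and parts[3] == "Daemon Containers")


def is_mirrored_ios_app(record: dict) -> bool:
    """True if the record looks like an iOS app surfaced through iPhone Mirroring."""
    if str(record.get("platform", "")).strip().lower() == "ios":
        return True
    return _under_user_daemon_container(str(record.get("path", "")))


def scrub_inventory(records: List[dict]) -> Tuple[List[dict], Dict[str, int]]:
    """Return (records safe to keep, per-host count of purged mirrored entries).

    The audit dict holds counts only: app names and bundle ids are dropped so the
    clean-up itself does not retain the sensitive metadata.
    """
    clean: List[dict] = []
    audit: Dict[str, int] = {}
    for rec in records:
        if is_mirrored_ios_app(rec):
            host = str(rec.get("host", "<unknown>"))
            audit[host] = audit.get(host, 0) + 1
        else:
            clean.append(rec)
    return clean, audit


def hosts_needing_mirroring_disabled(audit: Dict[str, int]) -> List[str]:
    """Hosts where mirrored entries were found are the ones still running the feature."""
    return sorted(audit)


if __name__ == "__main__":
    kept, purged = scrub_inventory(SAMPLE_INVENTORY)
    print(json.dumps({"kept": len(kept), "purged_per_host": purged,
                      "disable_mirroring_on": hosts_needing_mirroring_disabled(purged)},
                     indent=2))
```

Run it against a real export by replacing SAMPLE_INVENTORY with the parsed output of your inventory tool; the clean list is what should be written back, and the per-host counts double as the list of machines where the feature still needs to be switched off.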