iPhone Mirroring Flaw Could Expose Employee Personal Information
2024-10-9 16:50:7 Author: securityboulevard.com

A flaw in Apple’s mirroring feature within the iOS 18 and macOS Sequoia software updates compromises personal privacy when used on work Macs, according to a report from Sevco Security.

Personal iPhone apps become visible to the company’s IT department, as mirrored apps are cataloged like native macOS apps.

While app data isn’t shared, the mere presence of certain apps like health or dating services can reveal sensitive personal information.

The Sevco report warned that if this bug is not addressed, it may lead to violation of privacy laws such as the California Consumer Privacy Act (CCPA), potential litigation and federal agency enforcement.

The company noted it had alerted Apple, which confirmed the bug and said it is working on a fix.

Jason Soroko, senior fellow at Sectigo, explained the issue arises because the mirroring feature doesn’t adequately separate personal app metadata from corporate software inventories.

“In environments where device monitoring is standard, employees risk unintended exposure of their personal app usage,” he said.

Soroko said to mitigate this risk, iPhone owners should avoid using mirroring on work devices.

“Companies should revise policies to address this vulnerability, and Apple must implement stricter data segregation to protect user privacy in mixed-use settings,” he added.

Compliance, Legal Issues Arise

Chris Strand, global general manager of compliance for Sevco, said that from a compliance standpoint, many legal complications could arise from an indirect compliance failure tied to the iPhone Mirroring bug, which could compound liability for employers.

“The CCPA is a perfect example as data exposure — explicit or indirect — is heavily scrutinized and can create a case for an individual who’s the data owner,” he said.

Because of the data protections written into the CCPA, the employee has the right to require that the employer prove that the data exposure was not caused by the employer's negligence.

This is built into the protections around a consumer’s right to have a company disclose every instance of their data.

“In this case, it would be on the employer to prove that the exposure is not from the iPhone Mirroring bug,” Strand explained.

He said that under many data protection and consumer data protection laws, including the CCPA, this bug makes employee litigation considerably more likely.

Personal Data on BYOD Devices

John Bambenek, president at Bambenek Consulting, explained the Apple ecosystem is designed to sync data to a wide variety of devices belonging to the same iCloud account.

“The problem is when personal accounts are on business hardware, which is very tempting just for the Keychain to be synced,” he said.

For those who are privacy conscious, it means keeping personal stuff off business assets or running business apps inside a VM instead to keep the lines separate.

Sevco researcher Craig Carson said that to protect employee privacy while securing corporate data in a bring your own device (BYOD) environment, the best practice is to maintain a clear separation between personal and work-related devices.

“It’s essential to avoid intermingling the two — employees should not use work computers for personal tasks, and ideally, they should have a separate mobile device for work,” he said.

He explained this approach helps minimize risks associated with mixing sensitive corporate data with personal information.

As outlined in NIST SP1800-22, organizations should aim to “separate organizational and personal information,” as allowing corporate data on personal devices introduces vulnerabilities by moving data outside of secure networks.

“At the same time, employees’ personal data may be at risk of being captured by corporate systems,” Carson cautioned.

NIST suggests mitigating this risk by restricting the flow of information between managed (work-related) and unmanaged (personal) applications. This ensures sensitive corporate data remains protected while maintaining employee privacy.

However, Carson noted that this approach is not always practical, as many employees are resistant to carrying two devices.

For such cases, mobile device management (MDM) tools offer a middle ground, allowing companies to secure corporate data on personal devices while giving employees the option to opt out of sharing personal data with their employers.

“Opting out was not a possibility with this iPhone Mirroring privacy vulnerability because no one realized that personal data was being shared,” Carson said.

Source: https://securityboulevard.com/2024/10/iphone-mirroring-flaw-could-expose-employee-personal-information/