The iPhone Mirroring feature rolling out in macOS Sequoia and iOS 18 creates a privacy issue for employees, potentially exposing their private applications to corporate IT environments, vulnerability management firm Sevco reports.
On Macs with Apple silicon or the Apple T2 Security Chip that run macOS Sequoia 15 or later, users signed in with the same Apple account as on an iPhone with iOS 18 or later can control applications on the iPhone directly from their Mac.
“With iPhone Mirroring, you can wirelessly interact with your iPhone and its apps and notifications from your Mac. Your iPhone stays locked, so no one else can access it or use it to see what you’re doing,” Apple says.
According to Sevco, however, if an employee uses iPhone Mirroring to control their personal iPhone from a corporate Mac, their personal applications may become part of the organization’s software inventory and be exposed to the corporate IT department.
Not only would this represent a liability for organizations, as they would be potentially collecting private employee data, but it could also put employees at risk by exposing certain aspects of their personal lives.
“This could include exposing a VPN app in a country that restricts access to the internet, a dating app that reveals their sexual orientation in a jurisdiction with limited protections or legal consequences, or an app related to a health condition that an employee simply does not want to share,” Sevco explains.
According to the firm, its customers are already facing multiple instances of personal iOS applications from various vendors being reported as installed on Macs. In all cases, devices running macOS Sequoia and iOS 18 were at fault.
If iPhone Mirroring is used, macOS’s Spotlight search tool would index personal iOS applications and metadata alongside the normal list of macOS applications, showing app name, icon, date, and version, as well as other information.
Apple confirmed the issue after receiving Sevco’s bug report and told the company it would address it shortly with an upcoming software update.
“If this bug is not addressed, it may lead to violation of major privacy laws such as CCPA, potential litigation, and federal agency enforcement,” Sevco notes.
Employees are advised to refrain from using iPhone Mirroring on work computers, while companies should notify employees not to use the feature and should identify enterprise IT systems that collect software inventories and remove the collected private information.
“We expect Apple to patch macOS before long based on our conversations with them. When a patch becomes available, companies will need to apply the patch to stop collecting private employee data. After the patch is available, Sevco recommends that companies purge any mistakenly collected employee data to eliminate liability risk,” Sevco notes.