Apple Fills iOS 8 Security Basket to Brim

Among the many ripples caused by Edward Snowden's decision to blow a whistle on the NSA is Apple's focus on security in iOS 8. The update makes Apple devices fortresses of security, more or less, but it does nothing to shore up the company's cloud. "Backed-up data in iCloud could still be turned over in the event of a government information request," noted Zscaler's Michael Sutton.

With data thefts and cybersnooping making headlines daily, security has started to capture the attention of the disciples of the digital lifestyle — and if the latest version of iOS is any indication, it’s catching the attention of Apple, too.

Along with nifty features like Hand Off and Family Sharing, iOS 8 contains a number of significant security and privacy enhancements. Among the most prominent is Apple’s decision to keep its hands off the passcode created by the owner of an iOS device — a decision that seems to be influenced by whistle-blower Edward Snowden’s revelations of rampant government snooping on U.S. citizens.

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode,” Apple’s newly minted privacy policy explains.

“Unlike our competitors,” it continues, “Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

Cracker Protection

The passcode is a key component in protecting the data on an iOS device. For example, it’s used to create entropy, or randomness, for encryption keys used to scramble data on the devices.

Because the passcode is so important to encryption on a device, Apple has made it even more difficult to crack the code by entangling it with a device’s UID code, a unique identifier unknown to anyone.

Although passwords of variable lengths and characters can be created for an iOS device, most owners use a four-digit code.

“A four-digit PIN is easy to exhaust,” Phil Zimmermann, author of one of the most widely used encryption systems in the world, PGP, told TechNewsWorld. “It’s only 10,000 possibilities. That’s ridiculously small.”

However, combining the PIN with the UID creates the kind of entropy that could take years to crack.

“If a crook takes the phone, Apple’s encryption is perfectly adequate to stop the crook,” Zimmerman said, “but if you’re attending a conference in Moscow and the FSB takes your phone away from you, it’s a different matter.”

Backdoor Fix?

As Apple made iOS 8 available for download this week, it further beefed up the software’s security by releasing 53 security patches for it out of the gate.

“Apple has a tendency to perform bulk security patching with OS upgrades, and iOS 8 didn’t disappoint,” said Michael Sutton, vice president of security research at Zscaler.

One of the more interesting patches in the batch modified “diagnostic capabilities” in iOS 8.

Although it’s not clear what those diagnostic changes are, “they come on the heels of denials that diagnostic capabilities exposed by security researcher Jonathan Zdziarski at the recent HOPE/X conference amounted to a backdoor,” Sutton told TechNewsWorld.

CEO Tim Cook posted a letter to the Apple website discrediting any notions that there were backdoors in his company’s products or services.

“We have never worked with any government agency from any country to create a backdoor in any of our products or services,” he wrote. “We have also never allowed access to our servers. And we never will.”

Apple did not respond to our request to comment for this story.

Hiding WiFi IDs

While governments seeking Apple’s help to crack their customers’ phones may be rebuffed, the same may not be true when they twist the company’s arm to turn over iCloud data.

“Backed-up data in iCloud could still be turned over in the event of a government information request,” Zscaler’s Sutton said.

Another security boost in iOS 8 is the way it handles MAC addresses in WiFi networks.

“While this isn’t something that most users will even be aware of, it will help to protect their privacy,” Sutton noted, “as WiFi network owners will no longer be able to track devices over time by identifying MAC addresses, which serve as unique device identifiers.”

Whenever software is upgraded and new features added, new security gaps can be created. That’s likely with iOS 8, too.

“App Extensions and the HealthKit and HomeKit developer tools may open some potential new security issues,” David Richardson, iOS product manager for Lookout, told TechNewsWorld.

In fact, release of the HealthKit tool already has been delayed by Apple because “bugs” were found in it.

With the release of iOS 8, Apple seems to want to change its security image.

“Apple is pushing security as a differentiator, attempting to show that they are making the protection of consumer data a top priority,” Sutton said.

Although Apple “was once extremely quiet about security,” he continued, “Apple marketing collateral now regularly touts security enhancements.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels