
Posts tagged with "security"

Are AirTags Causing Stalking or Making Us More Aware of It?

The problem of AirTags being used to stalk people has been in the news ever since they were released last spring, but a recent story in The New York Times has brought the issue to the forefront again. AirTags are fantastic when used as intended to keep track of your keys, luggage, and other personal items, but stalking is a serious problem that Apple should do everything it can to prevent.

Apple is also in a unique position given the vast size of its Find My network, which puts the company in a different league from competitors like Tile and carries greater responsibility with it.

In a story on Peer Reviewed, Matt VanOrmer puts a finger on something I’ve been wondering for a while: Are AirTags contributing to the problem of stalking or merely making us more aware of it because of the unique stalking countermeasures built into the device? It’s a classic causation/correlation question that is worth reflecting on. As VanOrmer explains:

I think the increase in news stories about AirTag stalking situations is less indicative of AirTags causing more stalking, and more indicative of how frequently stalkings already occur — with AirTags’ anti-stalking features simply bringing more of these horrible situations to light. These stories may be a classic example of the Baader-Meinhof phenomenon (AKA the “Frequency Illusion”) — in which increased awareness of creeps using AirTags to stalk women creates the illusion that it is happening more often, or even that AirTags are responsible for this illusory increase in incidence.

As VanOrmer rightly points out, Apple should do everything it can to prevent AirTags from being used to track people, which includes improving the tools available to Android users, for whom Apple has made an app that is generally viewed as insufficient. This is also a topic where added transparency about what Apple is doing to address stalking concerns would help observers decide whether it’s enough, instead of leaving them with only anecdotal news reports to go on. Moreover, given the wide-reaching impact of the Find My network, which affects people who aren’t even Apple customers, I think a third-party audit of how Apple is handling the security and privacy implications of AirTags is warranted.


Apple Updates Its Platform Security User Guide

Yesterday, Apple updated its Platform Security User Guide to cover new hardware and software features on its platforms. The guide is broken down into hardware security, system security, encryption and data protection, app security, services security, network security, development kit security, and secure device management sections that cover every aspect of Apple’s platforms.

Many of the latest updates to the guide hinge on aspects of Apple silicon, as the introduction to the user guide explains:

Apple continues to push the boundaries of what’s possible in security and privacy. This year Apple devices with Apple SoCs across the product lineup from Apple Watch to iPhone and iPad, and now Mac, utilize custom silicon to power not only efficient computation, but also security. Apple silicon forms the foundation for secure boot, Touch ID and Face ID, and Data Protection, as well as system integrity features never before featured on the Mac including Kernel Integrity Protection, Pointer Authentication Codes, and Fast Permission Restrictions. These integrity features help prevent common attack techniques that target memory, manipulate instructions, and use JavaScript on the web. They combine to help make sure that even if attacker code somehow executes, the damage it can do is dramatically reduced.

New material is spread throughout the guide, adding security details about items like the company’s new M1 chips, the boot process of M1 Macs, the new iOS car key feature, and Safari’s password monitoring feature that lets you know when a password you use has been compromised, among many others. For a full list of what has been added to and changed in the Platform Security User Guide, the guide includes a comprehensive revision history. If you’ve ever wondered how the security of an Apple platform feature is implemented, the Platform Security User Guide is an excellent place to start your research.


Apple and Privacy in 2020: Wide-Reaching Updates with Minimal User Intrusion

Privacy has increasingly become a competitive advantage for Apple. The bulk of the company’s revenue comes from hardware sales, in stark contrast to competitors like Google, which depend heavily on ad revenue and thus benefit tremendously from collecting user data. Apple calls privacy one of its core values, and the structure of its business makes it easier to hold true to that value. But that doesn’t mean its privacy work is easy or without cost – behind the huge number of privacy enhancements this year was surely significant effort, and resources that could have been directed elsewhere. The company’s privacy discourse isn’t empty marketing speak; it’s product-shaping. Not only that, but thanks to Apple’s enormous influence in tech, it can be industry-shaping too, forcing companies that otherwise may not prioritize user privacy to do business differently.

This year in its WWDC keynote, Apple dedicated an entire section of the presentation to privacy, detailing its latest efforts within the framework of what it calls its four privacy pillars:

  • On-device processing
  • Data minimization
  • Security protections
  • Transparency and control

Evidence of each of these pillars can be seen throughout much of what Apple announced during the rest of the keynote. On-device processing, for example, powers the new Translate app in iOS 14, HomeKit Secure Video’s face recognition feature, and more. New security protections have been implemented to warn you if a Keychain password’s been compromised, and to enable Sign In with Apple for existing in-app accounts, both of which make your accounts more secure. But the majority of this year’s most prominent privacy updates fell under the remaining two core pillars: data minimization and transparency and control.

Here are the privacy-focused changes you’ll see this fall across iOS and iPadOS 14 and macOS Big Sur.



Apple Shares Open Source Resources for Password Manager Apps

Today on Apple’s developer site, the company announced the release of new resources for password manager apps:

Apple has created a new open source project to help developers of password managers collaborate to create strong passwords that are compatible with popular websites. The Password Manager Resources open source project allows you to integrate website-specific requirements used by the iCloud Keychain password manager to generate strong, unique passwords. The project also contains collections of websites known to share a sign-in system, links to websites’ pages where users change passwords, and more.

The open source project can be accessed on GitHub.

Apple has continually deepened its investment in the area of password management with iCloud Keychain upgrades in recent years and new APIs for third-party apps. Today’s announcement takes things a step further down the path of openness and collaboration, enabling apps to share important site-specific information with one another so that users have the best, most secure experience possible no matter their choice of password manager.


Apple Responds to The New York Times’ Story on the Removal of Parental Control Apps from the App Store

Yesterday, The New York Times published a story drawing on interviews from makers of parental control apps that had been removed from the App Store or modified at Apple’s insistence. The third-party apps monitored kids’ screen time and limited their access to apps – functionality similar to the Screen Time feature built into iOS 12. The Times suggested the timing of the removals was not a coincidence:

Shortly after announcing its new tools, Apple began purging apps that offered similar services.

The Times also notes that Spotify has complained to EU regulators about Apple, and says other unnamed competitors claim the company is abusing its power to harm them.

Today, Apple responded to the Times’ story on the company’s Newsroom website in a piece titled ‘The facts about parental control apps’:

We recently removed several parental control apps from the App Store, and we did it for a simple reason: they put users’ privacy and security at risk. It’s important to understand why and how this happened.

Apple explains that the apps in question were using Mobile Device Management (MDM), which is typically used by enterprises to control employees’ iOS devices. However, MDM poses serious security risks when used in consumer apps from third parties. According to Apple:

Parents shouldn’t have to trade their fears of their children’s device usage for risks to privacy and security, and the App Store should not be a platform to force this choice. No one, except you, should have unrestricted access to manage your child’s device.

In response to the broader suggestion that it was removing apps for competitive reasons, Apple says:

Apple has always supported third-party apps on the App Store that help parents manage their kids’ devices. Contrary to what The New York Times reported over the weekend, this isn’t a matter of competition. It’s a matter of security.

In this app category, and in every category, we are committed to providing a competitive, innovative app ecosystem. There are many tremendously successful apps that offer functions and services similar to Apple’s in categories like messaging, maps, email, music, web browsers, photos, note-taking apps, contact managers and payment systems, just to name a few. We are committed to offering a place for these apps to thrive as they improve the user experience for everyone.

Regardless of its intent, every action Apple takes can have significant economic consequences for its competitors. In that environment, it’s not surprising that stories like the one in the Times are published. It’s the framing of the story – that this is one example of anticompetitive behavior among many – that likely drove the prompt response. Apple has made it clear that services revenue is important to the company’s future, and I suspect it did not want to go into its earnings call Tuesday without having addressed the Times’ story.


Apple Answers Two-Factor Authentication Questions Raised by Developers

A week ago, Apple sent an email to developers announcing that it would require two-factor authentication for all developer accounts beginning February 27, 2019. The message linked to an Apple two-factor authentication support page that applies to all Apple IDs. The trouble was, the support page didn’t answer many of the developer-specific questions that were immediately raised.

The concern I’ve heard voiced most often by developers is whether someone who logs into their developer account with one Apple ID would be able to do so from an Apple device that is signed in with a different Apple ID. Today, Apple published a new support page answering this and many other questions. Specifically with respect to the two-Apple ID scenario, Apple’s FAQ-style support page says:

Will I need a trusted device dedicated to my Apple Developer account if I enable two-factor authentication?

No. You’ll need to use a trusted device to enable two-factor authentication for the first time. However, you can use the same trusted device for multiple Apple IDs that are enabled for two-factor authentication. Additionally, if you do not have access to your trusted device, you can get your verification code via SMS or phone call. When possible, you should use a trusted device to increase security and streamline the process.

The document covers many other situations as well, including:

  • How to check if you have two-factor authentication enabled
  • Configuring an iOS device or Mac to accept authentication codes for multiple Apple IDs
  • Enabling multiple trusted phone numbers that can receive authentication codes

The support page concludes with a link to a contact form for Apple’s developer team to raise any other circumstances that prevent a developer from enabling two-factor authentication.

Although it would have been better if this level of detail had been published when Apple’s initial email went out to developers last week, the company has clearly heard the concerns raised by the developer community and has put together a thorough explanation that should address most situations. By answering the most common questions, Apple Developer Relations will hopefully be freed up to deal with any outlier issues that aren’t addressed in its support documentation.


How iOS Makes Good Password Practices Easier for Users

We’ve all been there. You’re signing up for a new service or creating an account for a new app, and you’re asked to pick a password. You know you should use a strong, random password, but in a rush to get started, you take the easy path and choose a weak, memorable password instead because it’s the path of least resistance.

Apple has been pushing back against those bad habits with new iOS features designed to combat password reuse by flipping the calculus on its head. In an excellent presentation given at PasswordsCon 2018 in Stockholm, Sweden last week, Apple engineer Ricky Mondello explains the iCloud Keychain features implemented in iOS since iOS 11 and the thinking behind them. He also provides tips and resources for web and app developers who want to integrate better with those features.

What I especially like about Mondello’s talk is the insight into the thought and effort that’s gone into making good passwords easy to create. It’s not something I’ve thought about much before, which I take as a sign that Apple’s Safari and iCloud Keychain engineers are succeeding.

The presentation is also fascinating from a design and user experience standpoint. As Mondello explains, people are ill-suited to create and remember random passwords. It’s a problem that’s right in a computer’s wheelhouse, but one that also requires users’ trust and an understanding of their habits to solve.

I recommend watching Mondello’s talk. There are a lot of interesting implementation details throughout the talk and insights into the thinking behind them, which are approachable whether you have a background in the topics covered or not.


Apple Strongly Refutes Bloomberg Report That Its Servers Were Compromised by Malicious Chips

Earlier today, Bloomberg published a story claiming that Apple and Amazon discovered tiny, malicious chips on Elemental network servers built by Super Micro. According to the story, the chips were the work of Chinese spies and designed to infiltrate the tech companies’ networks. Shortly after publication, Apple responded in an email statement strongly refuting Bloomberg’s account.

Amazon’s chief information security officer similarly discredited the claims, saying in part:

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.

A short time ago, Apple elaborated on its initial statement to Bloomberg on its Newsroom website:

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.

Topsy is a startup that Apple acquired in 2013.

For over 12 months, Apple says it repeatedly told Bloomberg reporters and editors that they and their sources were incorrect.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

Security and privacy are cornerstones of Apple’s business that it uses to differentiate the company’s products from competitors’, so the fact that the company takes this sort of claim seriously isn’t unusual. This also isn’t the first time Apple has taken Bloomberg to task on the veracity of its reporting. However, the forcefulness of the responses from Apple and Amazon, followed by Apple’s press release on its Newsroom site, is unprecedented. It will be interesting to see whether Bloomberg responds.


A Redesigned 1Password 7 for Mac Enhances Watchtower and Adds Flexibility to Vaults, App Login Support, and More

AgileBits has released 1Password 7 for Mac, a significant update that is free to subscribers but also available as a standalone download. I’ve used 1Password since I started using a Mac. The app has always been the best way to store passwords for websites, and for years, that’s primarily how I’ve thought of it.

There’s been more to 1Password than just password storage for a while now, though, and what sets this update apart is the depth of those other features and the ease with which they can be incorporated into your everyday computing life. That’s important because it doesn’t take much friction for someone to get lazy about security.

1Password 7 is a comprehensive update that touches every corner of the app. The app will still be familiar to long-time users, but features like Watchtower and Vaults have been extended with new capabilities that are worth exploring if you haven’t in a while. 1Password also works better than ever with app logins. There are dozens of other changes, big and small, that along with a design refresh make 1Password 7 an excellent update.
