THIS WEEK'S SPONSOR:

Prizmo 5

The Pro Scanner App with Powerful Editing Capabilities


Posts tagged with "security"

Apple Responds to The New York Times’ Story on the Removal of Parental Control Apps from the App Store

Yesterday, The New York Times published a story drawing on interviews from makers of parental control apps that had been removed from the App Store or modified at Apple’s insistence. The third-party apps monitored kids’ screen time and limited their access to apps – functionality similar to the Screen Time feature built into iOS 12. The Times suggested the timing of the removals was not a coincidence:

Shortly after announcing its new tools, Apple began purging apps that offered similar services.

The Times also notes that Spotify has complained to EU regulators about Apple, and says other unnamed competitors claim the company is abusing its power to harm them.

Today, Apple responded to the Times’ story on the company’s Newsroom website in a piece titled ‘The facts about parental control apps’:

We recently removed several parental control apps from the App Store, and we did it for a simple reason: they put users’ privacy and security at risk. It’s important to understand why and how this happened.

Apple explains that the apps in question were using Mobile Device Management, which is typically used by enterprises to control employees’ iOS devices. However, MDM poses serious security risks when used in consumer apps from third parties. According to Apple:

Parents shouldn’t have to trade their fears of their children’s device usage for risks to privacy and security, and the App Store should not be a platform to force this choice. No one, except you, should have unrestricted access to manage your child’s device.

In response to the broader suggestion that it was removing apps for competitive reasons, Apple says:

Apple has always supported third-party apps on the App Store that help parents manage their kids’ devices. Contrary to what The New York Times reported over the weekend, this isn’t a matter of competition. It’s a matter of security.

In this app category, and in every category, we are committed to providing a competitive, innovative app ecosystem. There are many tremendously successful apps that offer functions and services similar to Apple’s in categories like messaging, maps, email, music, web browsers, photos, note-taking apps, contact managers and payment systems, just to name a few. We are committed to offering a place for these apps to thrive as they improve the user experience for everyone.

Regardless of its intent, every action Apple takes can have significant economic consequences to its competitors. In that environment, it’s not surprising that stories like the one in the Times are published. It’s the framing of the story – that this is one example of anticompetitive behavior of many – that likely drove the prompt response. Apple has made it clear that services revenue is important to the company’s future, and I suspect it did not want to go into its earnings call Tuesday without having addressed the Times’ story.


Apple Answers Two-Factor Authentication Questions Raised by Developers

A week ago, Apple sent an email to developers announcing that it would require two-factor authentication for all developer accounts beginning February 27, 2019. The message linked to an Apple two-factor authentication support page that applies to all Apple IDs. The trouble was, the support page didn’t answer many of the developer-specific questions that were immediately raised.

The concern I’ve heard voiced most often by developers is whether someone who uses one Apple ID to log into their developer account would be able to do so using an Apple device that is logged in using a different Apple ID. Today, Apple published a new support page answering this and many other questions. Specifically with respect to the two-Apple ID scenario, Apple’s FAQ-style support page says:

Will I need a trusted device dedicated to my Apple Developer account if I enable two-factor authentication?

No. You’ll need to use a trusted device to enable two-factor authentication for the first time. However, you can use the same trusted device for multiple Apple IDs that are enabled for two-factor authentication. Additionally, if you do not have access to your trusted device, you can get your verification code via SMS or phone call. When possible, you should use a trusted device to increase security and streamline the process.

The document covers many other situations as well including:

  • How to check if you have two-factor authentication enabled
  • Configuring an iOS device or Mac to accept authentication codes for multiple Apple IDs
  • Enabling multiple trusted phone numbers that can receive authentication codes

The support page concludes with a link to a contact form for Apple’s developer team to raise any other circumstances that prevent a developer from enabling two-factor authentication.

Although it would have been better if this level of detail was published when Apple’s initial email went out to developers last week, the company has clearly heard the concerns raised by the developer community and has put together a thorough explanation that should address most situations. By answering the most common questions, Apple Developer Relations will hopefully be freed up to deal with any outlier issues that aren’t addressed in its support documentation.


How iOS Makes Good Password Practices Easier for Users

We’ve all been there. You’re signing up for a new service or creating an account for a new app, and you’re asked to pick a password. You know you should use a strong, random password, but in a rush to get started, you take the easy path and choose a weak, memorable password instead because it’s the path of least resistance.

Apple has been pushing back against those bad habits with new iOS features designed to combat password reuse by flipping the calculus on its head. In an excellent presentation given at PasswordsCon 2018 in Stockholm, Sweden last week, Apple engineer Ricky Mondello explains the iCloud Keychain features implemented in iOS since iOS 11 and the thinking behind them. He also provides tips and resources for web and app developers who want to integrate better with those features.

What I especially like about Mondello’s talk is the insight into the thought and effort that’s gone into making good passwords easy to create. It’s not something I’ve thought about much before, which I take as a sign that Apple’s Safari and iCloud Keychain engineers are succeeding.

The presentation is also fascinating from a design and user experience standpoint. As Mondello explains, people are ill-suited to create and remember random passwords. It’s a problem that’s right in a computer’s wheelhouse, but one that also requires users’ trust and an understanding of their habits to solve.

I recommend watching Mondello’s talk. There are a lot of interesting implementation details throughout the talk and insights into the thinking behind them, which are approachable whether you have a background in the topics covered or not.

Permalink

Apple Strongly Refutes Bloomberg Report That Its Servers Were Compromised by Malicious Chips

Earlier today, Bloomberg published a story claiming that Apple and Amazon discovered tiny, malicious chips on Elemental network servers built by Super Micro. According to the story, the chips were the work of Chinese spies and designed to infiltrate the tech companies’ networks. Shortly after publication, Apple responded in an email statement strongly refuting Bloomberg’s account.

Amazon’s chief information security officer similarly discredited the claims saying in part:

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.

A short time ago, Apple elaborated on its initial statement to Bloomberg on its Newsroom website:

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.

Topsy is a startup that Apple acquired in 2013.

For over 12 months, Apple says it repeatedly told Bloomberg reporters and editors that they and their sources were incorrect.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

Security and privacy are cornerstones of Apple’s business that it uses to differentiate the company’s products from competitors’, so the fact that the company takes this sort of claim seriously isn’t unusual. This also isn’t the first time Apple has taken Bloomberg to task on the veracity of its reporting. However, the forcefulness of the responses from Apple and Amazon, followed by Apple’s press release on its Newsroom site is something that is unprecedented. It will be interesting to see whether Bloomberg responds.


A Redesigned 1Password 7 for Mac Enhances Watchtower and Adds Flexibility to Vaults, App Login Support, and More

AgileBits has released 1Password 7 for Mac, a significant update that is free to subscribers but also available as a standalone download. I’ve used 1Password since I started using a Mac. The app has always been the best way to store passwords for websites, and for years, that’s primarily how I’ve thought of it.

There’s been more to 1Password than just password storage for a while now though, and what sets this update apart is the depth of those other features and the ease with which they can be incorporated in your everyday computing life. That’s important because it doesn’t take much friction for someone to get lazy about security.

1Password 7 is a comprehensive update that touches every corner of the app. The app will still be familiar to long-time users, but features like Watchtower and Vaults have been extended with new capabilities that are worth exploring if you haven’t in a while. 1Password also works better than ever with app logins. There are dozens of other changes big and small that along with a design refresh that make 1Password 7 an excellent update.

Read more


Apple’s Updated Security Guide for iOS 11.1 and iOS 11.2

Apple’s iOS Security guide is one of the most fascinating technical documents I’ve read in recent years. While the topics are intricate, they’re presented clearly in readable English. Earlier this week, the document was updated with new information on the latest additions to the iOS ecosystem – including Face ID, Apple Pay Cash, and Password AutoFill. There are some interesting details I didn’t know in each section.

On Face ID:

Facial matching is performed within the Secure Enclave using neural networks trained specifically for that purpose. We developed the facial matching neural networks using over a billion images, including IR and depth images collected in studies conducted with the participants’ informed consent. Apple worked with participants from around the world to include a representative group of people accounting for gender, age, ethnicity, and other factors. The studies were augmented as needed to provide a high degree of accuracy for a diverse range of users. Face ID is designed to work with hats, scarves, glasses, contact lenses, and many sunglasses. Furthermore, it’s designed to work indoors, outdoors, and even in total darkness. An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your iPhone X with photos or masks.

On Apple Pay Cash, which details the new ‘Apple Payments Inc.’ subsidiary:

When you set up Apple Pay Cash, the same information as when you add a credit or debit card may be shared with our partner bank Green Dot Bank and with Apple Payments Inc., a wholly owned subsidiary created to protect your privacy by storing and processing information separately from the rest of Apple and in a way that the rest of Apple doesn’t know. This information is only used for troubleshooting, fraud prevention, and regulatory purposes.

[…]

Apple Payments Inc. will store and may use your transaction data for troubleshooting, fraud prevention, and regulatory purposes once a transaction is completed. The rest of Apple doesn’t know who you sent money to, received money from, or where you made a purchase with your Apple Pay Cash card.

To read more, get the full PDF here and check out the document revision history for January 2018.

Permalink

Apple Addresses the Meltdown and Spectre Exploits With Additional Mitigations to Come

In a support article, Apple has acknowledged that the recently-disclosed Meltdown and Spectre exploits, which affect virtually every CPU in computers, mobile devices, and other platforms, also impact every Mac and iOS device. Although there are no known exploits of the vulnerabilities, Apple advises that users proceed with caution and download apps from trusted sources only.

Mitigations to defend against Meltdown have already been shipped by Apple in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS is unaffected by Meltdown. Development of mitigations for both exploits is ongoing and new defenses will be released to each Apple OS as they become available.

The support article published by Apple provides a high-level explanation of how each exploit works. If there’s any good news to be found in the widespread concern caused by these exploits it’s that Apple says the recently-released mitigations have no measurable impact on performance:

Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Apple’s support document also reveals that Spectre can be exploited in web browsers, including Safari, using JavaScript. Apple is working to address the problem with an update to Safari that will be released in the coming days. Apple says that:

Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.

The gravity of the exploits, which affect virtually all computing platforms, cannot be understated, but it’s reassuring that the initial mitigations released and those coming in the days ahead should have little or no impact on performance. It’s also worth noting that this is probably not the last we’ll hear about Meltdown and Spectre. As Apple notes:

We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS. 

Permalink

Twitter Now Supports Third-Party Apps for Two-Factor Authentication

Earlier today Twitter announced that you’ll now be able to use a third-party app (such as Google Authenticator, Authy, or 1Password) for two-factor authentication instead of SMS. The company has updated their support document with instructions on how to set it up here.

This is great news as Twitter was the last service with 2FA that only supported sending codes via SMS. Switching from text messages to 1Password (which I use for one-time codes) was easy: in Twitter for iPad, I went to Settings ⇾ Account ⇾ Security, and enabled the ‘Security app’ toggle. I then selected to use another app to generate my codes and opened 1Password on my iPhone, where I hit Edit on my Twitter login item and scrolled to the OTP section. Here, I tapped the QR button, scanned the QR code Twitter was displaying on my iPad with the iPhone’s camera, and that was it.

Unless you specifically want to receive 2FA codes from Twitter via SMS, you should consider switching to a dedicated authentication app: these codes work independently from carriers and location, and they can be generated offline.

Permalink

Apple Fixes Root Access Bug with Security Update

Yesterday a serious security flaw in macOS High Sierra was discovered that let someone with access to a Mac running Apple’s latest OS gain root access to the its data. Today, Apple released Security Update 2017-001, which fixes the issue. The release notes to the update describe the issue as follows:

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

In a comment to Rene Ritchie of iMore.com, Apple said:

Needless to say, this is an important update that should be installed as soon as possible.

Permalink