Modern field guide to security and privacy

Why Apple's new security features set a high bar for the tech industry

Apple doubles down on security in iOS 9. The upgrades come as the company has publicly challenged federal law enforcement efforts to weaken encryption on consumer devices.

Robert Galbraith/Reuters
Apple senior vice president for software engineering Craig Federighi spoke at the Worldwide Developers Conference in San Francisco on June 8.

It might just be two numbers, but it's a big leap forward when it comes to security.

Among the new features that Apple revealed Monday at its Worldwide Developers Conference was the addition of two digits to its four-digit passcode for iPhones and iPads.

“Four digit pins were not particularly secure," says Matthew Green, a cryptography expert at Johns Hopkins University. "Going from four to six digit pins is a big deal."

What might seem like a simple update to the new mobile operating system, iOS 9, comes along with a string of other features that together set Apple apart from most competitors when it comes to privacy and security safeguards. iOS 9 will be released in September.

"We don't mine your e-mail, your photos, or your contacts in the cloud to learn things about you,” said Craig Federighi, Apple’s senior vice president of software engineering, at the Worldwide Developers Conference. “We honestly just don't want to know."

Apple’s security update also comes amid the growing debate about encryption between Washington and Silicon Valley. Last week, the FBI urged technology companies to “prevent encryption above all else,” underscoring the government’s desire for back doors to be built into encryption, or for no encryption at all. Also last week, Apple chief executive Tim Cook reinforced Apple's commitment to strong encryption in a speech at an event held by the Electronic Privacy Information Center, an advocacy group.

“Now, we have a deep respect for law enforcement, and we work together with them in many areas, but on this issue we disagree,” he said. “So let me be crystal clear — weakening encryption, or taking it away, harms good people that are using it for the right reasons. And ultimately, I believe it has a chilling effect on our first amendment rights and undermines our country’s founding principles."

To be sure, the upgrades to security – and Apple's more overt stance on the encryption debate – are also being done with business in mind, says Rich Mogull, a security analyst at Securosis. He says the new security updates serve two purposes: genuinely increasing users’ security and protecting Apple's business prospects abroad. “From a business standpoint,” he said, “if Apple has a backdoor for the FBI, can Apple still sell iPhones in China?”

Strengthening Apple security begins in iOS 9 with the longer PIN code. A four-digit code means there are only 10,000 possibilities an attacker has to go through to crack the screen lock, which amounts to only 111 hours with brute-force hardware such as MDSec’s IP Box. A six-digit code has one million possibilities, increasing that time to just over 462 days with the same hardware.
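The arithmetic behind those figures, as an added illustration that is not part of the article: the per-guess cost is derived from the article's own 111 hours for 10,000 guesses (about 40 seconds per guess, a figure the page does not state directly), and the model is then generalised beyond the page to arbitrary passcode lengths and alphabets. Everything here is assumed for the example; it describes no particular device's behaviour.

```python
"""Model the brute-force cost of a screen-lock passcode.

Added example (not from the article). The only input taken from the
article is "111 hours for a 4-digit code"; the 40 s per guess is derived
from it, and longer or alphanumeric codes are a generalisation.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR

# Derived from the article: 111 hours to exhaust 10,000 four-digit codes.
SECONDS_PER_GUESS = 111 * SECONDS_PER_HOUR / 10_000   # ~39.96 s per guess


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct passcodes of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols (10 for digit-only PINs)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


@dataclass(frozen=True)
class BruteForceEstimate:
    guesses: int               # size of the search space
    worst_case_seconds: float  # every code tried
    expected_seconds: float    # on average the right code is found halfway

    @property
    def worst_case_hours(self) -> float:
        return self.worst_case_seconds / SECONDS_PER_HOUR

    @property
    def worst_case_days(self) -> float:
        return self.worst_case_seconds / SECONDS_PER_DAY


def brute_force_estimate(length: int, alphabet_size: int = 10,
                         seconds_per_guess: float = SECONDS_PER_GUESS) -> BruteForceEstimate:
    """Time to exhaust the keyspace at a fixed cost per guess.
    The per-guess cost is what a lockout policy or rate limiter controls;
    the keyspace is what passcode length and alphabet control."""
    n = keyspace(length, alphabet_size)
    worst = n * seconds_per_guess
    return BruteForceEstimate(n, worst, worst / 2)


def comparison_table() -> list:
    """Rows of (label, guesses, worst-case days) for a few policies."""
    rows = []
    for label, length, alphabet in (("4 digits", 4, 10),
                                    ("6 digits", 6, 10),
                                    ("6 lowercase letters+digits", 6, 36)):
        est = brute_force_estimate(length, alphabet)
        rows.append((label, est.guesses, round(est.worst_case_days, 1)))
    return rows


if __name__ == "__main__":
    for label, guesses, days in comparison_table():
        print(f"{label:28s} {guesses:>14,d} guesses  {days:>12,.1f} days worst case")
```

The table shows what the two extra digits buy: the per-guess cost is unchanged, so the defence is purely the 100-fold larger keyspace. The same function also shows why the per-guess delay matters as much as length: halving the delay halves every row.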

Despite some user concerns that six digits will be difficult to remember, most consumers should quickly become accustomed to the extra digits, says Lorrie Cranor, director of the CyLab Usable Privacy and Security Lab at Carnegie Mellon University. Beyond the new length of the passcode, however, she says the effectiveness of the code will ultimately depend on whether or not the user recycles a familiar password.

“I expect that many people will add two digits to the four digit code they’ve already remembered,” says Ms. Cranor. “That’s not great, but it will make it useable for them.”

Apple also hopes to make two-factor verification usable for certain services, which will help prevent unauthorized users from accessing an account with a stolen password.

“In this case I think that Google is a little bit ahead already,” says Mr. Green, the cryptographer. “Google has a pretty good two-factor authentication system and application-specific passwords.”

Apple’s two-factor authentication requires a user to enter a password sent to one of their devices if they want to manage their Apple ID account or use other Apple services and products. This will help prevent hacks such as last year's iCloud breach that exposed personal pictures of celebrities.

“We’ve pretty much given up on using passwords as a sole method for authenticating people,” Green says. “Having a second factor right now seems to be the only thing that’s really reliably keeping systems secure.”

What remains to be seen with this feature is how Apple handles problems such as lost or stolen devices, and how usable it turns out to be.

“If they implement it in a way that all iPhone and iPad and Macbook users say, ‘Wow this is easy, I’m going to use it,’ it’s a big deal because it’ll get people in the habit of using two-factor [verification] and will make them more willing to use it for their other accounts,” Cranor said.

One of the most significant changes to iOS 9 is its new “App Transport Security,” which encourages developers to build apps using HTTPS, a security protocol that encrypts Internet traffic. HTTPS is typically used on sites when making financial transactions or providing other sensitive information. Apple has not yet made it a requirement, but encourages developers to move to HTTPS “as soon as possible.”

Without a mechanism such as App Transport Security (or, on the web, “HTTP Strict Transport Security”) to ensure users reach the secure version of a page, they remain susceptible to attacks that can steal personal information.
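What App Transport Security looks like from an app's side, as an added example that is not from the article or from Apple: an app declares any weakening of ATS in its Info.plist, so a defender can audit builds for it. The key names used here (NSAppTransportSecurity, NSAllowsArbitraryLoads, NSExceptionDomains, NSExceptionAllowsInsecureHTTPLoads, NSIncludesSubdomains) are the real iOS 9 ATS keys; the two plists, the bundle identifier and the domain are constructed for the example.

```python
"""Audit an iOS app's Info.plist for App Transport Security opt-outs.

Added example, not Apple's code. With iOS 9, an app that says nothing
about ATS gets its HTTPS policy by default; the keys below are how an app
weakens it, which is exactly what a build check should flag.
"""
import plistlib

# Constructed sample: an app that disables ATS globally and also whitelists
# plain HTTP for one domain and its subdomains (the weak configuration).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: the corrected configuration simply omits the ATS
# dictionary, leaving the HTTPS-only default in force.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
</dict>
</plist>
"""


def audit_ats(plist_bytes: bytes) -> list:
    """Return a list of human-readable findings, one per ATS weakening.
    An empty list means the app keeps ATS's default HTTPS policy."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []

    # Global opt-out: every connection may use plain HTTP.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is disabled for all connections")

    # Per-domain opt-outs: narrower, but still plaintext for those hosts.
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = " and its subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"plain HTTP allowed for {domain}{scope}")
    return findings


def is_ats_clean(plist_bytes: bytes) -> bool:
    """True when the plist declares no ATS weakening at all."""
    return not audit_ats(plist_bytes)


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        findings = audit_ats(data)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for f in findings:
            print("  -", f)
```

Run against a real build by reading the app bundle's Info.plist into `audit_ats`; treating a non-empty result as a CI failure is the simplest way to stop an HTTP exception from shipping unnoticed.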
