
Two new iPhone security features

I am at heart a bit of an open source hippy who sees the world through rose coloured glasses. I want to believe that Android[1] is the best mobile operating system because it is at its core open source and it gives users the freedom to run their own code and inspect the code running on their device without needing to pay for licensing agreements or sign NDAs, unlike the walled garden that Apple has built.

However, if pushed, I'd begrudgingly admit that if security is your priority, Apple and the iPhone have the edge.

Apple has released two new security features for their latest version of iOS and I think they are really interesting to look at from the point of view of threat modeling because they cater to almost polar opposites of the threat landscape.

The two features are USB Restricted mode and "tools for generating strong passwords, storing them in the iCloud keychain, and automatically entering them into Safari and iOS apps across all of a user's devices." These two features nicely demonstrate what Bruce Schneier called "Going Dark" vs. a "Golden Age of Surveillance".

With USB Restricted mode, if someone has an iPhone and they are picked up by police, the police can no longer access their phone to look for incriminating material[2]. This is a great step forward and has privacy advocates cheering, but it's not something that most people have to worry about.

The password generation and storage, on the other hand, is something that will result in greatly increased security for a huge number of people. People generally are bad at picking passwords, bad at storing passwords and absolutely terrible at not repeating the same password across numerous systems. Letting your iPhone generate a password for you and syncing that across all your Apple devices is going to be a hell of a lot better than what most people are currently doing. It's not only going to be more secure but it's going to be easier, and people will always take the easy option. It's like LastPass but built into the operating system.

If I had to give anyone the job of securing all that data I'd say companies like Apple and Google are about as good as you can get. But if Apple are syncing the passwords across devices then they must be storing the passwords in such a way that it's possible to recover the cleartext. That just opens up a whole can of worms: even Apple's best developers are still human, and humans make mistakes or can be bribed or threatened. There was a story not that long ago where some celebrity had their iCloud account password guessed and compromising photos leaked online, and that was a result of Apple forgetting to rate limit one of their services, so these things do happen.


  • USB Restricted mode: Good for the ~1% of people who are political activists or being surveilled by intelligence agencies? Yes. Good for the ~99% of people who just want to keep their Facebook account safe? It can't hurt, I guess.

  • Password generation and cloud storage: Good for the ~1% of people who are political activists or being surveilled by intelligence agencies? Maybe, it depends. Good for the ~99% of people who just want to keep their Facebook account safe? Yes.

  1. Actually, I still want to believe that in the future Maemo 5 from my old Nokia N900 or KDE Plasma Mobile will dominate the mobile market, but I'm at least somewhat in touch with reality, so Android it is. 

  2. I feel like I'm flogging a dead horse here and I shouldn't need to say this, but just because something is incriminating or illegal doesn't mean it's immoral. There are still countries where it's illegal to be homosexual; a man could have pictures of him and his boyfriend kissing. Illegal yes, immoral no.

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.