Pulser_G2 · Jun 11, 2013 at 04:00 pm

Secure Encryption–An (Oxy)moronic Attempt by Apple?

In case you are someone like me who doesn’t follow the annual “update” of iOS, this is where they make it more like Android, make use of some features Android has had for years (e.g. the notification pull-down), and announce a few changes and “new” things the rest of the world has done for years.

Before I go any further, the previous sentence is intended as a joke, let’s not turn this into an iOS vs whatever war. This is about something that all platforms need to unite on: user data security.

Apple yesterday announced a new feature, iCloud Keychain, whereby your passwords will be synced between all your devices using their iCloud service. On the face of it, this ought to encourage users to use stronger passwords, as they no longer need to remember each one. Unfortunately, this “user friendly” system appears to have a few fundamental flaws.

Firstly, Apple encourages password re-use. Not in the strict sense of using the one password across different sites, rather in the sense of using one password for secure and nonsecure tasks—an iPhone user must enter his/her Apple Account/iCloud password to install or update an app. They must also enter this same iCloud password to restore their cloud device backup to a new phone. And, no doubt, they will use this same iCloud password to unlock the iCloud Keychain.

At this point, the security-inclined among us will be boiling up in a nerdrage at the thought of using the same password for a routine, insecure environment task (installing an app a friend recommends), and then re-using that same password to unlock your entire digital life of passwords and credit card details. To quote from Apple, this service will store website logins, credit card numbers, WiFi networks, and account information. Aside from the fact I sincerely doubt it is storing WiFi networks, and rather stores WiFi passwords, this seems rather unsafe.

I know 3 of my friends’ iCloud passwords. Not through some devious social engineering scam, or through some super-sneaky shoulder surfing. No… They each volunteered it to me. For whatever reason they were showing me something on their phone, and Apple decided it was time to ask for their iCloud password again. I was showing one how to update their apps, and before I could hand the phone back to them to log in on, they had told me their iCloud password. AAARGH… Don’t Apple teach security to their users?

I am more than certain that plenty of iPhone (and other Apple product) users are not aware of the need to keep their iCloud password secure, as Apple shields them from the technical nuances to avoid spoiling their marketing of everything being sleek and safe. Having a red warning “IF ANYONE FINDS OUT THIS PASSWORD, THEY WILL OWN YOUR ENTIRE LIFE FOREVER MORE” would be justifiable, but there is no such warning.

Unfortunately, the product launch also introduced some technical words. “Oh, but it protects them with robust AES 256-bit encryption”, I hear you say, quoting from the announcement. And indeed, that is correct. But AES-256 encryption is not quite so robust when a legitimate user can obtain the key simply by knowing their iCloud password. Or when someone just resets your iCloud password. Do you really think Apple will design this system securely, so that if a user forgets his/her password, they forever lose access? Or will they build in a user-friendly backdoor to allow the user back into his/her account once they call support? I’ll let you figure that out… Unfortunately Apple are in a predicament here: they need users to use super-strong, hyper-complex passwords for their iCloud account, and to understand the technical reasons they must keep this password secure. The problem is, like most Apple products, the system is designed for ease of use, and therefore the majority of users will pick a simple password.

Which means it will be nice and short so it is convenient for them to type in every time they install or update an app.

Which means it’s not secure.
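The point about AES-256 above is worth putting in numbers: a key derived from a password is only as hard to recover as the password itself, however long the key is. The following Python is an added illustration, not code from the article or from Apple; it assumes nothing about how iCloud Keychain actually derives its keys and uses PBKDF2-HMAC-SHA256 from the standard library purely as a representative key-stretching function. The password policies, iteration count and guess rate are constructed values for comparison.

```python
import hashlib
import math

AES_KEY_BITS = 256

# Alphabet sizes for the entropy estimates below (constructed for
# illustration; real users rarely choose characters uniformly at random).
DIGITS = 10
LOWER = 26
LOWER_UPPER_DIGITS = 62
PRINTABLE_ASCII = 95


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the secret in a password: `length` characters chosen
    uniformly from `alphabet_size` symbols. Human-chosen passwords are worse."""
    return length * math.log2(alphabet_size)


def effective_security_bits(password_bits: float, kdf_iterations: int = 1,
                            key_bits: int = AES_KEY_BITS) -> float:
    """Work needed to recover a password-derived key, expressed in bits.

    The cipher key length is only an upper bound: anyone who guesses the
    password gets the key, so the real figure is the password's entropy plus
    the extra cost each guess incurs from KDF stretching (log2 of the
    iteration count), capped at the cipher's own key size."""
    return min(key_bits, password_bits + math.log2(kdf_iterations))


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The output is always 32 bytes, whether the input is a 4-digit PIN or a
    random 40-character passphrase, so "a 256-bit key" says nothing about
    how hard that key is to recover."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=AES_KEY_BITS // 8)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every possibility at an assumed guess rate; the number a
    defender should plan against."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def policy_report(iterations: int = 100_000, guesses_per_second: float = 1e9) -> list:
    """Compare a few password policies against the AES-256 headline figure."""
    policies = [  # constructed policies for comparison
        ("4-digit PIN", 4, DIGITS),
        ("8 lowercase letters", 8, LOWER),
        ("12 mixed letters and digits", 12, LOWER_UPPER_DIGITS),
        ("40 random printable characters", 40, PRINTABLE_ASCII),
    ]
    rows = []
    for name, length, alphabet in policies:
        pw_bits = password_entropy_bits(length, alphabet)
        eff = effective_security_bits(pw_bits, iterations)
        rows.append({
            "policy": name,
            "password_bits": round(pw_bits, 1),
            "effective_bits": round(eff, 1),
            "years_to_exhaust": years_to_exhaust(eff, guesses_per_second),
        })
    return rows


if __name__ == "__main__":
    salt = b"constructed-salt-for-demo"
    pin_key = derive_key("1234", salt, 100_000)
    pin_work = effective_security_bits(password_entropy_bits(4, DIGITS), 100_000)
    print(f"key from a 4-digit PIN: {len(pin_key) * 8} bits long, "
          f"but only {pin_work:.1f} bits of work to recover")
    for row in policy_report():
        print(f"{row['policy']:<32} password {row['password_bits']:>6} bits  "
              f"effective {row['effective_bits']:>6} bits  "
              f"{row['years_to_exhaust']:.3g} years at 1e9 guesses/s")
```

Only the last policy in the report actually reaches the 256-bit cap; everything a user would be happy to type every time they install an app sits tens of bits below it, and no amount of cipher strength changes that. The report ignores password resets entirely, which the text rightly flags as a separate way around the key.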

Expect attacks on iCloud accounts to rise in volume and risk, particularly against less technical users. I anticipate a lot of phishing attacks attempting to tell Apple device users their account just needs a “little upgrade”, and to just click this link so one of their geniuses will sort it all out automatically. While the friendly-friendly approach works to a point, it doesn’t work whatsoever when it comes to the harsh realities of security. This is not secure encryption, as it depends on a user who is constantly shielded from the technical intricacies of the process.


Pulser_G2

Pulser_G2 is an editor on XDA-Developers, the largest community for Android users. Developer Admin at xda-developers, interested in everything in mobile and security. A developer and engineer, who would re-write everything in C or Assembler if the time was there.