Pulser_G2 · Jun 11, 2013 at 04:00 pm

Secure Encryption–An (Oxy)moronic Attempt by Apple?

In case you are someone like I am who doesn’t follow the annual “update” of iOS, this is where they make it more like Android and make use of some features Android has had for years (i.e. notification pull-down), and announce a few changes and “new” things the rest of the world has done for years.

Before I go any further, the previous sentence is intended as a joke, let’s not turn this into an iOS vs whatever war. This is about something that all platforms need to unite on: user data security.

Apple yesterday announced a new feature, whereby your passwords will be synced between all your devices, using their iCloud service. On the face of it, this ought to encourage users to use stronger passwords, as they do not need to remember each password. Unfortunately, this “user friendly” system appears to have a few fundamental flaws. This is called iCloud Keychain.

Firstly, Apple encourages password re-use. Not in the strict sense of using the one password across different sites, rather in the sense of using one password for secure and nonsecure tasks—an iPhone user must enter his/her Apple Account/iCloud password to install or update an app. They must also enter this same iCloud password to restore their cloud device backup to a new phone. And, no doubt, will use this iCloud password to unlock the iCloud Keychain.

At this point, the security-inclined among us will be boiling up in a nerdrage, at the thought of using the same password for a routine, insecure environment task (installing an app a friend recommends), and then re-using that same password to unlock your entire digital life of passwords and credit card details. To quote from Apple, this service will store website logins, credit card numbers, WiFi networks, and account information. Asides from the fact I sincerely doubt it is storing WiFi networks, and rather stores WiFi passwords, this seems rather unsafe.

I know 3 of my friends’ iCloud passwords. Not through some devious social engineering scam, or through some super-sneaky shoulder surfing. No… They each volunteered it to me. For whatever reason they were showing me something on their phone, and Apple decided it was time to ask for their iCloud password again. I was showing one how to update their apps, and before I could hand the phone back to them to log in on, they had told me their iCloud password. AAARGH… Don’t Apple teach security to their users?

I am more than certain that plenty of iPhone (and other Apple product users) are not aware of the need to keep secure their iCloud password, as Apple shields them from the technical nuances to avoid spoiling their marketing of everything being sleek and safe. Having a red warning “IF ANYONE FINDS OUT THIS PASSWORD, THEY WILL OWN YOUR ENTIRE LIFE FOREVER MORE” would be justifiable, but there is no such warning.

Unfortunately, the product launch also introduced some technical words. “Oh, but it protects them with robust AES 256-bit encryption”, I hear you say, quoting from the announcement. And indeed, that is correct. But AES-256 encryption is not quite so robust when a legitimate user can obtain the key through simply knowing their iCloud password. Or when someone just resets your iCloud password. Do you really think Apple will design this system securely, so if a user forgets his/her password, they forever lose access? Or will they build in a user-friendly backdoor to allow the user back into his/her account once they call support? I’ll let you figure that out…  Unfortunately Apple are in a predicament here: They need users to use super-strong, hyper-complex passwords for their iCloud account. And understand the technical reasons they must keep this password secure. The problem is, like most Apple products, they are designed for ease of use, and therefore the majority of users will pick a simple password.

Which means it will be nice and short so it is convenient for them to type in every time they install or update an app.

Which means it’s not secure.

Expect attacks on iCloud accounts to rise in volume and risk, particularly against less technical users. I anticipate a lot of phishing attacks attempting to tell Apple device users their account just needs a “little upgrade”, and to just click this link so one of their geniuses will sort it all out automatically. While the friendly-friendly approach works to a point, it doesn’t work whatsoever when it comes to the harsh realities of security. This is not secure encryption, as it depends on a user who is constantly shielded from the technical intricacies of the process.


_________
Want something on the XDA Portal? Send us a tip!

Pulser_G2

Pulser_G2 is an editor on XDA-Developers, the largest community for Android users. Developer Admin at xda-developers, interested in everything in mobile and security. A developer and engineer, who would re-write everything in C or Assembler if the time was there. View Pulser_G2's posts and articles here.
Chris Gilliam · May 3, 2015 at 12:24 pm · 2 comments

XDA Recap: This Week In Android (Apr 26 – May 2)

Here in the digital XDA newsroom, we spend our days pouring over an average of 2,500 news items and forum threads every 24 hours. Only the most timely and interesting bits survive the editing process, but the portal’s front page still sees weekly counts in excess of 100 posts. This is a glut of content to absorb, especially if following the news cycle isn’t your full-time job. However, the tech world is vast, and the information must flow. With this...

XDA NEWS
Mario Tomás Serrafero · May 3, 2015 at 11:00 am · 3 comments

Sunday Debate: Great Camera Hardware, or Software?

Join us in a fun Sunday Debate on phone cameras. Come with your opinions and feel free to read some of our thoughts, then pick your side or play devil’s advocate to get your voice heard and engage in friendly discussion. You can read our food-for-thought or jump straight into the fray below!     Cameras are typically one of the main attractions of a smartphone, and in the last couple of years, the advancements in this mobile picture-taking have...

XDA NEWS
Mario Tomás Serrafero · May 2, 2015 at 11:00 am · 2 comments

XDA Picks: Best Apps of the Week (Apr 25 – May 1)

Apps are at the front and center of any smartphone experience, and with over a million apps on the Google Play Store and new apps being submitted to our forums every day, staying up to date on the latest apps and games can be a hassle. At XDA, we don’t discriminate apps - if it’s interesting, innovative, original or useful, we mention them. The XDA Portal Team loves apps too, and we usually share and discuss the latest app releases...

XDA NEWS
Share This