Pulser_G2 · Jun 11, 2013 at 04:00 pm

Secure Encryption–An (Oxy)moronic Attempt by Apple?

In case you are someone like I am who doesn’t follow the annual “update” of iOS, this is where they make it more like Android and make use of some features Android has had for years (e.g. the notification pull-down), and announce a few changes and “new” things the rest of the world has done for years.

Before I go any further, the previous sentence is intended as a joke, let’s not turn this into an iOS vs whatever war. This is about something that all platforms need to unite on: user data security.

Apple yesterday announced a new feature, whereby your passwords will be synced between all your devices, using their iCloud service. On the face of it, this ought to encourage users to use stronger passwords, as they do not need to remember each password. Unfortunately, this “user friendly” system appears to have a few fundamental flaws. This is called iCloud Keychain.

Firstly, Apple encourages password re-use. Not in the strict sense of using the one password across different sites, rather in the sense of using one password for secure and non-secure tasks—an iPhone user must enter his/her Apple Account/iCloud password to install or update an app. They must also enter this same iCloud password to restore their cloud device backup to a new phone. And, no doubt, they will use this iCloud password to unlock the iCloud Keychain.

At this point, the security-inclined among us will be boiling up in a nerdrage at the thought of using the same password for a routine, insecure environment task (installing an app a friend recommends), and then re-using that same password to unlock your entire digital life of passwords and credit card details. To quote from Apple, this service will store website logins, credit card numbers, WiFi networks, and account information. Aside from the fact that I sincerely doubt it is storing WiFi networks, and rather stores WiFi passwords, this seems rather unsafe.

I know 3 of my friends’ iCloud passwords. Not through some devious social engineering scam, or through some super-sneaky shoulder surfing. No… They each volunteered it to me. For whatever reason they were showing me something on their phone, and Apple decided it was time to ask for their iCloud password again. I was showing one how to update their apps, and before I could hand the phone back to them to log in on, they had told me their iCloud password. AAARGH… Don’t Apple teach security to their users?

I am more than certain that plenty of iPhone (and other Apple product) users are not aware of the need to keep their iCloud password secure, as Apple shields them from the technical nuances to avoid spoiling their marketing of everything being sleek and safe. Having a red warning “IF ANYONE FINDS OUT THIS PASSWORD, THEY WILL OWN YOUR ENTIRE LIFE FOREVER MORE” would be justifiable, but there is no such warning.

Unfortunately, the product launch also introduced some technical words. “Oh, but it protects them with robust AES 256-bit encryption”, I hear you say, quoting from the announcement. And indeed, that is correct. But AES-256 encryption is not quite so robust when a legitimate user can obtain the key through simply knowing their iCloud password. Or when someone just resets your iCloud password. Do you really think Apple will design this system securely, so that if a user forgets his/her password, they forever lose access? Or will they build in a user-friendly backdoor to allow the user back into his/her account once they call support? I’ll let you figure that out… Unfortunately, Apple are in a predicament here: they need users to use super-strong, hyper-complex passwords for their iCloud account, and to understand the technical reasons they must keep this password secure. The problem is, like most Apple products, the system is designed for ease of use, and therefore the majority of users will pick a simple password.

Which means it will be nice and short so it is convenient for them to type in every time they install or update an app.

Which means it’s not secure.

Expect attacks on iCloud accounts to rise in volume and risk, particularly against less technical users. I anticipate a lot of phishing attacks attempting to tell Apple device users their account just needs a “little upgrade”, and to just click this link so one of their geniuses will sort it all out automatically. While the user-friendly approach works to a point, it doesn’t work whatsoever when it comes to the harsh realities of security. This is not secure encryption, as it depends on a user who is constantly shielded from the technical intricacies of the process.

