Security

iOS 12 Requires Biometrics Before Autofilling Passwords by Muhammad Amir Ayub

From iMore:

While Apple introduced iCloud Keychain years ago, the lack of any authentication check always prevented me from using it. I just never wanted to have to worry about handing my phone to a stranger in an emergency or even a friend at a conference and also handing them all my logins and credit cards.

iPhone X introduced Face ID as an authentication check, and that was great… but only for iPhone X. Now, iOS 12 adds Touch ID to the system as well, and that means iCloud Keychain is finally a first-class password manager.

If you’re already using a third-party password manager, Apple’s integrating those into the auto-fill system as well, so now it’s win/win all around.

This wasn't mentioned in the previous article I quoted from, but it is something new I've definitely noticed and appreciate. Before, if someone had already unlocked your device, they had access to your passwords, because there was no added layer of security before iOS autofilled them. Now you have to authenticate with biometrics first (Touch ID or Face ID) before iOS fills in the password.

And finally, you can control your flashlight via Siri!

Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses (since 2007) by Muhammad Amir Ayub

From Macrumors:

Hackers have had an “easy way” to get certain malware past signature checks in third-party security tools since Apple’s OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools — designed to sniff out suspiciously signed software — into thinking the malware was officially signed by Apple while they in fact hid malicious software.

...

The researchers said that the signature bypassing method is so “easy” and “trivial” that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple.

...

Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: “To be clear, this is not a vulnerability or bug in Apple’s code... basically just unclear/confusing documentation that led to people using their API incorrectly.” It’s also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: “If a hacker wants to bypass your tool and targets it directly, they will win.”

For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that “third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.”

It looks like a case where the so-called security programs were fooled by a trick that exploited the tool vendors' own misuse of Apple's code-signing API (not helped by Apple's usually unhelpful documentation). All the more reason that, on the Mac, trusting the built-in security is the way to go for the most part. You've already paid a premium for the hardware.
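The quoted MacRumors piece describes the flaw in prose: a universal (fat) binary carries several Mach-O slices, and a tool that asks "who signed this?" about only the first slice is satisfied by an Apple-signed slice that never runs, while the slice that actually executes is signed by someone else. The following Python is an added example written for this page; it is not code from Apple, Ars Technica, Patrick Wardle, or any of the affected tools. It parses the real fat header layout from `<mach-o/fat.h>`, builds two constructed universal binaries, and contrasts the flawed first-slice check with the per-slice identity comparison Apple's clarified documentation calls for. The `stub_signing_identity` function is a constructed stand-in for the Security.framework calls a real tool would make; the constructed slices carry a marker string instead of a real signature. The choice of a PowerPC slice as the Apple-signed decoy follows the original researchers' write-up (the decoy has to be a CPU type the host will not execute), which the page itself does not spell out.

```python
import struct
from typing import Callable, List, NamedTuple, Tuple

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE          # the fat header is always big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O magic, in the slice's native endianness
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O magic
CPU_TYPE_POWERPC = 0x00000012
CPU_TYPE_X86_64 = 0x01000007
SLICE_ALIGN_LOG2 = 12           # lipo aligns slices to 4 KiB pages


class FatArch(NamedTuple):
    cputype: int
    cpusubtype: int
    offset: int
    size: int
    align: int


def parse_fat_arches(data: bytes) -> List[FatArch]:
    """Walk the fat header and return every slice, in header order."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a universal binary (magic %#x)" % magic)
    arches = []
    for i in range(nfat_arch):
        arch = FatArch(*struct.unpack_from(">IIIII", data, 8 + 20 * i))
        if arch.offset + arch.size > len(data):
            raise ValueError("slice %d extends past end of file" % i)
        arches.append(arch)
    return arches


def build_fat(slices: List[Tuple[int, int, bytes]]) -> bytes:
    """Assemble a universal binary from (cputype, cpusubtype, slice_bytes) triples."""
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    out += b"\0" * (20 * len(slices))  # fat_arch table, patched in below
    entries = []
    for cputype, cpusubtype, blob in slices:
        out += b"\0" * ((-len(out)) % (1 << SLICE_ALIGN_LOG2))  # page-align the slice
        entries.append(struct.pack(">IIIII", cputype, cpusubtype, len(out), len(blob), SLICE_ALIGN_LOG2))
        out += blob
    out[8:8 + 20 * len(slices)] = b"".join(entries)
    return bytes(out)


IdentityFn = Callable[[bytes], str]


def stub_signing_identity(slice_bytes: bytes) -> str:
    """CONSTRUCTED stand-in for asking Security.framework who signed one slice.
    A real tool would call SecStaticCodeCreateWithPath and SecCodeCopySigningInformation;
    the constructed slices here carry a NUL-terminated 'SIGNER=<name>' marker instead."""
    marker = b"SIGNER="
    start = slice_bytes.find(marker)
    if start < 0:
        return "unsigned"
    end = slice_bytes.find(b"\0", start)
    return slice_bytes[start + len(marker):end].decode()


def naive_is_apple_signed(data: bytes, identity_of: IdentityFn = stub_signing_identity) -> bool:
    """The flawed pattern: inspect only the first slice the header lists."""
    first = parse_fat_arches(data)[0]
    return identity_of(data[first.offset:first.offset + first.size]) == "Apple"


def strict_is_apple_signed(data: bytes, identity_of: IdentityFn = stub_signing_identity) -> bool:
    """What Apple's clarified docs ask for: every slice must carry the same identity, and it must be Apple."""
    identities = {identity_of(data[a.offset:a.offset + a.size]) for a in parse_fat_arches(data)}
    return identities == {"Apple"}


def _slice(magic_bytes: bytes, signer: str) -> bytes:
    # Constructed slice: a Mach-O magic followed by the signer marker; not a loadable Mach-O.
    return magic_bytes + b"SIGNER=" + signer.encode() + b"\0"


def make_malicious_sample() -> bytes:
    """Constructed: Apple-signed PowerPC decoy first (never executed on an Intel Mac), attacker slice second."""
    return build_fat([
        (CPU_TYPE_POWERPC, 0, _slice(struct.pack(">I", MH_MAGIC), "Apple")),
        (CPU_TYPE_X86_64, 3, _slice(struct.pack("<I", MH_MAGIC_64), "attacker-adhoc")),
    ])


def make_clean_sample() -> bytes:
    """Constructed: both slices carry the same Apple identity."""
    return build_fat([
        (CPU_TYPE_POWERPC, 0, _slice(struct.pack(">I", MH_MAGIC), "Apple")),
        (CPU_TYPE_X86_64, 3, _slice(struct.pack("<I", MH_MAGIC_64), "Apple")),
    ])


if __name__ == "__main__":
    bad, good = make_malicious_sample(), make_clean_sample()
    for a in parse_fat_arches(bad):
        print("cputype=%#010x offset=%d size=%d" % (a.cputype, a.offset, a.size))
    print("naive check on malicious sample:", naive_is_apple_signed(bad))    # True (fooled)
    print("strict check on malicious sample:", strict_is_apple_signed(bad))  # False
    print("strict check on clean sample:", strict_is_apple_signed(good))     # True
```

The design point is the one Apple's updated documentation makes: an identity answer for a universal binary is only meaningful if every slice agrees, so a checker has to enumerate the fat header itself rather than trust whatever slice the API happens to look at first. On a real Mac, `codesign -dvv --arch x86_64 <path>` and `lipo -detailed_info <path>` give you the per-slice view by hand.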


An Overlooked Security Feature of iOS by Muhammad Amir Ayub

If you use an iOS device, read on.

Apparently there was a setting in the Touch ID & Passcode section that I never realized existed: "Erase Data - Erase all data on this iPhone after 10 failed passcode attempts"


At first glance, this sounds like a scary setting. Any parent has had the experience of being locked out of a phone because a young child grabbed it and mashed the buttons (hopefully not followed by smashing the phone itself). Either way, the outcome is a locked phone, and it would be bad if, repeated enough times, your phone were wiped clean by your children rather than by privacy-intruding authorities (which is why you want a current backup either way).

John Gruber found that wiping the phone is not so easy, since the timeout period grows longer with each failed attempt, and by then you will hopefully have your phone back:

I had no idea until I looked into it last weekend, but it turns out this feature is far more clever than I realized, and it’s highly unlikely that your kids or jackass drinking buddies could ever trigger it. After the 5th failed attempt, iOS requires a 1-minute timeout before you can try again. During this timeout the only thing you can do is place an emergency call to 911. After the 6th attempt, you get a 5-minute timeout. After the 7th, 15 minutes. These timeouts escalate such that it would take over 3 hours to enter 10 incorrect passcodes.

I've turned it on, and so should you, especially in this age where privacy is more and more of a concern, with multiple battlefronts and multiple viewpoints everywhere.