Apple is notoriously tight-lipped about security, usually letting the glitz of its products do the talking (and also not wanting to invite trouble). But at last week's iPhone 5S and iPhone 5C launch event in Cupertino, security was one of the biggest features touted by the notoriously design-driven company. True, a lot of the attention was focused on the integrated fingerprint reader in the flagship iPhone 5S, but with these new phones and the new iOS 7, Apple has doubled down on mobile security.
Though not entirely unexpected, Apple's decision to include a fingerprint reader in the iPhone 5S is generating a lot of discussion. Unlike other fingerprint readers, the iPhone 5S reads your prints from the home button — which every iPhone user presses already. A sapphire lens lets the sensor get a clear image of an inner layer of skin, which Apple says gives it the best view of your loops, arches, and whorls.
In this post-Snowden world, concern about the NSA is rampant, but Apple had some soothing words for the worriers out there.
Apple said fingerprint information would be encrypted and stored on its A7 chip — not on iCloud, and not shared with any third-party apps. Additionally, the Wall Street Journal reported that the iPhone 5S wouldn't store images of your fingerprint, but rather "fingerprint data."
A fingerprint reader that people actually use has the potential to change how authentication works in all devices. It's also likely that we'll see other smartphone makers taking an interest in biometric authentication — there's already a device that uses your heartbeat — which in turn will encourage organisations like banks and retailers to embrace biometrics. If nothing else, it might get that lazy 50 per cent of iPhone users to at least lock their phones.
Thankfully, Apple doesn't see fingerprints as the be-all and end-all of authentication on the iPhone 5S. The company told the Wall Street Journal that a special passcode must be used to unlock a rebooted phone or a phone which hasn't been unlocked for 48 hours.
Find My iPhone upgraded
Apple beat Android to the punch when it created Find My iPhone, a service that can track, lock, and wipe lost or stolen phones. It's an absolutely must-have service for any iPhone user, and Apple is making it even better in iOS 7.
For one thing, deactivating Find My iPhone will require you to enter your Apple ID and password (there's no word of whether it will use Fingerprint ID), making it harder for a thief to disconnect you from your device.
But the biggest change is what happens to your iOS device after you wipe it. Right now, wiping your device means ceding it to a thief, sans your data (unless you called your network provider first). Not so any more. "Find My iPhone can also continue to display a custom message," that is, flash on screen a message that you write from another Internet-connected device via your iCloud account, "even after your device is erased," according to Apple's website. "And your Apple ID and password are required before anyone can reactivate it."
When we talk about security tips, we always tell people to download and use a password manager. LastPass and Dashlane are the ones we recommend, but a new feature called iCloud Keychain might mean we have to add one more to that list.
Coming to iOS 7 after the as-yet unannounced launch of OS X Mavericks, iCloud Keychain is pretty much what the name implies: It stores your Keychain passwords on iCloud, making them accessible to all your iOS and OS X devices. And they'll all be secured with 256-bit AES encryption.
Keychain can already capture all your existing passwords, and generate new ones to boot, but they've been locked on whatever device you happen to be using at the time. Now those passwords can be everywhere, and for free. This doesn't quite catch up to the competition since it will be limited to Apple devices, but it will be free and (hopefully) seamless, and might encourage Apple users to get smarter about their own password habits.
iCloud Keychain is expected to work with website logins, Wi-Fi passwords, credit cards, and other forms of vital information. We'll see the full extent of the feature once Mavericks launches.
Privacy on your phone and on the web
I use both Android and iOS every day, and I much prefer Apple's fine-grained approach to permissions. In iOS 6, you can view the permissions you've granted apps for things like location, and revoke them at any time. In iOS 7, Apple will be giving you even more control, with per-app controls for cellular data usage, microphone access, and camera access.
iOS 7 also comes with a really interesting innovation in terms of how you interact with advertisers. Many free apps are able to make money by including code from ad networks. Sometimes this just puts banner ads in your app, but at other times the networks might try to nab your phone number or unique device ID in order to track your movement between apps.
Apple will soon be introducing an Advertising Identifier, a unique ID assigned to your device that advertisers can query without accessing something more important. And here's the best part: Apple is putting you in control. You'll be able to reset or limit advertisers' access to your ID from your iPhone's and iPad's settings.
Beyond your phone, Apple is also adding security and privacy features to mobile Safari. In iOS 7, you'll be able to engage a Do Not Track option, which my colleague Jill Duffy believes to be a revamped version of Private Browsing from iOS 6. Once engaged, sites which comply with certain standards will not be able to track your movements between websites. It likely won't actively prevent tracking from advertisers who choose not to comply, however.
SMS and call blocking, plus encryption
Android users have long enjoyed the ability to block calls and SMS using third-party security apps, while only a few iOS developers have tried to work around Apple's tight grip on phone functions. Now, Apple will provide that option in iOS 7.
From the settings, you'll be able to block contacts for calls, messages, and FaceTime interaction. Oddly, Apple hasn't provided a single setting for this feature. Instead, you activate blocking in the Settings menu for either Messages or FaceTime and iOS 7 will block interactions in calls, messages, and FaceTime.
iOS 6 users currently enjoy end-to-end encryption of their text messages between iOS users, and encrypted FaceTime video chatting as well. iOS 7 will also be adding FaceTime Audio, which lets you make a VoIP call over a data connection. Thankfully, these VoIP calls will also be encrypted, giving you a somewhat more secure way to carry on a conversation.
One of the big revelations at this year's Black Hat conference was the Mactans device which could hijack any iPhone connected via USB. The problem stems from a fundamental issue in how iOS devices behave when connected to another device via USB. By default, the iOS device would attempt to mount itself as a USB mass storage device, regardless of what was on the other end of the USB cable.
But no more. With iOS 7, you'll be prompted to authorise whatever computer you attach to your iPhone. If you don't authorise it, the iPhone treats it like a regular old charger and just sucks down some electricity without making itself vulnerable.
Now, clever attackers could get around this with a little bit of social engineering, but it's definitely a step in the right direction.
Apple touted more than 200 new features in iOS 7, and happily it seems that security improvements were among the more noteworthy additions. But there are a lot of small changes that will keep you more secure, too.
For instance, iOS 7 lets you update your apps automatically, so you'll always have the latest and most recently patched version of an app. With more and more attacks going after services, you can bet that this will be critical in the future.
Apple even paid lip service to the issue of malware, acknowledging that mobile malware was a rising problem. However, Apple didn't provide much of a clue as to how it's addressing the issue, saying only, "hardware and firmware features are designed to protect against malware and viruses," whatever that means.
Taken all together, iOS 7 and the new iPhone 5S are powerful statements from Apple about security. The company is definitely aware of the threats that exist, and seems to have been paying close attention to how threats have developed on the Android operating system. While there are some security issues Apple has yet to address, or address adequately, this is the most we've seen Apple say about mobile security in a long time. The iPhone 5S and iOS 7 might just be the most secure offerings from Apple, ever.
iOS 7 will emerge tomorrow, and if you want to find out if your iPhone (or other Apple device) is compatible with it, check out our article here.