Apple on Monday previewed a variety of security and privacy features it plans to add to the macOS and iOS operating systems, including encrypted FaceTime group calls, password-management tools, and camera and microphone protections. The company also released a beta version of the upcoming iOS 12 that, according to Motherboard, all but kills off two iPhone unlocking tools used by police forces around the world.
The feature, known as USB Restricted Mode, requires that users unlock their iPhone with a password when connecting it to a USB device. Motherboard said the beta requires a password each time a phone that hasn't been unlocked in the past hour tries to connect to a device using a Lightning connection. The password requirement largely neutralizes iPhone unlocking tools provided by companies called Cellebrite and GrayShift, which reportedly use USB connectivity to bypass iOS restrictions on the number of incorrect PIN guesses that can be entered into an unlocked iPhone. With those limitations removed, police can make an unlimited number of PIN guesses when attempting to unlock a confiscated iPhone.
Previous iOS betas had USB restrictions that required a password to be entered when the phone hadn't been unlocked for seven days. Those USB Restricted Modes were later removed before Apple issued final versions of iOS. The restrictions this time around are much more stringent, because police would have no more than 60 minutes between the time they obtain an iPhone and connect it to an unlocking tool. Readers should remember that Apple has previously removed USB Restricted Mode before releasing final versions and may do so again with iOS 12.
End-to-end encryption, password management, and more
The unannounced beta feature came as Apple previewed a host of security enhancements to the upcoming macOS Mojave and iOS 12. One of the most important enhancements is end-to-end encryption for group calls with the FaceTime app. It works for groups of 32 or fewer people. The ability to seamlessly encrypt voice calls in real time for such a large number touched off long social media discussions as security practitioners speculated how, precisely, Apple engineers made the end-to-end encryption work.
Other enhancements include tools for generating strong passwords, storing them in the iCloud keychain, and automatically entering them into Safari and iOS apps across all of a user's devices. Previously, standalone apps such as 1Password have done much the same thing. Now, Apple is integrating the functions directly into macOS and iOS. Apple also debuted new programming interfaces that allow users to more easily access passwords stored in third-party password managers directly from the QuickType bar. The company also announced a new feature that will flag reused passwords, an interface that autofills one-time passwords provided by authentication apps, and a mechanism for sharing passwords among nearby iOS devices, Macs, and Apple TVs.
A separate privacy enhancement is designed to prevent websites from tracking people when using Safari. It's specifically designed to prevent share buttons and comment code on webpages from tracking people's movements across the Web without permission or from collecting a device's unique settings, such as fonts, in an attempt to fingerprint the device.
The last additions of note are new permission dialogues macOS Mojave will display before allowing apps to access a user's camera or microphone. The permissions are designed to thwart malicious software that surreptitiously turns on these devices in an attempt to spy on users. The new protections will largely mimic those previously available only through standalone apps such as one called Oversight, developed by security researcher Patrick Wardle. Apple said similar dialog permissions will protect the file system, mail database, message history, and backups.
Until researchers have time to thoroughly test the new features, it will be hard to say just how effective or usable they will be for average users. Still, seeing Apple devoting a fair amount of its attention this year to enhanced security and privacy is encouraging.
Ars Technica