Why Apple's new security features set high bar for tech industry
It might just be two numbers, but it's a big leap forward when it comes to security.
Among the new features that Apple revealed Monday at its Worldwide Developers Conference was the addition of two digits to its four-digit passcode for iPhones and iPads.
“Four digit pins were not particularly secure,” says Matthew Green, a cryptography expert at Johns Hopkins University. “Going from four to six digit pins is a big deal.”
What might seem like a simple update to the new mobile operating system, iOS 9, comes along with a string of other features that together set Apple apart from most competitors when it comes to privacy and security safeguards. iOS 9 will be released in September.
“We don't mine your e-mail, your photos, or your contacts in the cloud to learn things about you,” said Craig Federighi, Apple’s senior vice president of software engineering, at the Developer’s Conference. “We honestly just don't want to know.”
Apple’s security update also comes amid the growing debate about encryption between Washington and Silicon Valley. Last week, the to “prevent encryption above all else,” underscoring the government’s desire for back doors to be built into encryption, or no encryption at all. Last week, however, Mr. Cook reinforced Apple's commitment to strong encryption in a speech during an event with the Electronic Privacy Information Center, an advocacy group.
“Now, we have a deep respect for law enforcement, and we work together with them in many areas, but on this issue we disagree,” he said. “So let me be crystal clear - weakening encryption, or taking it away, harms good people that are using it for the right reasons. And ultimately, I believe it has a chilling effect on our first amendment rights and undermines our country’s founding principles.”
To be sure, the upgrades to security - and Apple's more overt stance on the encryption debate - are also being done with business in mind, says Rich Mogull, a security analyst at Securosis. He says the new security updates serve two purposes: genuinely increasing users’ security and protecting their business prospects abroad. “From a business standpoint,” he said, “if Apple has a backdoor for the FBI, can Apple still sell iPhones in China?”
Strengthening Apple security begins for iOS 9 with the longer pin code. A four-digit code means there are only about 10,000 possibilities an attacker has to go through to crack the screen lock, which amounts to only 111 hours with brute-force technologies such as . A six-digit code has one million possibilities, increasing that time to just over 462 days with the same technology.
Despite some user concerns that six digits will be difficult to remember, most consumers should quickly become accustomed to the extra digits, says Lorrie Cranor, director of the CyLab Usable Privacy and Security Lab at Carnegie Mellon University. Beyond the new length of the passcode, however, she says the effectiveness of the code will ultimately depend on whether or not the user recycles a familiar password.
“I expect that many people will add two digits to the four digit code they’ve already remembered,” says Ms. Cranor. “That’s not great, but it will make it useable for them.”
Apple also hopes to make useable for certain services that will help prevent unauthorized users from accessing an account with a stolen password.
“In this case I think that Google is a little bit ahead already,” says Mr. Green, the cryptographer. “Google has a pretty good two-factor authentication system and application-specific passwords.”
Apple’s two-factor authentication requires a user to enter a password sent to one of their devices if they want to manage their Apple ID account or use other Apple services and products. This will help prevent hacks such as last year's iCloud breach that exposed personal pictures of celebrities.
“We’ve pretty much given up on using passwords as a sole method for authenticating people,” Green says. “Having a second factor right now seems to be the only thing that’s really reliably keeping systems secure.”
What remains to be seen with this feature is its usability and how Apple handles problems such as lost or stolen devices.
“If they implement it in a way that all iPhone and iPad and Macbook users say, ‘Wow this is easy, I’m going to use it,’ it’s a big deal because it’ll get people in the habit of using two-factor [verification] and will make them more willing to use it for their other accounts,” Cranor said.
One of the most significant changes to iOS 9 is its new “,” which encourages developers to build apps using HTTPS, a security protocol that encrypts Internet traffic. HTTPS is typically used on sites when making financial transactions or providing other sensitive information. Apple has not yet made it a requirement, but encourages developers to move to HTTPS “as soon as possible.”
Without a protocol such as App Transport Security, otherwise called “HTTP Strict Transport Security,” to ensure users visit the secure version of the page, they remain susceptible to attacks that can steal personal information.