iOS 8: Still Not Completely Secure

Kashmir Hill, Forbes:

It may be that the passcode doesn’t wind up protecting people as much as you might think from the headlines around Apple’s big move. Jonathan Zdziarski, a iDevice forensics expert, points out that his forensics software can still pull some data off a locked iPhone and that police could access much more if they seized a machine paired with your iPhone that would grant them access. Meanwhile security technologist Ashkan Soltani says that a majority of users likely use the iCloud to back up their devices, and Apple can hand over information from the iCloud to law enforcement if they have a warrant. “That’s still a huge hole,” says Soltani.

Apple is not in the business of selling your data to advertising companies; Apple is in the business of selling you stuff, like iPhones and Macs. One major concern, thanks to what the NSA and a bunch of hackers have been, are, and will continue doing, is user privacy. The recent phishing attack on celebrity iCloud accounts led to the leak of many private photos not meant to be seen by the public. The NSA has been engaged in a wholesale collection of communications data, which U.S. citizens assumed were private.

Apple wants to make its stuff as secure as possible; it is in the company’s interest to do this. I want my iPhone, iPad, and Mac to be more secure. Not because I have anything to hide, but because I do not want it to be so easy for anyone working at the NSA to access my devices. If I am the target of an investigation and am given a warrant to surrender my data I will freely give access to all of my devices, but until then I would like to keep my data, my communications, safe from the curious eyes of NSA agents. I do not think I am alone in desiring privacy from our government, and so an iPhone that is more secure will sell more than a less secure one. I will give credit where credit is due and Apple deserves credit for what they have done. Unfortunately the celebrity nude photo phishing debacle had to kick Apple in the butt for the company to add two-step verification to iCloud, but Apple has been working for quite some time to make it difficult for hacking tools to pull private data off iOS devices. iOS 8 encrypts data using your passcode. That means without your passcode the data stored in your iPhone is safe, in general. Unfortunately, forensics expert Zdziarski was able to pull data from a passcode-locked iPhone:

While your photos and messages might indeed now be encrypted with a key derived from your PIN, the pairing records stored on your desktop have a “backup copy” of your keybag keys (the escrow bag), which can be used to unlock the encryption on your phone – without a PIN. Again, this was added so that iTunes could talk to your phone while it is still locked.

Here is what Zdziarski recommends Apple do: “offer the user the option (via iTunes) to prevent the iPhone from being accessible at all while locked.”

No system is completely secure, but Apple has made phishing for and hacking into private data stored in iOS devices and on iCloud more difficult. Apple has to balance ease of access with secure to access, so I realize it is not simply a matter of adding and enabling all sorts of security protocols to iOS, iCloud, and OS X, but I think the company is moving in the right direction. I am coming to terms that only a fool would trust his private data to a company whose modus operandi is to gather as much data about him and sell that data to the highest bidder. I think it wiser to trust a company with little to no such business incentive.