
Understanding iOS passcode security

Marco Tabini | March 8, 2013
Ah, the eternal question: Should you protect your iOS device with a passcode? On one hand, the knowledge that your data is presumably safe from prying eyes makes carrying around your phone and tablet less worrying; on the other, having to tap in a code every time you want to check your email or make a phone call can quickly become annoying.

Apple, for its part, isn't helping make this choice easier for consumers: Methods for bypassing the passcode screen or circumventing it altogether keep getting discovered, and though the company typically provides patches fairly quickly, these security holes don't instill confidence in iOS's ability to keep our data safe.

Besides, passcodes seem inflexible and at times even incompatible with the way we use our devices. I've stopped counting the number of people who have asked me why iOS doesn't use geolocation to automatically engage passcodes when, for example, you leave your house, where you don't need so much protection. And when you leave your passcode-locked device within reach of a toddler, you can find out rather quickly that Apple's deterrents aren't exactly designed with curious children in mind.

A look behind the scenes

On the surface, therefore, passcodes act as little more than gatekeepers to your devices--and thus to the data stored on them. Like a watchful security guard, iOS becomes increasingly suspicious when incorrect codes are tapped in, and it requires longer and longer pauses between attempts until, after it counts ten tries, it either locks the device up for good or--depending on your settings--wipes out the data altogether.

If an iOS device's security consisted of nothing more than a passcode, however, then the system would be ineffective. It's relatively easy for a skilled hacker to bypass this locking mechanism by downloading the contents of your device's flash memory and, thanks to software tools ready-made for this very purpose, gaining access to its every byte in a matter of seconds.

Therefore, Apple, aware that its mobile devices would likely be taken to (and lost in) all sorts of public places, baked security right into its hardware, creating a subtle interplay of technologies in which passcodes play a small but crucial role.

Encryption for all

iPad and iPhone security begins at the factory, where two special codes are burned right into the hardware; the first is a code that's unique to each device, while the second code changes from product line to product line. Thus, for example, each iPhone 5 will have its own unique code, plus a code that identifies it as an iPhone 5.

iOS uses these codes, together with a bit of random data called entropy, to generate a master cryptographic key, which is then stored in a dedicated area of memory called effaceable storage. Even though the hardware codes never change, the entropy ensures that this process, which occurs every time you restore your device, results in a different key every time.
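
The key generation described above, modelled as an added example (not Apple's code and not from the original article): HMAC-SHA256 and the toy cipher are assumed stand-ins, since the article names no algorithms, and `SimulatedDevice` and the sample codes are constructed. It shows that the same hardware codes combined with fresh entropy yield a different key after each restore, so data sealed under the earlier key no longer opens.

```python
import hashlib
import hmac
import os

def _prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def derive_master_key(device_code, product_code, entropy):
    # Assumed stand-in: the article names no derivation algorithm.
    return _prf(device_code + product_code, entropy)

def _keystream(key, nonce, length):
    # Toy HMAC counter-mode keystream, for illustration only.
    blocks = (_prf(key, b"enc", nonce, i.to_bytes(4, "big"))
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + body + _prf(key, b"mac", nonce, body)

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce, body)):
        return None  # wrong key or modified data
    return _xor(body, _keystream(key, nonce, len(body)))

class SimulatedDevice:
    def __init__(self, device_code, product_code):
        self._codes = (device_code, product_code)  # fixed at the factory
        self.effaceable_storage = None             # holds the master key
        self.restore()

    def restore(self):
        # Fresh entropy on every restore, so the key differs each time.
        self.effaceable_storage = derive_master_key(*self._codes, os.urandom(32))

def demo():
    device = SimulatedDevice(b"constructed-device-code", b"constructed-line-code")
    old_key = device.effaceable_storage
    blob = seal(old_key, b"constructed mail database")
    before = unseal(device.effaceable_storage, blob)
    device.restore()
    after = unseal(device.effaceable_storage, blob)
    return old_key != device.effaceable_storage, before, after
```

Calling `demo()` returns whether the key changed, the plaintext recovered before the restore, and the result of trying to open the same blob afterwards.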
