Now, how about all those whiz-bang new features in iOS 6? What are the security pitfalls for a consumer to avoid there? I'm glad you asked.
Let's start with Passbook. You can store movie tickets, boarding passes, payment credentials and a slew of other types of data in Passbook, provided that your vendor's app supports it. Passbook promises to be a convenient, single place to store things like that so that you can quickly access the bar-code data when you're at a movie theater, supermarket, airport and so on.
So how secure is Passbook? Well, it's brand new, so the jury is still out. Any application that touches our finances needs the highest levels of security. Encryption of the user data is a minimum requirement. Does Passbook adequately encrypt that data so your passes are protected on a lost or stolen device? Apple hasn't said. It needs to; with Passbook, it can't afford to display the cavalier attitude toward security that it sometimes has demonstrated.
In any event, the fact that a Passbook pass can be displayed on a device's lock screen means that Passbook isn't (at least by default) using the strongest built-in encryption supported by the platform. This reinforces my recommendations to use a strong passcode and to turn off access to passes on a locked device.
Until Apple is more forthcoming and the security community has done deep analysis on Passbook, it's probably best to use it only for things that you don't consider real money. I'll be testing it that way. And I would strongly suggest that you steer clear of Passbook if you aren't going to use a strong passcode on your device.
There's another hidden consumer security issue in iOS 6. Prior to this release, your apps had access to your device's Unique Device Identifier (UDID). Apps could, and frequently did, use the UDID to track users and sessions, as well as to collect marketing data about your usage. Apple wisely deprecated access to UDIDs recently, and apps that still read them are now rejected by the review process in the Apple App Store, so the UDID is effectively inaccessible to apps.
That's all to the good, but UDIDs have been replaced by a thing internally called "identifierForVendor." This identifier, which is unique per vendor, can be used similarly to UDIDs for tracking your activities, sessions, etc.
How is that an improvement? For one thing, each vendor identifier gets wiped when the device is wiped, so if you decide to sell your device, the new user won't get your same ID.
The nice part for consumers: You have the ability to restrict access to vendor identifiers. (Go to Settings --> General --> About --> Advertising and turn ON the "Limit Ad Tracking" toggle.)