
Users may be weakest link in Apple ID, iOS security chain

post #1 of 27
Thread Starter 
While Apple's robust security practices have made malware a virtual non-factor, iOS device owners should still take care to ensure that they themselves don't become the weak link in the security chain.


A study published this week by internet giant Cisco -- and tweeted by Apple marketing chief Phil Schiller -- paints third-party apps as a leading cause for concern when it comes to security on mobile devices.

"Many users download mobile apps regularly without any thought of security," the report says.

Malware is not Cisco's biggest worry when it comes to mobile apps, though. The honor goes instead to age-old social engineering techniques like phishing, in which malicious individuals try to dupe unsuspecting users into handing over personal information like usernames, passwords, and financial details by pretending to represent legitimate businesses -- the notorious "Nigerian prince" e-mail scam is one popular example.
The problem is compounded by the implicit trust users often place in content from the App Store. This week also saw Apple settle with the Federal Trade Commission over in-app purchases, a dispute which boiled down to parents blindly supplying their Apple ID password to their kids without taking the time to understand the implications.

In that case, the parents simply saw a few more charges on their credit cards. The same action in a different context could have much more far-reaching consequences, and this issue has been the subject of a recent kerfuffle in the iOS developer community.

Well-liked social calendaring app Sunrise has come under fire for asking users to enter their Apple ID credentials when adding iCloud calendars, rather than using iOS's built-in calendar access API. Sunrise uses this information for a legitimate purpose -- services running on their servers facilitate key features that would be difficult or impossible to implement without that access.

Sunrise calendar's iCloud setup pane | Screenshots by Marco Arment


The problem, as articulated by Instapaper creator Marco Arment, is that the Apple ID has become a de facto key to many iPhone and iPad users' lives. Consider what happens when an iOS device is restored from an iCloud backup: iMessages, keychain data, email accounts, calendars, contacts, and data-filled apps are all happily retrieved from the cloud.

Of course, users are notified when a new device is added to an account, but even if they take notice of the message, it may be too little too late. Wired reporter Mat Honan had such an experience in 2012:

"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook," Honan wrote.
The attack on Honan was overt, carried out by hackers whose aim was notoriety, and thus easily noticed. What if it were a more subtle assault, though? Surely many people would blanch at the thought of a stranger collecting weeks or months of sensitive iMessage conversations.

Attackers needn't even go to the trouble of sneaking a phishing app into the App Store. Many services store access credentials on cloud servers, which present an exponentially larger number of attack vectors -- Sunrise was the victim of an attack on its web infrastructure last November, and was forced to warn users to reset their iCloud passwords.

Fortunately, these potential problems are easily mitigated by the application of common sense. Just as users wouldn't provide their social security number to a stranger on the street, they should carefully evaluate which services have access to their Apple ID. Apple also allows for the use of multiple accounts on a single device -- one can be used for sensitive information such as iCloud keychain, while another could synchronize less important data like calendars.
post #2 of 27
Had to laugh, with the exception of Windows OS ... 'Users' have been the weakest link I have ever come across in 35 years in this industry!
Use duckduckgo.com with Safari, not Google Search
Been using Apples since 1978 and Macs since 1984
Long on AAPL so biased. Strong advocate for separation of technology and politics on AI.
post #3 of 27

So long as there is a human involved in any part of the security link, it will always be a point of failure.  Why is this even news?

post #4 of 27
Apple ID problems are one of the most common drivers of calls to Apple support. Maybe even the number one issue. Apple IDs and the associated details can be confusing to people who are not used to managing computer security. There are so many ways users can screw up their Apple ID and the things it governs that it's a bit of a wonder to me how Apple keeps the system afloat. I was an iOS At Home Advisor for a brief period last year. One of the many reasons I could not handle the job was the never-ending calls from people who had forgotten their Apple ID, or changed it and forgotten it, or tried to use two of them with iTunes and got locked out for 90 days or reset the password and never got the validation email . . . or . . . or - on and on. Maddening.

It would be easy to say Apple needs to revamp the whole Apple ID system, but that hardly seems practical or even worth the trouble. Apple knows exactly how confusing and problematic it can be and it's within their umbrella of acceptable costs to just leave it as is.
post #5 of 27
Quote:
Originally Posted by digitalclips View Post

Had to laugh, with the exception of Windows OS ... 'Users' have been the weakest link I have ever come across in 35 years in this industry!

They should change the title to "users are the weakest link...."
"I got the answer by talking in my brain and I agreed of the answer my brain got" a 7 yr old explaining his math HW
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #6 of 27
"Users may be weakest link..." There's no "may be" about it. WE are the weakest link.

If parents are giving the password to their kids for in-app purchases, they have no case.
post #7 of 27
No shit. In fact users are the weakest link in almost everything.
post #8 of 27
Quote:
Originally Posted by lightstriker View Post

WE are the weakest link.

 

Sorry, I couldn't help reading this and hearing Anne Robinson's voice. :lol:

post #9 of 27
Different apple id's won't support calendar and keychain because it's iCloud and only 1 ID for that
post #10 of 27
Of course Apple deleted iTunes ability to do sync locally and separate from iCloud -- forcing everything into the cloud. This is one of the most bone-headed moves Apple has made in a long time! Hope they restore it!!!
post #11 of 27
Well, good news: Mac OS X and iOS aren't the weakest link.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #12 of 27
Way to state the obvious. Users always have been and always will be the weakest link...this isn't an insult this is a confirmed, tried, tested and true reality in the field of privacy and security.
It's because they are lazy f*cks.
post #13 of 27
Quote:
Originally Posted by libertyforall View Post

Of course Apple deleted iTunes ability to do sync locally and separate from iCloud -- forcing everything into the cloud. This is one of the most bone-headed moves Apple has made in a long time! Hope they restore it!!!
I'm not sure what you are talking about. I still sync locally. You set it up in iTunes. In fact, icloud is not a full backup.
post #14 of 27

If you frequent the Apple discussion forums on a regular basis you soon notice user after user wanting to know how to turn off security features. From certificates to Flash, to Adobe Reader, they demand to be shown how to turn off anything that takes an extra step to do something. And I can just imagine what their passwords look like, as well as their total lack of a backup strategy. It’s amazing.

post #15 of 27
Quote:
Originally Posted by lkrupp View Post

If you frequent the Apple discussion forums on a regular basis you soon notice user after user wanting to know how to turn off security features. From certificates to Flash, to Adobe Reader, they demand to be shown how to turn off anything that takes an extra step to do something. And I can just imagine what their passwords look like, as well as their total lack of a backup strategy. It’s amazing.

ASD123?
"I got the answer by talking in my brain and I agreed of the answer my brain got" a 7 yr old explaining his math HW
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #16 of 27
Quote:
Originally Posted by dasanman69 View Post

ASD123?
Great.
Now I got to change mine.
post #17 of 27

That's just silly, it always comes down to human error being the weakest link. Especially some of the people I've seen.

My blender/recipe blog: http://blenderinsider.com
post #18 of 27
Quote:
Originally Posted by Napoleon_PhoneApart View Post
 

Sorry, I couldn't help reading this and hearing Anne Robinson's voice. :lol:

 

I recall a David Gilmour show from 2000 where he was taking a very long time tuning his guitar between songs and the audience was very quiet, until one guy loudly said 'you are the weakest link. Good night!', followed by huge laughter!

 

It was pretty funny.

post #19 of 27
Quote:
Originally Posted by libertyforall View Post

Of course Apple deleted iTunes ability to do sync locally and separate from iCloud -- forcing everything into the cloud. This is one of the most bone-headed moves Apple has made in a long time! Hope they restore it!!!

what are you talking about? You still can sync locally. That never changed, I am looking at the sync settings in iTunes 11.1.3 now.

Change sync from iCloud to "This computer". Couldn't be easier.

 

I really cannot stand people who speak FUD without looking first. THAT is bone-headed sir.

post #20 of 27
@libertyforall

You have hit the hammer on the head. Seriously, not having the option to sync locally is really a major faux pas. The entire iCloud system is completely flawed. It is created for one individual, using numerous idevices. Unfortunately, iMacs are seldom used by individuals - macbook pros yes, but imacs No. The iMac is a Family Computer. And this is where the stuff gets confusing:

1. If you have separate user id's on the one imac, then you have to buy songs/apps more than once. Solution: Use separate apple id's to log into each screen, but one Apple id for all to use with iTunes. That works, but it's cumbersome. And it's hit or miss if the iTunes log in also counts as the ID login for the session that you are in. Confused yet? Essentially, you can sometimes get that you are logged in as the screen login that you logged in with or logged in as the iTunes account holder.

2. Secondly, if you try to use Facetime with this, the computer gets totally confused. You will get messages showing "id A is linked to this imac, id B is linked to this imac....." and so on. In addition you can text to whomever from the computer to someone with an iCloud id, but you may or may not receive a response, because that person may not be sending from an iCloud account. Ugh?

3. Then there's the device issue. The Apple Geniuses will state that Apple id's are for identifying people using their devices and not iTunes. When I spoke with another about the confusion, he stated that this is just for Apple to send things to the right place. Not quite! Apple clearly states on their site that Apple id's control everything - iTunes, app store and essentially all communications with Apple. So if you use one Apple iD for everyone in your family, then everyone in your family will get your text messages, apps and just about everything. If you use separate iD's, then you have to find a way to get the right information through, while not paying for songs or apps twice.

It's still hit or miss, and I proposed a real solution a long time ago. Something that Amazon appears to be implementing, albeit slowly: Create a Master ID. Let users within a family make Sub-ID's but have the Master ID make purchases etc. Attach all purchases to the Master ID. I think that this would solve the problem.

Right now, it's just a confusing mess. iPhoto is another example of this, but that's for another day (ie. Is iPhoto using your ISP or iCloud?). Sorry for the length of this, but it's really gotten to me as well and I consider myself relatively knowledgeable.
post #21 of 27

Like my mother used to say, the problem with building anything foolproof is that the Almighty keeps making better fools.

"You can't fall off the floor"   From 128k Mac to 8GB MBP

post #22 of 27
Sunrise is correct, there are limitations to the Calendar APIs in OS X and iOS. Lots of apps require your AppleID to function: BusyCal, MS Outlook, Sparrow. There is no OAuth or similar functionality in CalDAV or IMAP protocols, so there's nothing to do. Either you trust the developer or don't use their app.
post #23 of 27
Quote:
Originally Posted by theipd View Post

@libertyforall

You have hit the hammer on the head. Seriously, not having the option to sync locally is really a major faux pas. The entire iCloud system is completely flawed. It is created for one individual, using numerous idevices. Unfortunately, iMacs are seldom used by individuals - macbook pros yes, but imacs No. The iMac is a Family Computer. And this is where the stuff gets confusing:

1. If you have separate user id's on the one imac, then you have to buy songs/apps more than once. Solution: Use separate apple id's to log into each screen, but one Apple id for all to use with iTunes. That works, but it's cumbersome. And it's hit or miss if the iTunes log in also counts as the ID login for the session that you are in. Confused yet? Essentially, you can sometimes get that you are logged in as the screen login that you logged in with or logged in as the iTunes account holder.

2. Secondly, if you try to use Facetime with this, the computer gets totally confused. You will get messages showing "id A is linked to this imac, id B is linked to this imac....." and so on. In addition you can text to whomever from the computer to someone with an iCloud id, but you may or may not receive a response, because that person may not be sending from an iCloud account. Ugh?

3. Then there's the device issue. The Apple Geniuses will state that Apple id's are for identifying people using their devices and not iTunes. When I spoke with another about the confusion, he stated that this is just for Apple to send things to the right place. Not quite! Apple clearly states on their site that Apple id's control everything - iTunes, app store and essentially all communications with Apple. So if you use one Apple iD for everyone in your family, then everyone in your family will get your text messages, apps and just about everything. If you use separate iD's, then you have to find a way to get the right information through, while not paying for songs or apps twice.

It's still hit or miss, and I proposed a real solution a long time ago. Something that Amazon appears to be implementing, albeit slowly: Create a Master ID. Let users within a family make Sub-ID's but have the Master ID make purchases etc. Attach all purchases to the Master ID. I think that this would solve the problem.

Right now, it's just a confusing mess. iPhoto is another example of this, but that's for another day (ie. Is iPhoto using your ISP or iCloud?). Sorry for the length of this, but it's really gotten to me as well and I consider myself relatively knowledgeable.

Bolded Above: technically, that's what Apple does now with the App/iTunes STORE ID (Master).. and the Apple ID (Slave) is for all of the members of a household. Not to forget: App Store purchases can be used on up to 5 devices. Larger families that have gone all in on Apple devices may find that they have to purchase any given App twice. Now THAT's where it starts to get really difficult.

I definitely agree with you: Apple should look into making this all far easier to understand for everyone... including those like myself that have to try and explain it to people.

NOTE: I like your "Master and Slave" ID naming idea and will be using it next time I have to explain this. Just need to be sure I'm using it in the right time and place...
Knowing what you are talking about would help you understand why you are so wrong. By "Realistic" - AI Forum Member
post #24 of 27
Quote:
Originally Posted by theipd View Post

@libertyforall

Right now, it's just a confusing mess. iPhoto is another example of this, but that's for another day (ie. Is iPhoto using your ISP or iCloud?). Sorry for the length of this, but it's really gotten to me as well and I consider myself relatively knowledgeable.

I will agree that it is a bit confusing for most people. Especially iPhoto.

I've been hoping that Apple would find a far more elegant way using libraries, or at the very least, have a sort of "mini-server" built in. However, I run across a lot of small businesses that still don't understand User Privileges (ACLs), server folder permissions, Multi vs. Single User accounts, etc. So I'm sure Apple's engineers have and are looking into this... it definitely is a tricky undertaking.

Explaining the premise of "libraries" rather than self maintained folder structures will start a legendary fight with most people. In fact it is the #1 reason that most people tell me they prefer Android, Windows, whatever: they understand the idea of plugging something into a computer (or inserting a USB stick or SD card) and seeing a folder structure to drag things into.

Managed libraries on the other hand cause just about everybody I meet to go cross-eyed, because they don't understand the power of having 1 piece of data (such as a picture or music title), meta-tagged properly, then searching and adding it to as many structured lists of their choice they want i.e. Collections, Albums, Playlists, etc., bypassing the simple name, date, color, etc. file structure of a folder... all from only ONE actual data file. Basically: a far more powerful and "obvious" advantage to simply creating "aliases" all over the place... which I might add, that many people also don't know how to use properly... if at all. As an example, I can walk into most ad agencies or print shops and clean half a hard drive from exact duplicates, replacing them with aliases, and the designers go, "Huh!?".

Last but not least: this leads me to teaching folks how to get the most out of "tags" in Mavericks. I love 'em(!)... but probably because I've been using 3rd party software solutions for years now.

My apologies for getting side-tracked. Just wanted to make a point how difficult it is for Apple to recreate the library approach, when many (most?) don't understand how to use it now. Apple is certainly doing their best by staying stubborn and forcing people on iOS devices to accept the lack of folders and get them ready for the future. Because IMHO, the main reason they are sticking to their guns, is they know that eventually... folder structures WILL be the thing of the past and no longer be "front facing" for the user.

And before you start to bash Apple: Microsoft and Google know this too and are also working towards abolishing folder structures. Think: meta-data(base)...
Knowing what you are talking about would help you understand why you are so wrong. By "Realistic" - AI Forum Member
post #25 of 27
Originally Posted by theipd View Post
Seriously, not having the option to sync locally is really a major faux pas.

 

Don’t just listen to people without knowing for yourself. He’s wrong.

 

It is created for one individual, using numerous idevices.

 

Yeah, that’s why it’s called an account, not “an accounts”.

 

Unfortunately, iMacs are seldom used by individuals - macbook pros yes, but imacs No. The iMac is a Family Computer. 
 

So each member of the family has their own account. Not that hard to understand.

 
1. If you have separate user id's on the one imac, then you have to buy songs/apps more than once. 

 

Totally incorrect.

 
Solution: Use separate apple id’s…

 

Your local username is NOT an Apple ID.

 
…but it’s cumbersome.

 

No, it isn’t.

 
And it's hit or miss if the iTunes log in also counts as the ID login for the session that you are in. 

 

No, you just don’t have the SLIGHTEST clue what you’re talking about.

 
Essentially, you can sometimes get that you are logged in as the screen login that you logged in with or logged in as the iTunes account holder.

 

No. This can never happen. Because your local username IS NOT AN APPLE ID.

 
So if you use one Apple iD for everyone in your family, then everyone in your family will get your text messages, apps and just about everything.

 

Yeah. That’s because ONE account is meant to be used with ONE person.

 

It cannot be hard for you to understand.

 
…while not paying for songs or apps twice.

 

Except no. Because you don’t have the right to do that. Because it’s illegal. Suck it up and pay for it.

 
 Right now, it's just a confusing mess.

 

No, YOU’RE confused because you lack very crucial information.

Originally Posted by asdasd

This is Appleinsider. It's all there for you but we can't do it for you.
post #26 of 27

Vociferous reply, but I stand by my points made above.  I think that if you have the ability to skirt these problems, you should post a guide on how to circumvent these issues, such as setting up 1 iTunes account to cover a family.

 

In regards to the login screen name, I think that you will find in Mavericks that the login screen name is one thing, and as you have stated correctly not related to your iTunes login ID, but once you use the iTunes login, that becomes YOU.   In other words, I could have a screen name called Squiggly, and an iTunes name called Woodward, but Woodward is the main beast.  Another confusing iteration. 

 

I think that many would not agree with your premise that a family of four should have to buy an iTunes purchase 4 times, just to satisfy some whim.  This is completely against Apple's edict from day one.   When there was just one iD nobody purchased an item 4 times.   The separate iD's were not supposed to create separate purchasing accounts, but they do now.   That is a major issue.

 

I don't mind you flaming me, nor do I mind you insulting the hell out of me, but what would be nice is if you explained in plain English just how you would propose to resolve these issues.   You can call the rest of us idiots who don't understand and that's fine, but just remember that it's IDIOTS like me who support Apple by buying their products which are supposed to be easy to use.  Additionally, if you have a family or multiple people signing into your account, please put up how you resolved the issues that I discussed above.   If not, then I would say that you are not understanding the issues brought up in my original post.

 

Respectfully.

post #27 of 27
Originally Posted by theipd View Post

In other words, I could have a screen name called Squiggly, and an iTunes name called Woodward, but Woodward is the main beast.  Another confusing iteration. 

 

I fail to see at all how that could possibly be confusing.

 
I think that many would not agree with your premise that a family of four should have to buy an iTunes purchase 4 times, just to satisfy some whim.

 

Yeah, the “law”; what a whim that is¡ :no:

 
When there was just one iD nobody purchased an item 4 times.

 

Your implications that 1. the law has changed since the creation of iCloud and 2. that separate accounts have ever magically had the ability to redownload things for free are utter nonsense.

 
 The separate iD's were not supposed to create separate purchasing accounts, but they do now.

 

Are you crazy? OF COURSE THEY’RE SEPARATE PURCHASING ACCOUNTS. THEY’RE SEPARATE IDS. Separate IDs for separate people under laws that restrict–and have always restricted–the purchase of an item to ONE PERSON.

 

This has never not been the case.

 

what would be nice is if you explained in plain English just how you would propose to resolve these issues.


If you have four accounts, you buy the content four times. Can’t possibly be that hard to understand.

 

The thing about iTunes and iCloud is that they’re a cinch to manage separately. I’ve had an iTunes Music Store account since 2003. I say “iTunes Music Store” because that’s what it was called way back then. And since Apple has had to manage these accounts for over a decade now, the introduction of iCloud had to mesh with them.

 

If you’re a user new to Apple, you get an iCloud account, use it to manage your syncing and buy content, and boom, done. As simple as possible.

 

If you’ve had an iTunes account previously, you get to make a choice. Either you now use your iCloud account for purchases and everything else, or you keep using your iTunes account for purchases and your iCloud account for syncing.

 

I–and many others–have chosen the latter. Because that’s the second simplest thing to do.

 

So how does that work? Couldn’t be easier. You input your iCloud information into iCloud and turn on everything that iCloud does. Then you put your iTunes account information into iTunes. OS X and iOS understand that they’re separate. OS X and iOS understand that you mean to have purchases tied to the iTunes account. OS X and iOS do not confuse the two accounts, even though you, the user, might.

 

Since the beta of iCloud, I have not once had a single mishap in tying content to one account or the other. Because there’s no possible way TO have a mishap. iTunes saves my iTunes information. iCloud saves my iCloud information. iCloud, having always been used for syncing, is known to me subconsciously as my sync service. iTunes, having always been used for buying, is known to me subconsciously as my buying service.

 

As to having a “family” iCloud account, you’ll have to decide what content is applied to that account. Since the service is explicitly not designed to do this, anything you try to do with it will be considered a workaround.

 

The easiest things to do with a “family” iCloud account are using it as a communal media box and a communal calendar. Just input the iCloud information into each device’s iTunes store. Mail, Contacts, Safari, Keychain, and Photos make little sense to sync, so turn those off on the relevant devices. Calendar, Notes, and Reminders might have purpose to you, so keep those on.

Originally Posted by asdasd

This is Appleinsider. It's all there for you but we can't do it for you.