Inside Apple's move to ramp up security & privacy in iOS 12 & macOS Mojave
Apple used the Platforms State of the Union presentation to detail the privacy and security enhancements it will be including in macOS 10.14 and iOS 12, protecting even more types of user data and making it safer for users to download macOS apps away from the Mac App Store.
In iOS 12, users can be provided with strong passwords that are unique and complex, with the created password populating the password field automatically. The passwords will be offered in sign-up forms within apps, as well as through web forms in Safari, with the passwords synchronized across devices using the iCloud Keychain.
It will also be easier for users to retrieve their saved passwords, with a Siri request taking them to their password list. Users will also be warned if any of their self-created passwords have been reused on other existing accounts, minimizing the potential for an attacker leveraging credentials acquired from one service to access another.
Two-factor authentication will be more convenient, with iOS automatically copying the security code included in text messages to the required field in the app's log-in page. A new Password AutoFill extension will allow third-party password managers to supply passwords that can be quickly added with a tap.
Some elements will also be included in macOS Mojave, including Safari's automatic password creation, iCloud Keychain synchronization, and reused password flagging.
During the keynote, it was revealed users would need to provide permission to macOS apps in order to use an onboard camera and microphone, and to access data such as a user's Mail history and their Messages database. During the State of the Union, Apple said it is extending the permission requirement to cover Safari data, Time Machine and iTunes device backups, locations and routines, and system cookies.
Users will be able to make changes to permissions in the Security & Privacy section of their Mac's System Preferences.
For apps that are distributed outside the Mac App Store, Apple is introducing the option for developers to "Notarize" their apps. Notarization is an extension to Apple's existing Developer ID program for verifying the creators of apps: developers can submit their apps to Apple for review, with notarized apps confirmed by the company to be free of malware and other hazards.
As well as providing an extra level of protection to users, notarizing apps will also make it easier to revoke specific compromised versions of apps compared to the existing signing certificate system, where a revocation can apply to all apps using the same certificate.
Apple advises that the notarization is not an app review process, but one that checks just for security issues. Developers are also warned that future versions of macOS will require Developer ID apps to be notarized before they can be installed.
For personal data protection online, Safari has an enhanced Intelligent Tracking Prevention feature that aims to reduce the number of data points advertisers can acquire. These make up a digital fingerprint, which can be used to track a user's movements online.
Safari's new protections include stopping social media "like" and "share" buttons from providing identifying information. Safari will also present advertisers with a simplified set of system information, one that makes the user's Mac look indistinguishable from those of other Safari users, increasing the difficulty of tracking users by making that data point practically unusable.
Apple has also confirmed macOS Mojave will be the last version of the operating system to support 32-bit apps "without compromises." Developers will need to migrate to 64-bit if they haven't already, if they wish for their apps to be usable with future macOS releases.
Comments
I thought that macOS High Sierra is the last OS to support 32-bit apps?
The next slide said "Mojave is the last macOS release to support 32-bit apps".
"Without compromises" is in reference to High Sierra, exactly what Apple was saying last year. Mojave will run 32-bit applications, but with compromises. Apple has not said exactly what those compromises are.
The version after Mojave (presumably 10.15, due to be released in late 2019) will not run 32-bit applications at all.
2a) I like their changes to passwords and security, but I'm still not going to use Apple's Keychain. I do see there are improvements for 3rd-party password managers, which I hope that more 1st and 3rd-party apps will support, but I really doubt it since that option has been available for years and so very few apps are supporting it.
2b) One great addition is the app being able to tell Apple's password generator how complex the apps can be. I've been wanting something like that for many years for websites. I envision something public and standardized, like robots.txt, that any password manager extension can read to get the minimum, maximum, and character options usable for creating a password.
I wonder how many developers knew they were going to be breaking a different kind of sweat at WWDC?
I'm talking about programs that run on a computer and don't connect to anything "outside". There are plenty with a lot of value, utility, and that do things that no paid-for program does. Take a look over the wall in the garden, you may find that a whole world exists outside with some wonderful things in it!
I mean, sure, they can do whatever they want - their product. It's a pity that they'll lose the halo effect from all those students who would not otherwise be exposed to an Apple product.