Users may be weakest link in Apple ID, iOS security chain

Posted:
in iPhone edited June 2014
While Apple's robust security practices have made malware a virtual non-factor, iOS device owners should still take care to ensure that they themselves don't become the weak link in the security chain.

Apple ID


A study published this week by internet giant Cisco --?and tweeted by Apple marketing chief Phil Schiller -- paints third-party apps as a leading cause for concern when it comes to security on mobile devices.

"Many users download mobile apps regularly without any thought of security," the report says.

Malware is not Cisco's biggest worry when it comes to mobile apps, though. The honor goes instead to age-old social engineering techniques like phishing, in which malicious individuals try to dupe unsuspecting users into handing over personal information like usernames, passwords, and financial details by pretending to represent legitimate businesses --?the notorious "Nigerian prince" e-mail scam is one popular example.
"Many users download mobile apps regularly without any thought of security," according to Cisco.
The problem is compounded by the implicit trust users often place in content from the App Store. This week also saw Apple settle with the Federal Trade Commission over in-app purchases, a dispute which boiled down to parents blindly supplying their Apple ID password to their kids without taking the time to understand the implications.

In that case, the parents simply saw a few more charges on their credit cards. The same action in a different context could have much more far-reaching consequences, and this issue has been the subject of a recent kerfuffle in the iOS developer community.

Well-liked social calendaring app Sunrise has come under fire for asking users to enter their Apple ID credentials when adding iCloud calendars, rather than using iOS's built-in calendar access API. Sunrise uses this information for a legitimate purpose --?services running on their servers facilitate key features that would be difficult or impossible to implement without that access.

Sunrise Calendar
Sunrise calendar's iCloud setup pane | Screenshots by Marco Arment


The problem, as articulated by Instapaper creator Marco Arment, is that the Apple ID has become a de facto key to many iPhone and iPad users' lives. Consider what happens when an iOS device is restored from an iCloud backup: iMessages, keychain data, email accounts, calendars, contacts, and data-filled apps are all happily retrieved from the cloud.

Of course, users are notified when a new device is added to an account, but even if they take notice of the message, it may be too little too late. Wired reporter Mat Honan had such an experience in 2012:

"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook," Honan wrote.
Surely many people would blanch at the thought of a stranger collecting weeks or months of sensitive iMessage conversations.
The attack on Honan was overt, carried out by hackers whose aim was notoriety, and thus easily noticed. What if it were a more subtle assault, though? Surely many people would blanch at the thought of a stranger collecting weeks or months of sensitive iMessage conversations.

Attackers needn't even go to the trouble of sneaking a phishing app into the App Store. Many services store access credentials on cloud servers, which present an exponentially larger number of attack vectors --?Sunrise was the victim of an attack on its web infrastructure last November, and was forced to warn users to reset their iCloud passwords.

Fortunately, these potential problems are easily mitigated by the application of common sense. Just as users wouldn't provide their social security number to a stranger on the street, they should carefully evaluate which services have access to their Apple ID. Apple also allows for the use of multiple accounts on a single device --?one can be used for sensitive information such as iCloud keychain, while another could synchronize less important data like calendars.
«1

Comments

  • Reply 1 of 26
    MacProMacPro Posts: 18,359member
    Had to laugh, with the exception of Windows OS ... 'Users' have been the weakest link I have ever come across in 35 years in this industry! :D
  • Reply 2 of 26
    sflocalsflocal Posts: 4,685member

    So long as there is a human involved in any part of the security link, it will always be a point of failure.  Why is this even news?

  • Reply 3 of 26
    welshdogwelshdog Posts: 1,694member
    Apple ID problems are one of the most common drivers of calls to Apple support. Maybe even the number one issue. Apple IDs and the associated details can be confusing to people who are not used to managing computer security. There are so many ways users can screw up their Apple ID and the things it governs that it's a bit of a wonder to me how Apple keeps the system afloat. I was an iOS At Home Advisor for a brief period last year. One of the many reasons I could not handle the job was the never-ending calls from people who had forgotten their Apple ID, or changed it and forgotten it, or tried to use two of them with iTunes and got locked out for 90 days or reset the password and never got the validation email . . . or . . . or - on and on. Maddening.

    It would be easy to say Apple needs to revamp the whole Apple ID system, but that hardly seems practical or even worth the trouble. Apple knows exactly how confusing and problematic it can be and it's within their umbrella of acceptable costs to just leave it as is.
  • Reply 4 of 26
    dasanman69dasanman69 Posts: 12,985member
    Had to laugh, with the exception of Windows OS ... 'Users' have been the weakest link I have ever come across in 35 years in this industry! :D

    They should change the title to "users are the weakest link...."
  • Reply 5 of 26
    "Users may be weakest link..." There's no "may be" about it. WE are the weakest link.

    If parents are giving the password to thier kids for in-app purchases, they have no case.
  • Reply 6 of 26
    jungmarkjungmark Posts: 6,709member
    No shit. In fact users are the weakest link in almost everything.
  • Reply 7 of 26
    Quote:
    Originally Posted by lightstriker View Post



    WE are the weakest link.



     

    Sorry, I couldn't help reading this and hearing Anne Robinson's voice. <img class=" src="http://forums-files.appleinsider.com/images/smilies//lol.gif" />

  • Reply 8 of 26
    Different apple id's won't support calendar and keychain because it's iCloud and only 1 I'd for that
  • Reply 9 of 26
    Of course Apple deleted iTunes ability to do sync locally and separate from iCloud -- forcing everything into the cloud. This is one of the most bone-headed moves Apple has made in a long time! Hope they restore it!!!
  • Reply 10 of 26
    Well, good news: Mac OS X and iOS aren't the weakest link.
  • Reply 11 of 26
    Way to state the obvious. Users always have been and always will be the weakest link...this isn't an insult this is a confirmed, tried, tested and true reality in the field of privacy and security.
    It's because they are lazy f*cks.
  • Reply 12 of 26
    Of course Apple deleted iTunes ability to do sync locally and separate from iCloud -- forcing everything into the cloud. This is one of the most bone-headed moves Apple has made in a long time! Hope they restore it!!!
    I'm not sure what you are talking about. I still sync locally. You set it up in iTunes. In fact, icloud is not a full backup.
  • Reply 13 of 26
    lkrupplkrupp Posts: 7,169member

    If you frequent the Apple discussion forums on a regular basis you soon notice user after user wanting to know how to turn off security features. From certificates to Flash, to Adobe Reader, they demand to be shown how to turn off anything that takes an extra step to do something. And I can just imagine what their passwords look like, as well as their total lack of a backup strategy. It’s amazing.

  • Reply 14 of 26
    dasanman69dasanman69 Posts: 12,985member
    lkrupp wrote: »
    If you frequent the Apple discussion forums on a regular basis you soon notice user after user wanting to know how to turn off security features. From certificates to Flash, to Adobe Reader, they demand to be shown how to turn off anything that takes an extra step to do something. And I can just imagine what their passwords look like, as well as their total lack of a backup strategy. It’s amazing.

    ASD123? :lol:
  • Reply 15 of 26
    jungmarkjungmark Posts: 6,709member
    dasanman69 wrote: »
    ASD123? :lol:
    Great.
    Now I got to change mine.
  • Reply 16 of 26

    That's just silly, it always comes down to human error being the weakest link. Especially some of the people I've seen.

  • Reply 17 of 26
    Quote:

    Originally Posted by Napoleon_PhoneApart View Post

     

    Sorry, I couldn't help reading this and hearing Anne Robinson's voice. <img class=" src="http://forums-files.appleinsider.com/images/smilies//lol.gif" />


     

    I recall a David Gilmour show from 2000 where he was taking a very long time tuning his guitar between songs and the audience was very quiet, until one guy loudly said 'you are the weakest link. Good night!', followed by huge laughter!

     

    It was pretty funny.

  • Reply 18 of 26
    Quote:

    Originally Posted by libertyforall View Post



    Of course Apple deleted iTunes ability to do sync locally and separate from iCloud -- forcing everything into the cloud. This is one of the most bone-headed moves Apple has made in a long time! Hope they restore it!!!

    what are you talking about? You still can sync locally. That never changed, I am looking at the sync settings in iTunes 11.1.3 now.

    Change sync from iCloud to "This computer". Couldnt be easier

     

    I really cannot stand people who speak FUD without looking first. THAT is bone-headed sir.

  • Reply 19 of 26
    @libertyforall

    You have hit the hammer on the head. Seriously, not having the option to to sync locally is really a major faux pas. The entire iCloud system is completely flawed. It is created for one individual, using numerous idevices. Unfortunately, iMacs are seldom used by individuals - macbook pros yes, but imacs No. The iMac is a Family Computer. And this is where the stuff gets confusing:

    1. If you have separate user id's on the one imac, then you have to buy songs/apps more than once. Solution: Use separate apple id's to log into each screen, but one Apple id for all to use with iTunes. That works, but it's cumbersome. And it's hit or miss if the iTunes log in also counts as the ID login for the session that you are in. Confused yet? Essentially, you can sometimes get that you are logged in as the screen login that you logged in with or logged in as the iTunes account holder.

    2. Secondly, if you try to use Facetime with this, the computer gets totally confused. You will get messages showing "id A is linked to this imac, id B is linked to this imac....." and so on. In addition you can text to whomever from the computer to someone with an iCloud id, but you may or may not receive a response, because that person may not be sending from an iCloud account. Ugh?

    3. Then there's the device issue. The Apple Geniuses will state that Apple id's are for identifying people using their devices and not iTunes. When I spoke with another about the confusion, he stated that this is just for Apple to send things to the right place. Not quite! Apple clearly states on their site that Apple id's control everything - iTunes, app store and essentially all communications with Apple. So if you use one Apple iD for everyone in your family, then everyone in your family will get your text messages, apps and just about everything. If you use separate iD's, then you have to find a way to get the right information through, while not paying for songs or apps twice.

    It's still hit or miss, and I proposed a real solution a long time ago. Something that Amazon appears to be implementing, albeit slowly: Create a Master ID. Let users within a family make Sub-ID's but have the Master ID make purchases etc. Attach all purchases to the Master ID. I think that this would solve the problem.

    Right now, it's just a confusing mess. iPhoto is another example of this, but that's for another day (ie. Is iPhoto using your ISP or iCloud?). Sorry for the length of this, but it's really gotten to me as well and I consider myself relatively knowledgeable.
  • Reply 20 of 26

    Like my mother used to say, the problem with building anything foolproof is that the Almighty keeps making better fools.

Sign In or Register to comment.