Users may be weakest link in Apple ID, iOS security chain
While Apple's robust security practices have made malware a virtual non-factor, iOS device owners should still take care to ensure that they themselves don't become the weak link in the security chain.

A study published this week by internet giant Cisco -- and tweeted by Apple marketing chief Phil Schiller -- paints third-party apps as a leading cause for concern when it comes to security on mobile devices.
"Many users download mobile apps regularly without any thought of security," the report says.
Malware is not Cisco's biggest worry when it comes to mobile apps, though. The honor goes instead to age-old social engineering techniques like phishing, in which malicious individuals try to dupe unsuspecting users into handing over personal information like usernames, passwords, and financial details by pretending to represent legitimate businesses -- the notorious "Nigerian prince" e-mail scam is one popular example.
The problem is compounded by the implicit trust users often place in content from the App Store. This week also saw Apple settle with the Federal Trade Commission over in-app purchases, a dispute which boiled down to parents blindly supplying their Apple ID password to their kids without taking the time to understand the implications.
In that case, the parents simply saw a few more charges on their credit cards. The same action in a different context could have much more far-reaching consequences, and this issue has been the subject of a recent kerfuffle in the iOS developer community.
Well-liked social calendaring app Sunrise has come under fire for asking users to enter their Apple ID credentials when adding iCloud calendars, rather than using iOS's built-in calendar access API. Sunrise uses this information for a legitimate purpose -- services running on their servers facilitate key features that would be difficult or impossible to implement without that access.

Sunrise calendar's iCloud setup pane | Screenshots by Marco Arment
The problem, as articulated by Instapaper creator Marco Arment, is that the Apple ID has become a de facto key to many iPhone and iPad users' lives. Consider what happens when an iOS device is restored from an iCloud backup: iMessages, keychain data, email accounts, calendars, contacts, and data-filled apps are all happily retrieved from the cloud.
Of course, users are notified when a new device is added to an account, but even if they take notice of the message, it may be too little too late. Wired reporter Mat Honan had such an experience in 2012:
"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook," Honan wrote.
The attack on Honan was overt, carried out by hackers whose aim was notoriety, and thus easily noticed. What if it were a more subtle assault, though? Surely many people would blanch at the thought of a stranger collecting weeks or months of sensitive iMessage conversations.
Attackers needn't even go to the trouble of sneaking a phishing app into the App Store. Many services store access credentials on cloud servers, which present an exponentially larger number of attack vectors -- Sunrise was the victim of an attack on its web infrastructure last November, and was forced to warn users to reset their iCloud passwords.
Fortunately, these potential problems are easily mitigated by the application of common sense. Just as users wouldn't provide their social security number to a stranger on the street, they should carefully evaluate which services have access to their Apple ID. Apple also allows for the use of multiple accounts on a single device -- one can be used for sensitive information such as iCloud keychain, while another could synchronize less important data like calendars.
Comments
So long as there is a human involved in any part of the security link, it will always be a point of failure. Why is this even news?
It would be easy to say Apple needs to revamp the whole Apple ID system, but that hardly seems practical or even worth the trouble. Apple knows exactly how confusing and problematic it can be and it's within their umbrella of acceptable costs to just leave it as is.
They should change the title to "users are the weakest link...."
If parents are giving the password to their kids for in-app purchases, they have no case.
WE are the weakest link.
Sorry, I couldn't help reading this and hearing Anne Robinson's voice.
It's because they are lazy f*cks.
If you frequent the Apple discussion forums on a regular basis you soon notice user after user wanting to know how to turn off security features. From certificates to Flash, to Adobe Reader, they demand to be shown how to turn off anything that takes an extra step to do something. And I can just imagine what their passwords look like, as well as their total lack of a backup strategy. It’s amazing.
ASD123?
Now I got to change mine.
That's just silly, it always comes down to human error being the weakest link. Especially some of the people I've seen.
Sorry, I couldn't help reading this and hearing Anne Robinson's voice.
I recall a David Gilmour show from 2000 where he was taking a very long time tuning his guitar between songs and the audience was very quiet, until one guy loudly said 'you are the weakest link. Good night!', followed by huge laughter!
It was pretty funny.
Of course Apple deleted iTunes ability to do sync locally and separate from iCloud -- forcing everything into the cloud. This is one of the most bone-headed moves Apple has made in a long time! Hope they restore it!!!
What are you talking about? You still can sync locally. That never changed, I am looking at the sync settings in iTunes 11.1.3 now.
Change sync from iCloud to "This computer". Couldn't be easier.
I really cannot stand people who speak FUD without looking first. THAT is bone-headed sir.
You have hit the hammer on the head. Seriously, not having the option to sync locally is really a major faux pas. The entire iCloud system is completely flawed. It is created for one individual, using numerous iDevices. Unfortunately, iMacs are seldom used by individuals - MacBook Pros yes, but iMacs no. The iMac is a Family Computer. And this is where the stuff gets confusing:
1. If you have separate user IDs on the one iMac, then you have to buy songs/apps more than once. Solution: Use separate Apple IDs to log into each screen, but one Apple ID for all to use with iTunes. That works, but it's cumbersome. And it's hit or miss if the iTunes login also counts as the ID login for the session that you are in. Confused yet? Essentially, you can sometimes get that you are logged in as the screen login that you logged in with or logged in as the iTunes account holder.
2. Secondly, if you try to use FaceTime with this, the computer gets totally confused. You will get messages showing "ID A is linked to this iMac, ID B is linked to this iMac....." and so on. In addition you can text to whomever from the computer to someone with an iCloud ID, but you may or may not receive a response, because that person may not be sending from an iCloud account. Ugh?
3. Then there's the device issue. The Apple Geniuses will state that Apple IDs are for identifying people using their devices and not iTunes. When I spoke with another about the confusion, he stated that this is just for Apple to send things to the right place. Not quite! Apple clearly states on their site that Apple IDs control everything - iTunes, App Store and essentially all communications with Apple. So if you use one Apple ID for everyone in your family, then everyone in your family will get your text messages, apps and just about everything. If you use separate IDs, then you have to find a way to get the right information through, while not paying for songs or apps twice.
It's still hit or miss, and I proposed a real solution a long time ago. Something that Amazon appears to be implementing, albeit slowly: Create a Master ID. Let users within a family make Sub-IDs but have the Master ID make purchases etc. Attach all purchases to the Master ID. I think that this would solve the problem.
Right now, it's just a confusing mess. iPhoto is another example of this, but that's for another day (i.e. Is iPhoto using your ISP or iCloud?). Sorry for the length of this, but it's really gotten to me as well and I consider myself relatively knowledgeable.
Like my mother used to say, the problem with building anything foolproof is that the Almighty keeps making better fools.