AT&T, Sprint, T-Mobile and Verizon reveal plan for new phone-number based app authenticati...

On Thursday the four major national U.S. carriers -- AT&T, T-Mobile, Sprint, and Verizon -- revealed plans for a new authentication platform that could add an extra layer of security for people using apps on Apple's iPhone and other mobile devices.




The nameless technology will provide a "cryptographically verified phone number and profile data" for people using supported apps, the companies said in a joint announcement. To achieve this, the platform will also rely on data such as how long a phone number has been held, its account type, IP address, and SIM card details.

"In addition, advanced analytics and machine learning capabilities will be used to help assess risk and protect customers," the announcement added, without elaborating on the point.

Developers will have to submit apps through a blockchain-based system. Internal trials of the technology are slated to start in the next few weeks, in preparation for launch later in 2018.

The platform is aimed at countering problems like fraud and identity theft. iPhone apps can sometimes use a hodge-podge of security measures, since apart from iCloud and on-device systems like Face ID, Touch ID, and passcodes, apps connect to external systems beyond Apple's control.

Comments

  • Reply 1 of 16
    rob53 Posts: 3,241 member
    Don't understand why these cellular companies think they have any right to validate apps that are on my iPhone. They are a service and have nothing to do with my identity or my information. I can use my phone exclusively on a WiFi network and never touch cellular, therefore they have no reason to touch anything other than their cellular software. The last thing I want is for Verizon to be handing any type of security on my iPhone--just another way for Verizon, then the FBI/NSA, to get data off my phone. I don't see this as helping Apple in any way.
  • Reply 2 of 16
    TomE Posts: 172 member
    Would like to see the 4 major companies get together and put a stop to telemarketing where the caller uses a Fake telephone number, location, etc.
    This needs to stop.
  • Reply 3 of 16
    SpamSandwich Posts: 33,407 member
    What the heck? Well, obviously no developers are going to allow the phone companies to act as an intermediary. LOL!
  • Reply 4 of 16
    seanismorris Posts: 1,624 member
    Data slurp as a service?

    It sounds like the only one that benefits is the ISPs...
  • Reply 5 of 16
    airnerd Posts: 693 member
    So I get a new wifi iPad and can't access some of my apps since I have no phone number tied to it?
  • Reply 6 of 16
    If someone who got their hands on your phone can defeat Touch ID or Face ID, how will this help?

    It won't. What a big bag of nothing.
  • Reply 7 of 16
    dewme Posts: 5,332 member
    This will in no way replace the app level authentication & authorization model used within Apple's ecosystem, which is based on a centralized authority. This could be layered on top of Apple's system with no loss in Apple's security posture. In fact, from a defense-in-depth perspective it would add another layer, albeit with some potential usability degradation.  Since it's blockchain based it wouldn't impair or override Apple's security model in any way. It also wouldn't be establishing any of the carriers as security authorities and they would not suddenly be capable of holding any of our secrets they don't already have through our subscriptions. This type of capability will be a big improvement over many existing username+password or simple hash capabilities on web based and mobile applications that don't have something like iCloud and AppStore behind them.

    The technology choices sound right but I'm more than a bit curious why this effort is being pushed through by a consortium of business vendors rather than a standards organization with government backing like IANA/CIS/NIST/etc. My guess would be that these vendors realize that without a drastic improvement in the overall security that their customers need (yesterday if not sooner) their whole business model could collapse. So while this is really something that governments and standards bodies should be addressing with a much greater sense of urgency - they just can't sit around and wait any longer. Action is needed.
    edited March 2018
  • Reply 8 of 16
    dipdog3 Posts: 89 member
    How about they work to stop spam and fraudulent calls using spoofed numbers instead?

    Google has somehow managed to curb spam getting into my inbox, why can't the wireless carriers prevent scammers in third world countries from calling my phone with a spoofed number in order to steal my information?
    edited March 2018
  • Reply 9 of 16
    aricb Posts: 27 member
    This is likely either a sneaky cash grab by the phone companies by opening the door to surcharging for apps, an NSA scheme, or both. I second the idea that telephone number spoofing needs to be solved.
  • Reply 10 of 16
    As is practice today, if an app requires authentication you disagree with, don't use the app. It's like every app that requires you to log in to Facebook first: I simply don't use them. They've lost a customer by taking away my choice.
  • Reply 11 of 16
    dewme Posts: 5,332 member
    thisisasj said:
    As is practice today, if an app requires authentication you disagree with, don't use the app. It's like every app that requires you to log in to Facebook first: I simply don't use them. They've lost a customer by taking away my choice.
    I totally agree. But that's only one aspect of the larger problem. Another part of the problem that these companies are trying to solve is to block nefarious apps from getting on to their customers' devices in the first place. As we know, Apple does a pretty good, but not perfect, job with this already on iOS and to a lesser degree on macOS. Other systems are not so great. With more always-connected devices and computers being on the horizon these companies want to get out ahead of what could be a big impediment to their business model. In many ways what they are proposing only further validates the benefits that Apple has with the App Store / "walled garden" model. Apple staked their future to the walled garden more than a decade ago and has always had to defend. Now these companies are suddenly seeing the light in terms of the benefits the walled garden provides and are trying to capture some of its qualities without having to do all of the work and make the investments that Apple has made. Keep in mind that they are only talking security and authentication. There's nothing in there about fitness, quality, usability, compatibility, etc., which are all values that Apple provides. They just want to be able to tell their customers - "this app probably won't kill you." It may still totally suck, but that's not something they care about. Apple cares.
  • Reply 12 of 16
    TomE said:
    Would like to see the 4 major companies get together and put a stop to telemarketing where the caller uses a Fake telephone number, location, etc.
    This needs to stop.
    UGH, YES! x1000000000 - it's so annoying, and what is the gov doing to these scammers that are violating the DO NOT CALL List?
  • Reply 13 of 16
    mac_dog Posts: 1,069 member
    Read the fine print. Look for governmental involvement and/or oversight.*

    *It's the only kind of oversight they will be diligently pursuing.
  • Reply 14 of 16
    Beware of "security methods" that put someone other than you in control, especially for no apparent reason.
  • Reply 15 of 16
    vmarks Posts: 762 editor
    dewme said:
    This will in no way replace the app level authentication & authorization model used within Apple's ecosystem, which is based on a centralized authority. This could be layered on top of Apple's system with no loss in Apple's security posture. In fact, from a defense-in-depth perspective it would add another layer, albeit with some potential usability degradation.  Since it's blockchain based it wouldn't impair or override Apple's security model in any way. It also wouldn't be establishing any of the carriers as security authorities and they would not suddenly be capable of holding any of our secrets they don't already have through our subscriptions. This type of capability will be a big improvement over many existing username+password or simple hash capabilities on web based and mobile applications that don't have something like iCloud and AppStore behind them.

    The technology choices sound right but I'm more than a bit curious why this effort is being pushed through by a consortium of business vendors rather than a standards organization with government backing like IANA/CIS/NIST/etc. My guess would be that these vendors realize that without a drastic improvement in the overall security that their customers need (yesterday if not sooner) their whole business model could collapse. So while this is really something that governments and standards bodies should be addressing with a much greater sense of urgency - they just can't sit around and wait any longer. Action is needed.
    Please explain the vulnerability that users are suffering under worldwide which requires this sense of urgency.

  • Reply 16 of 16
    vmarks Posts: 762 editor
    dewme said:
    thisisasj said:
    As is practice today, if an app requires authentication you disagree with, don't use the app. It's like every app that requires you to log in to Facebook first: I simply don't use them. They've lost a customer by taking away my choice.
    I totally agree. But that's only one aspect of the larger problem. Another part of the problem that these companies are trying to solve is to block nefarious apps from getting on to their customers' devices in the first place. As we know, Apple does a pretty good, but not perfect, job with this already on iOS and to a lesser degree on macOS. Other systems are not so great. With more always-connected devices and computers being on the horizon these companies want to get out ahead of what could be a big impediment to their business model. In many ways what they are proposing only further validates the benefits that Apple has with the App Store / "walled garden" model. Apple staked their future to the walled garden more than a decade ago and has always had to defend. Now these companies are suddenly seeing the light in terms of the benefits the walled garden provides and are trying to capture some of its qualities without having to do all of the work and make the investments that Apple has made. Keep in mind that they are only talking security and authentication. There's nothing in there about fitness, quality, usability, compatibility, etc., which are all values that Apple provides. They just want to be able to tell their customers - "this app probably won't kill you." It may still totally suck, but that's not something they care about. Apple cares.
    Apple does a near-perfect job of preventing malware on the user's device.
    Google does a pretty good, but not perfect, job of it.
    Microsoft did a fantastic job of it, by deleting their app store, and then Windows Phone.
    Tizen likewise does a great job by having no customers.

    There is no practical exploit in the wild that requires this nonsense.

    This is about the carriers trying to make themselves gatekeepers again. We know what happens when they're gatekeepers. They have control, and they use it ostensibly to protect their network, by crippling the user's ability to use it. When all updates for Android devices had to be approved by individual carriers who took months to evaluate and approve them, users were actively harmed by not getting timely security updates and features. It trained the device manufacturers to not bother with updates, because the carriers were simply too rigid as gatekeepers to be useful. They lost that control with Apple and Google over apps, and have lost it with Google over updates for the most part. When they have this control, they use it as a weapon against consumers. 