iOSDevSWE

About

Username
iOSDevSWE
Joined
Visits
29
Last Active
Roles
member
Points
123
Badges
0
Posts
27
  • Apple will try to talk its way out of a $40 billion fine on Tuesday

    I’m an iOS developer working for the government in the EU. Because of my job I often meet with Apple, who ask us about possible ways to improve our use of iPhones. At the last meeting, which I had with a woman who came especially from Apple London, the question of NFC came up. For us obviously we are not interested in using NFC for a payment solution but for writing NFC DESFire cards to replace keycards. That person told me it was not possible as it’s interfering with Apple Pay… and now they say they do not?
    And please, keep your “we hate Americans” comments away, because it is not true. I do not want to use Android phones but because of the way Apple has closed NFC we still have to use droid phones as well for some use cases (which sucks).
    The solution is actually really easy as I mentioned to her: create a programme where companies get granted a special entitlement (like critical notifications) that can easily be revoked if a company is not following Apple’s guidelines. I’m still waiting for the response from Apple on this one. In the meantime I didn’t know they were going to trial because of that. I would say it’s a pity, Apple should listen more to its premium users’ and government agencies’ requests (as long as it’s reasonable like in my case, I’m not asking for backdoors in their iPhones 😉).
  • Apple gives the Mac a giant visual overhaul with macOS Big Sur

    “Update not found” ... the quality of service has dropped at Apple...
  • Apple Watch Ultra has exposed screws, but still a difficult repair

    Please AppleInsider, check your maths! If the battery on the Series 8 is 1.19Wh and the Ultra has 2.1Wh it is an increase of (2.1-1.19)/1.19 hence 76%! Not 60% 😉 However, the Series 8 is 60% smaller than the Ultra (because then you do (2.1-1.19)/2.1). Basic maths.
    If you are not convinced, imagine a Series 9 that is 1.5Wh and a new Ultra that is 3Wh, then without calculating you know the new Ultra is 100% bigger than the Series 9, and you calculate it that way: (3-1.5)/1.5=100% whereas the Series 9 is (3-1.5)/3=50% smaller than the new Ultra.
    Hope that was clear ☺️
  • Apple TV+ secures deal for 'Murderbot' sci-fi series starring Alexander Skarsgard and helm...

    Alexander Skarsgård, not Skarsgard. And “å” is pronounced “o” like in “hole”.
    Tack så mycket!
  • iPad Pro with OLED may be more expensive because of dry etching

    JP234 said:
    This stuff is way, way, way beyond my limited ability to comprehend. And it's obvious that no one posting on this forum can understand the tech either.

    Well I do :) I was a DRIE (Deep Reactive Ion Etching) process engineer for more than 10 years before completely changing my career and becoming an iOS developer. So I can tell you how amazed I was to read about my field in this article, where most of it is actually correct. An error is the sentence “While dry etching isn't strictly new, it's not used in much at present.” You would not have accelerometers or gyroscopes or sensitive pressure sensors without MEMS produced with DRIE (a sort of dry etching). Hence no Nintendo Switch, no funny games on the iPhone or iPad and so on. So what a mistake to say that dry etching is not used so much these days. The patent at the origin of it is called the Bosch process and it is from the 90’s! Airbags in cars have existed for decades thanks to dry etching!
    And if you play again one of the keynotes where Apple was presenting Deep Trench Isolation (DTI) in order to avoid having pixels bleed into one another, it is using dry etching. So all of you are using components made with dry etching in the gadget you are currently holding 😃.

    If you have questions about dry etching or working in a clean room making MEMS, just ask me, I’d be happy to explain.
    More articles like this! Thanks 🙏 

    PS: I’ve worked for Applied Materials Inc and have several patents on the design of DRIE chambers for MEMS. 
  • Apple ignored reports of three big security problems in iOS 15, researcher says

    lkrupp said:
    iOSDevSWE said:
    wood1208 said:
    No biggy. It's software bug so will be fixed in dot release.
    You don’t seem to grasp the depth of this exploit. Any app could have been downloading everyone’s contacts. It is one of the worst exploits I’ve ever heard of. There is no way to get rid of it. Oh yeah: switch off your phone!

    Bullshit. Give us your real name and security expert credentials and then maybe we’ll pay attention. Otherwise you are just an anonymous tech blog chicken little. How many times have we had to endure predictions of doom by a user claiming to have 30 years experience in IT and a literal God of the internet, only to find out those predictions were baloney?
    Haha, your comment proves you are not a developer. You don’t need any of my credentials, you can try it yourself! Just do like me: you go to GitHub where the code is: https://github.com/illusionofchaos/ios-gamed-0day then install it on your iPhone. You are not a developer but you can install it on your phone by first downloading Xcode on your Mac (free). Then register an AppleID (free). As a non-developer you are authorized to install max 3 apps, which is enough here. When Xcode is installed, open up the .xcodeproj file you downloaded from GitHub. Change in “Signing” to your “appleID”. After that you can try the app! You will see just like me several rows (a List since the dev wrote the code in SwiftUI). The first one links you to all your Contacts, interactions with them with many details. After that the row supposed to display “speedDial” fails so I can’t see any phone calls, instead comes a line pointing to pictures from your contacts. Later on details about your Game Center ID (AppleID, full name and surname).
    I’m not only an iOS developer, I’m also a mobile pentester with GIAC certification from my SEC575 sans.org course: I tried to use the exploit to show info about the IMSI info (xpc service mmcs.plist) but did not manage it.
    So no, I’m not alarmist, I just tried the code myself instead of just reading the info.
  • Apple shares full program for its upcoming hybrid WWDC 2022 event

    Full program? Apple hasn’t released a single session yet. 
  • How to use Xcode String catalogs to localize your app

    That’s one way of doing it, but in real-life apps we use remote configurations and strings usually come from a Content Management System (like Episerver). That way strings may be modified after the app has been shipped.
    However for apps that do not require a backend, you are right, that’s the way to go.
    It’s good you mentioned the case of plural strings, as Apple has done a good job localising strings for the plural form. Particularly good that you get in English “0 cars” while in French “0 voiture” and in Swedish “0 bilar”. For some languages 0 brings a plural form, which is quite counterintuitive.
  • Fewer iPhone owners are upgrading to iOS 17 than for the iOS 16 update

    kmarei said:
    i've learnt that lesson a long time ago
    i don't jump versions on my devices, if i get it with 15, i will update to the latest 15 and not go to 16
    already ruined 2 devices when i upgraded iOS to the next number up and the devices became unusable
    had to basically throw an ipad away that worked great the night before on the older iOS
    even browsing to a website would take like 2-3 minutes on the new one

    plus i have rarely noticed the difference between iOS versions
    ok i get a few more emojies, big whoopie

    Wow, so many things to comment on in just one post, so I’ll explain why this is a really bad behaviour:
    1. What used to work “a long time ago” does not work anymore. The hardware in the newer phones doesn’t behave like the one in an iPhone 6, 8 or X.
    2. You can’t throw away a device the day after its update to a newer iOS version because it’s getting slower: it takes maybe a week, depending on your usage, to optimise the OS after an upgrade. This is why the battery is getting worse after each upgrade and although it is a known fact, you can hear each year people complaining about it 😔. Just plug your device into a socket and leave it there, it will get fixed faster.
    3. Even if YOU can’t see what’s new with a new iOS version, we, the developers, see a huge difference: Apple does fantastic work each year in improving the SDK so that things get more performant and/or take much less code to perform an action. This has a huge impact on both security within apps and code quality, leading to fewer bugs. Basically having to take care of several iOS versions for an app can be extremely time consuming and requires having devices on all those versions too. It is often not justified economically to support old iOS versions just because some few % of the user base doesn’t care about upgrading their device to the latest version. This is why I force my users to upgrade through information about deprecation of support of their old iOS version quickly: they have time to update so they don’t lose functionality. Furthermore with newer iOS versions, the improvements lead to better battery management, hence it is not smart to stay on an old iOS version.

    But of course, if you don’t use apps on your iPhone and just use it to ring, you can go on doing what you do. The majority of us are doing the opposite: we mostly use apps and don’t call, hence security and latest SDK features are the greatest concern. (And also newer emojis 😂)
  • How to manage Secure Enclave card storage limits

    Let’s go through some misconceptions in your articles:


    “Apple's Secure Enclave is a protected area on Apple's devices which holds keys, encrypted data, cards, and other security information.”

    No! The Secure Enclave doesn’t hold anything other than private keys. Those keys can’t even be retrieved from its protected space. The place where you “store” things is called the Keychain. Basically what you do is you create a private key in the Secure Enclave and use it (through its data representation as you can’t get the key out of Secure Enclave) and encrypt data into Keychain. People often make this mistake of confusing Keychain with Secure Enclave because they are using low level queries with Keychain to save passwords or sensitive data from their app. Instead the iOS developer should use CryptoKit. That way it is clear what you can and can’t do by simply using autocomplete in Xcode with “SecureEnclave.P256.” as a start. For the curious reader, P256 is the only type of elliptic curve used with Secure Enclave that enables NIST P-256 signatures and key agreements.


    “[…] it uses AES cryptography to encode information so it's not plain-text readable without decryption.”

    Encoding and encrypting are two completely different things. Encoding is to “write differently” something. For instance you can use ascii, utf8, utf16 etc… An example -> the following string has been encoded in base64: QXBwbGVJbnNpZGVy. I will let the reader choose whichever online base64 decoding tool to read what I encoded 😉. Anybody can “decode” that string to its original utf8 form, but if I encrypt it with my own Secure Enclave key on my iPhone 15 Pro, you will need exactly that key on my phone to read it without brute force. I would recommend you go through your article and replace all occurrences of “encode” with “encrypt”.


    “One of the major uses of Secure Enclave is to encode, store, and retrieve your sensitive data and passes in the Apple Wallet app for later use.”

    No, the major and only use of Secure Enclave is to encrypt or sign data. Nothing else.


    “Apple wallet limitations”

    Precisely! The limitations are on the Apple Wallet app, not Secure Enclave. However, if you’re like me, very intrigued about how Secure Enclave works, you should watch Ivan Krstic’s talk at Black Hat USA in 2016 (available on YouTube). It is possible to exhaust the number of private keys you can create in the Secure Enclave (listen particularly to the questions at the end of the video). But Apple doesn’t communicate what this limit is. The curious/intrepid developer could write an app that abuses Secure Enclave and creates many private keys until they are exhausted. I have no idea what happens then, perform at your own risk…


    I hope that now people will understand more clearly what the Secure Enclave really is: it is not Keychain!

    Secure Enclave documentation: https://developer.apple.com/documentation/cryptokit/secureenclave

    CryptoKit documentation: https://developer.apple.com/documentation/cryptokit/
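
The encoding-versus-encryption distinction and the Secure Enclave key handling described in the post above, as an added example (not code from the poster or from the article being discussed). It assumes a device with a Secure Enclave; the function names, the ECIES-style construction and the sample text are illustrative choices, not taken from the page.

```swift
import CryptoKit
import Foundation

enum DemoError: Error { case noSecureEnclave, badSealedBox }

// Encoding: anyone can reverse Base64, no key is involved.
func base64RoundTrip(_ text: String) -> String? {
    let encoded = Data(text.utf8).base64EncodedString()
    return Data(base64Encoded: encoded).flatMap { String(data: $0, encoding: .utf8) }
}

// Derive an AES-256 key from an ECDH shared secret (info label is constructed).
func aesKey(from secret: SharedSecret) -> SymmetricKey {
    secret.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(),
                                   sharedInfo: Data("enclave-demo".utf8),
                                   outputByteCount: 32)
}

// Encryption: only the public key is needed, so this part can run anywhere.
func seal(_ plaintext: Data,
          for recipient: P256.KeyAgreement.PublicKey) throws -> (ephemeral: Data, box: Data) {
    let ephemeral = P256.KeyAgreement.PrivateKey()
    let secret = try ephemeral.sharedSecretFromKeyAgreement(with: recipient)
    let sealed = try AES.GCM.seal(plaintext, using: aesKey(from: secret))
    guard let combined = sealed.combined else { throw DemoError.badSealedBox }
    return (ephemeral.publicKey.x963Representation, combined)
}

// Decryption: the key agreement runs inside the Secure Enclave.
func open(_ message: (ephemeral: Data, box: Data),
          with key: SecureEnclave.P256.KeyAgreement.PrivateKey) throws -> Data {
    let sender = try P256.KeyAgreement.PublicKey(x963Representation: message.ephemeral)
    let secret = try key.sharedSecretFromKeyAgreement(with: sender)
    return try AES.GCM.open(AES.GCM.SealedBox(combined: message.box),
                            using: aesKey(from: secret))
}

func demo() throws -> String? {
    guard SecureEnclave.isAvailable else { throw DemoError.noSecureEnclave }
    let enclaveKey = try SecureEnclave.P256.KeyAgreement.PrivateKey()
    // dataRepresentation is an opaque handle, not the private key itself;
    // it is what an app would store (for example in the Keychain) and it is
    // only usable by the Secure Enclave of the device that created it.
    let handle = enclaveKey.dataRepresentation
    let restored = try SecureEnclave.P256.KeyAgreement.PrivateKey(dataRepresentation: handle)
    let message = try seal(Data("constructed sample secret".utf8), for: enclaveKey.publicKey)
    return String(data: try open(message, with: restored), encoding: .utf8)
}
```

`base64RoundTrip` succeeds on any machine, while `open` only succeeds on the device whose Secure Enclave created the key behind the stored handle.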

