uroshnor

  • Apple acknowledges tracking iMessage metadata and sharing it with law enforcement

    Given that Apple has had documentation on its public web site for 5+ years that explains what it can and can't provide to law enforcement, and what information requires a warrant, it's not clear to me why this is news.

    It doesn't, for example, prove receipt of a message, only that a particular identity was looked up in the "To" field. That would typically be more useful to police as intelligence (i.e. information that influences decisions in an investigation, but does not directly impact the argument to prove guilt), than as evidence.

    The original article is at an almost absurd level of paranoia - similar to "Banks track customer spending patterns" or "Grocery store knows what's in your shopping basket" or "Post Office knows when you have mail".

    The central directory of identities, that holds public keys, and deals with the issues around multiple devices per user, has been a key feature of iMessage & why it's been easy to use since launch.






  • Samsung Note 7 battery fire woes triggered by rush to beat Apple's iPhone 7 - report

    rob53 said:
    Why does everyone keep demanding something entirely different every year? What's wrong with simply delivering something that just works? People don't realize how difficult (and unnecessary) a total re-design is. Changing a design to meet the frivolous demands of customers and (especially) crazy analysts does not produce a better product only a different looking one.
    I want something entirely new, that is crazy better and just works.
    Pick two.
  • Turkey's deputy PM encourages Apple to move in wake of EU tax ruling

    blitz1 said:
    Soli said:
    AdBrit said:
    In the end, all this is Apple trying to avoid paying taxes, something all of us do compliantly without begging for exception. Apple and other Corporations are simply moochers of a country's wealth whether that be the consumer's dollars or the consumer's labour. They are transient welfare bums.
    What should a corporation do? Pay taxes beyond what they are legally obligated to pay in order to appease you? I certainly have accountants looking for every possible way I can reduce how much I legally owe the gov't. You don't do that?
    Legally obligated to pay in Ireland is 12,5%.
    Not 1%, not 0.005%
    That's not the legally obligated tax rate, that's the base company tax rate. It's highly unlikely that any manufacturer who sells in Ireland pays 12.5% - your legally obligated tax rate will vary from the base, depending on many factors.

    Ireland does not have an issue with how much tax Apple paid. Ireland have publicly stated they disagree with the decision.

    Apple has had this setup in Ireland since 1980, and after 36 years, the EU has retrospectively ruled it's illegal state aid.

    It's an interesting issue of sovereignty, and the retrospective nature of the ruling is understandably worrying. It's one thing to say: this stops now, and completely different to go back 15-20 years and require back payment.


  • Retailers, payments association side with Australian banks over Apple Pay negotiations

    cnocbui said:
    I have been using Australian banks for decades.  I have never had an issue with their integrity or security.  They were doing security when Tim Cook was still in nappies.

    Who do Apple trust to store their Billions?  Do they have their own vaults somewhere or do they run their own bank or do they actually trust banks?  It's pretty illogical to say you don't trust banks with security and that you only trust Apple with it when Apple Pay relies entirely on banks and the infrastructure they developed, provide and maintain.

    Oh yes, and accusing Australian Banks of greed and mentioning Apple in the same sentence as if they aren't, is hilarious.

    Tap & Pay allows you to use your compatible smartphone and the CommBank app to make contactless purchases in store. Simply tap your phone on any contactless terminal the next time you are shopping+.

    Tap & Pay is available using your compatible Android phone and the CommBank app. You can link Tap & Pay to your transaction account or credit card so you can make purchases at any contactless terminal using just your phone – even overseas.

    Compatibility:
    Tap & Pay is available on compatible devices running Android 4.4 (KitKat) or above, with inbuilt NFC enabled.

    So where are the security breaches?  It's an NFC chip, a short range radio.  Do iPhone users not trust banks with security and communications to the point they don't access their bank accounts or do other banking tasks over wifi and cellular connections?   There is no logic going on here beyond Apple good, everyone else bad.



    ApplePay is EMVCo certified as a card present transaction equivalent to chip & pin, NOT paywave.

    The difference with ApplePay is that the transaction is tokenised, and the POS system itself can be compromised, and the risk you are exposed to at most, is that transaction (and even then only for a narrow time window).

    NFC tap and go systems are not tokenised, and are vulnerable to replay attacks or a compromised reader (where each attempt is capped at AUS $100 per transaction, with an aggregate up to your daily limit). Such attacks have happened in Australia.

    On iOS, even IF your phone was compromised, it does not contain your card details.

    The banks want to a) implement their own systems to bypass Apple's fees
    b) want to preserve their investment in their existing systems (which are domestically developed and are to the typical poor quality standard you'd expect, e.g. a few years ago when we evaluated the banking Apps from the big 4 for use on company owned devices (we explicitly whitelist App Store Apps), and they all failed our baseline requirements, some of them at rookie mistake level).

    I'm pretty much convinced the banks' security concept is framed around fraud management and loss prevention, rather than placing the end users' privacy & security front and centre.
  • Apple counters Australian banks' call for iPhone NFC access, cites handset security

    cropr said:
    sennen said:
    Apple, whatever fingers it may want to have in the pie, is still providing the most secure solution for its customers. I'll take that over whatever service Australia's banks want to push onto me.
    My bank is offering financial service since 1945, Apple started 2 years ago
    The financial services of my bank are audited yearly by an independent organization, Apple isn't
    It takes me 15 minutes to get an appointment with a bank representative, I cannot get an appointment with someone from Apple
    All the data of my bank is stored in a national data center, Apple stores its data in a foreign data center. If I have a dispute with Apple, I have no chance to access my data and to prove I am right
    My bank supports heavily open standards,  Apple has a closed iOS ecosystem
    My bank is expensive.  Apple is expensive

    And you want me to believe that Apple is a more trustworthy partner than my bank. You must be kidding
    Not at all.

    Apple is considerably more trustworthy than any of the major banks in Australia, and has vastly superior customer service. Australian banks get bulk data breaches all the time, Apple has currently had zero (passwords being re-used or phished is not a bulk data breach). Although some people have alleged in speculation that bulk breaches have occurred, Apple is legally required to provide notification if such a thing happened, and they never have had to notify.

    In the specific instance of Apple Pay, the Secure Element and NFC hardware was added just for payments, just with ApplePay. It is not used for anything else. There are no APIs to touch the NFC hardware, outside of Apple Pay, for anything else in iOS - there's no "Samsung bump" or similar uses for App developers, Apple internal or App Store.

    So Apple is not giving ANY developer access to NFC, for ANY purpose. They are not singling out the banks.

    Apple provides Bluetooth 4.2 to developers if they want short range low power radios. There is exactly nothing you can do on NFC that you can not do with Bluetooth (and BT does more than NFC). It's just that the historical installed base of NFC readers is dominant in payment tech. Note that Apple only supports a handful (6-8 depending on device) of the 30+ Bluetooth profiles, so it limits what 3rd party devs can do with it.

    The banks falsely assert NFC is unique in iOS devices, in that it's not open to developers, and all other radios are. The banks' statement is false: Apple does not provide direct access to ANY radio on the device: Bluetooth, GPS, Cellular, and Wi-fi are all completely restricted, and abstracted from the developer with high level, abstract APIs that do not give direct access to the hardware.

    HID started shipping BT door locks in addition to their NFC ones a few years ago, as one example of hardware vendors moving with the times.

    NFC is ancient, with commercial deployments dating back to the late 1980s.

    The NFC Secure Element functionally duplicates a subset of what Apple provides in the Secure Enclave.

    My best guess is Apple are only temporarily including the NFC with Secure Element, and are planning to abandon it in favor of an API sitting on top of Secure Enclave, but still capable of NFC (several component vendors are starting to deliver NFC / BT chipsets).

    If the current hardware is transient and single purpose, then it's not unreasonable it's not open to 3rd parties.

    I'd add that every applet Apple allows to be installed on the Secure Element means they need to re-certify with EMVCo, so it's a non-zero cost to them to maintain certification with potentially 3000 - 4000 different banks' applets, and the cost of doing that is also a deterrent to it being opened up to 3rd parties. How do they certify the good banks but keep out the bad ones (and there are plenty of bad banks globally)?

