iOS 8 and OS X Yosemite: will they keep us safer?

It used to be Apple rarely highlighted security and privacy in its developer-focused WWDC keynote presentation. But over the past few years Apple has consistently highlighted new options to keep users safe from attackers and snooping eyes alike. Still, with a mere two hours to cover a wealth of advances in multiple operating systems and the corresponding developer tools, the security details in Monday's keynote were sparse.

Still, if you're a bit of (OK, a lot of) familiarity with Apple's platforms, the future of Mac and iOS security becomes a little clearer. And it's clear that for the next generation of products, "extension" is the name of the (security) game.

iOS 8: Prying open Touch ID and the sandbox

The inclusion of the Touch ID fingerprint reader in the iPhone 5s enabled users to have strong passwords with the convenience of nearly no password at all. According to Apple, less than half of iPhone users enabled a passcode before Touch ID. On the iPhone 5s, fully 83% now use this crucial safety belt.

Touch ID uses an interesting architecture. Currently, when you first turn on your iPhone, or after rebooting it, you enter your password, which is then stored in the special Secure Enclave portion of the A7 processor. Your fingerprint then unlocks and releases this password to the rest of the operating system. It doesn't remove the need for a password, but makes using one nearly effortless.

In iOS 8, Apple is extending this model to cover third-party application credentials. Apps that store their credentials in the iOS keychain will be able to use Touch ID to authenticate the user. This will likely be widely misunderstood as allowing banks and retailers to use your password for authentication instead of a password. Instead, Touch ID allows an application to keep your password locked away in the keychain until you release it with a fingerprint registered with the device.

The difference is subtle. You still need a password, you just won't have to enter it all the time. I also suspect the API will allow app developers to set certain restrictions on when Touch ID will be acceptable, and when it might require the user to re-enter the password. This improves application security by improving usability--Touch ID-enabled apps effectively ask users to authenticate (with a fingerprint) every time, without requiring them to always enter a password.

This won't improve the security of apps that currently require passwords every time you use them (such as my bank apps), aside from potentially inspiring users to enable better passwords if they know they won't have to constantly type them in. It could be a real boon for other apps that currently cache your password since they won't be afraid to authenticate users every time, since a fingerprint is so convenient.

It might also inspire more than a few parents to delete their child's fingerprints from their device.

Extensions to where?

The details of the other major security enhancement are a bit murkier. Apple is opening up direct communications between iOS apps through something called extensions. Apple has long restricted inter-app communications to maintain the security and integrity of the app sandbox. While this has frustrated some developers, sandboxes are a powerful security tool to limit the risks that one compromised app could compromise other areas of your device.

Based on the limited information available in the keynote, it appears that iOS 8 developers will now be able to open up their app to external communications. This extension is like a little receptor on the edge of the sandbox that receives a message and acts on it. Extensions register themselves with iOS, which mediates communications between apps.

Rather than opening up communications willy nilly, it appears that extensions still obey the rules of the sandbox. Any requests to do something new on your device, such as communicate over the network, will still require user approval (such as those prompts to access your camera or microphone currently in iOS). The fuzzy part is where that line will be, exactly. One option would be to require approval for every first-time request between two different applications. Based on the keynote demonstrations, I suspect it won't be quite that granular, but this is one area I would also expect to evolve considerably during beta testing.

What is clear is that iOS is the broker between application extensions, which likely keeps a fair bit of security in the process since apps won't be communicating and (potentially) attacking each other directly. Maintaining the iOS privacy controls also means that nifty new keyboard replacements won't be sending all your keystrokes to a black-masked attacker (as has happened on Android).

iOS 8 does opens up a host of other security questions that I simply don't have anything to base an informed judgement on. Shared file storage with iOS or third-party cloud services, the security model of Continuity, any details on the new enterprise features like Extended Data Protection, and the usual under the hood enhancements--they're all TBD.

Swiftly climbing in Yosemite

Apple said less about any security changes in OS X 10.10. In large part, this is due to the fundamental differences between a full desktop operating system and iOS. Apps can already talk to each other, even when sandboxed, and hook into the operating system at a deeper level. I suspect most of the security improvements are inside the OS X internals.

One advance with significant long-term implications is the introduction of the Swift programming language. As a part-time coder (okay, dabbler) myself, I never underestimate the challenge of building a secure language that wipes out all the little errors that could inadvertently open the doors to attackers. Apple stated Swift wipes out buffer overflows and a series of other security issues that plague most languages. This is a tough challenge, and while we've seen success with such efforts in other modern languages, we've also seen plenty of failures.

Only open combat on the Internet will let us know how well Swift's security model works, but it is likely an improvement over Objective-C and could, over time, help harden app security in both OS X and iOS.

Safari gains more usable privacy by allowing users to open a private browsing window without flipping the entire browser into private mode. This is the same as Google Chrome's Incognito model, which is much easier to use than Safari's current on-or-off model. I'm also curious as to how deep the privacy restrictions run; those pesky Web advertisers are quite devious at circumventing most privacy controls.

On a lesser note, I'm thrilled that we will soon be able to use the privacy-conscious DuckDuckGo search engine right from within the address bar. It's a nice touch for the privacy-minded.

Apple didn't mention anything more on OS X security and privacy, but every other version of the Mac OS has added a variety of unpublicized security and privacy controls. With months to hunt them out, I expect to find more.

iOS 8 and Yosemite appear to be less about adding new security and privacy features, and more about opening and extending them deeper into the app ecosystem. The more Apple enables security for developers--not just for the operating systems themselves--the better our devices will be able to withstand the dark side of the Internet.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleiOS 8wwdcsecurityOS X Yosemitesecurity software

More about AppleAustralian Pharmaceutical IndustriesGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Rich Mogull

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place