Here are the limits of Apple's iOS 8 privacy features

Apple's new passcode-based encryption for the iPhone and iPad can be circumvented and provides only limited protection to data

The privacy improvements in the latest version of Apple's mobile operating system provide necessary, but limited, protection to customers, experts say.

With the release of iOS 8 this week, iPhones and iPads configured with a passcode would encrypt most personal data, making it indecipherable without knowing the four-number password.

By tying the encryption key to the passcode and making sure the key never leaves the device, Apple placed the burden on law enforcement to obtain a search warrant and go directly to the customer to get data from their device during an investigation.

"Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data," Chief Executive Tim Cook said on the company's new privacy site. "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

Rival Google reacted quickly to Cook's comments, and announced that it would turn on data encryption by default in the next version of Android. The OS has had encryption as an option for more than three years, with the keys stored on the smartphone or tablet.

On Friday, privacy experts said they supported Apple's latest move, which they viewed as putting more control over personal data in the hands of customers.

"The fact that they (law enforcement) now have to go directly to you, and can't do it without your knowledge, is a huge win for Apple's customers in terms of their privacy and security," Jeremy Gillula, staff technologist at the Electronic Frontier Foundation, said.

However, experts also said the protection had its limits, since customers often store on iCloud a lot of the data encrypted on the device, such as photos, messages, email, contacts and iTunes content.

In addition, information related to voice communications, such as call logs, is stored with the wireless carrier, as well as on the smartphone.

Once the data is in iCloud, law enforcement or government officials investigating national security cases could legally force Apple to hand it over.

Apple's new privacy mechanism also has a weakness. Plugging the iPhone or iPad into a Mac or Windows PC that has been paired with the device would circumvent the passcode-based encryption.

Unless the devices had been turned off, the password would not be needed to access data from the computers.

"This means that if you're arrested, the police will seize both your iPhone and all desktop/laptop machines you own, and use files on the desktop to dump and access all of the above data on your iPhone," Jonathan Zdziarski, an iOS forensics expert, said in his blog. "This can also be done at an airport, if you are detained."


Without naming Google, Cook made a point to emphasize that Apple's profits depended on selling hardware, not collecting customers' personal information and then selling it to advertisers.

"A few years ago, users of Internet services began to realize that when an online service is free, you're not the customer. You're the product," Cook said.

The privacy changes came after Apple suffered a black eye this month when cyber-thieves accessed celebrities' iCloud accounts and, in some cases, posted naked photos online. Apple found that the attackers did not compromise iCloud security, but obtained the credentials to the accounts some other way.

Apple beefed up iCloud security recently by introducing two-factor authentication, which was already available to people with an Apple account tied to iTunes and other services.

"Two-step verification is good, and long overdue," Rebecca Herold, a privacy adviser to law firms and businesses, said.


Stories by Antone Gonsalves
