Saturday, Mar 29, 2014

iOS Security: Incredibly good!

Apple has recently been dragged through the mud for a very critical and easy-to-exploit problem that affected iOS devices as well as Macs running OS X.  It has now been patched, and the error has been analyzed (essentially an extra GOTO statement where it did not belong).  There has been some question as to whether this was intentional, but I don’t think that’s even remotely likely.  Just a very big mistake.  Now fixed.  But you must upgrade to iOS 7.0.6 and OS X 10.9.2.

What has received much less attention is the white paper that Apple published in February, which is an in-depth explanation of how security works on iOS devices. You can find it here if you’d like to read for yourself, or you can find Steve Gibson’s three-part discussion of the security features.  I’m still working through it! 

Bottom Line:  iOS security is incredibly good.

But the most recent security flaw, discussed above, is an example of how the entire ecosystem must work together to protect the device.  A weak link anywhere in the chain from boot-up, to updates, software downloads, browser architecture, etc., etc., will allow potential exploits.  That’s why Apple controls the whole chain.

With what we know now from the white paper:

  • Security is both hardware and software on the most recent iOS devices.  Only devices with the A7 chip contain Secure Enclave and with it, the truly state-of-the-art security discussed in the white paper.
  • The A7 chip is contained in the iPhone 5s, but not the 5c or any of the iPhone 4 or 4s.  The iPad Air and iPad mini with Retina display have the A7.  Others do not.
  • If you have a device without the A7 chip then the security of the device is probably still pretty good, but you should be using an A7 device (iPhone 5s) if you are security conscious.
  • Android is a very distant competitor in terms of secure platform.
  • Fingerprint reading and recognition is very secure, and we shouldn’t have concerns.

There is one very curious choice that Apple made which is just starting to be noticed:  everywhere in the systems they describe they use very strong cryptography which is, as far as anyone knows, not susceptible to any known attack.  Except for the Keychain.  For the Keychain, and only for the Keychain, they use a form of elliptic-curve cryptography that was developed and is championed by, guess who, the NSA!  Yep.  Many security analysts including Bruce Schneier and reporters with inside lines on the politics of the security world (Brian Krebs) assert that there is an NSA back-door in this scheme.  Most everyone else is either avoiding it, or not telling us about it.  And Apple chose to use it only for the master vault that keeps all the other keys on your keychain!!  Hmmm….

One wonders if Apple was “forced” to make this choice for a critical portion of their security infrastructure?   And it’s quite interesting that Apple has released this information.  Maybe they just wanted us to know without being obvious about the telling?  And, to be fair, the entire system is still light-years ahead of Android.  I haven’t figured out all the ramifications of this yet and, although I thought it interesting and worth pointing out, I am not very concerned and plan on using the incredibly convenient and otherwise excellent Keychain feature for many things other than websites and passwords for financial institutions and other very sensitive information, where I will continue to use LastPass.

Unfortunately, the process of looking at secure cloud storage is taking much longer than anticipated as I'm having trouble finding a solution that I really like, but more soon!

 

--Tiron
