As news stories show nearly every day, there’s a never-ending barrage of attempts to break into our online accounts, steal identities and cash, and hijack computers and mobile devices to use as bots in vast online armies. In the just-announced updates to iOS and macOS, Apple has tightened the security screws while also making it easier for its users to engage in the best behavior with less pain.
Apple also attacked some privacy exploits and reduced the ability of third parties to track people even further than in previous releases.
Better password tools mean better passwords used
Security experts recommend that users employ a unique, strong password for every site or service, and enable two-factor authentication (2FA) wherever possible to prevent someone from using your login with the password alone. Apple has made this easier and stronger in iOS 12 and macOS 10.14 Mojave.
While Safari in iOS and macOS for years has suggested passwords when you’re asked to create a login at a site—and iOS 11 let developers tie into that system for apps—Apple plans to improve this. Precise details aren’t yet available, but the preview emphasizes that the two OSes can “create, autofill, and store strong passwords.” The passwords generated in previous releases would already have been called strong, so Apple must be planning to improve the relative difficulty of cracking passwords it generates.
Apple has fallen short in previous releases by providing passwords that don’t meet the patterns stated on sites that require certain, often unnecessarily complicated password formulas, such as at least two digits and a special character. Password managers like 1Password can use information provided by a site in a webpage’s underlying HTML; Apple may be picking up on that too.
Like some third-party password-management systems, iOS 12 and macOS Mojave will flag passwords used two or more times, via the iOS password list or Safari for macOS’s list.
Apple gives a leg up for third-party password managers in iOS 12, by allowing integration directly in the QuickType bar in apps and in Safari. Previously, developers of these systems could use a Share item in Safari, allowing a user to tap Share, then the app icon, then authenticate to the app, and finally select a matching login or password or search for one. App developers could also integrate managers directly into their logins one at a time via those third-party companies’ programming interfaces. Now, the password managers can tap directly into the QuickType bar, saving steps, and also increasing the likelihood people will pick unique and better passwords.
Siri will play a role in passwords, too, with Apple noting you’ll be able to ask Siri to access your passwords. How that will play out for logins hasn’t been disclosed at this writing, as one imagines no one wants Siri to speak passwords aloud.
What goes hand-in-hand with strong passwords, however, is the ease of filling them in. The Safari for macOS and Safari/apps approach in iOS automatically offers passwords or lets a user bring them up. In the upcoming releases, Apple says its users will be able to share passwords among nearby devices, noting specifically only from iOS to iOS, to an Apple TV, and to macOS, but apparently not from a Mac to iOS or a Mac to an Apple TV.
Another boost for account protection is 2FA, which can protect an account from being examined or hijacked even when a password breach of a site occurs and crackers manage to extract the actual associated password. Without having access to the account’s corresponding phone number, phone, tablet, or computer, they can’t obtain the second factor.
Many 2FA systems rely on text messages (SMS), and when one is received, a user has to rely on a fleeting notification or switch back and forth to the Messages app to grab the code, which can be several digits or characters long. In iOS 12, those codes will get extracted automatically from an incoming text message and placed into Autofill for selection.
This is clearly intended to assist users in turning on 2FA at more sites by reducing friction. However, this comes at a point when security experts say the time has passed for using SMS for 2FA codes, because it’s too easy to shift a phone number from one device to another or intercept text messages. Google’s Authenticator took an early lead in spreading app-based second factors, where you scan a 2D code to seed the code in the app, and then rely on it. These codes remain locked to a device, making physical possession a requirement as with SMS. With iCloud Keychain or its existing Apple ID 2FA system, Apple could offer a stronger method for third-party integration with 2FA that doesn’t rely on SMS.
Finally, Apple lets FaceTime offer multi-person video calls, which have end-to-end encryption just like the pre-existing one-to-one audio and video calls and multi-party audio calls.
Privacy improves on sharing, tracking, and peripherals
Apple continues its efforts to prevent third parties from obtaining information about a user’s online and on-device behavior. In the upcoming releases, Apple has locked out some additional methods advertisers use to track people in iOS and macOS.
In iOS 12 and macOS Mojave, Apple will tweak Safari to prevent tracking without permission from social sharing buttons on web pages, as well as comment widgets, those ubiquitous first-party and third-party units on articles and blog posts on many sites that are often tied together with millions or even tens of millions of related sites. In macOS, this is tagged as an upgrade to its Intelligent Tracking Prevention introduced in High Sierra.
Apple says Safari also now blocks access to an iOS device’s “unique settings” and the “characteristics of your device” in macOS. Academics and corporate security researchers have published many reports over the last few years about how seemingly incidental capabilities of browsers could allow fingerprinting a unique user with a high degree of confidence. This includes such obscure tactics as using a browser-based function to render type invisibly and then examining the results. Mitigations of that kind of fingerprinting can include blocking the tracking of certain kinds of specifics that are unnecessary to create rich web apps.
Third-party apps have long allowed Mac users to block, approve, or be alerted of any access to the microphone or video camera. However, even though these tools can tap into system-level drivers with a user’s permission, it’s not the same thing as the operating system mediating access. MacOS Mojave will require permission for access to a device’s camera and microphone. It also adds a permission requirement for apps to access Messages history and the Mail database.