Security and identity as a service, and how Apple could lead the way

Security as a service, with Apple leading the way

As rumors keep swirling about the finger print scanner Apple will be introducing with the iPhone 5s, the subjects of mobile security and identity keep getting raised. Passwords are an absolute pain in the ass on mobile, and identity is a problem that not only hasn't been solved, but that some companies either lack interest in solving, or lack the trust necessary for us to want them to solve. Industry analyst Ben Bajarin - listen to him on the latest Vector podcast - think that leaves the door wide open for Apple. From Tech.pinions:

Security as a service could become a key differentiator for Apple products and a driving reason to choose Apple products over others. But even more interestingly, their competition (Google) doesn’t care about security. It is a battle field their core perceived competitor has no interest in playing on. And that makes it all the more important.

It's important to distinguish between different meanings of the term "security". This isn't privacy protection on a governmental scale. Sadly, it doesn't look like any of the major players, Apple included, is willing or able to stand up to governments - legally, illegally, or questionably - demanding access to our communications and other data. (See the ongoing NSA scandal).

This is perhaps better termed authentication or identity as a service, where a mobile device ascertains with a certain standardized degree of certainty that we are who we say we are, and that's used to allow us access the device, and to our login systems, like iCloud keychain, payment systems like a future version of Passbook, and to other services linked to the chain.

It could be a huge business for anyone who can provide a sane, simple solution. Which are both among Apple's traditional strengths.

Check out the rest of Bajarin's article for more.

Source: Tech.pinions

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, ZEN and TECH, MacBreak Weekly. Cook, grappler, photon wrangler. Follow him on Twitter, App.net, Google+.

More Posts

 

13
loading...
15
loading...
41
loading...
0
loading...

← Previously

BioShock 1 and 2 sale - 50 percent off in the Mac App Store

Next up →

Turning Microsoft into Apple... on the way out

There are 67 comments. Add yours.

williamsbh76 says:

Uh oh Rene, lol you called out Google! Prepare to be besmirched by trolls! But seriously, I wasn't going to upgrade to the 5s but a finger print scanner may actually have me sold because I have a lot of sensitive info in my phone from personal finances to access to some work files. We will see.

Rene Ritchie says:

Google doesn't seem interested in security yet, that's not calling them out. I'd love for Google to make it a feature war.

richard451 says:

Google just encrypted their entire cloud (it was the top news story three days ago) How on earth is that not being interested in security?

Rene Ritchie says:

Different kind of security. I updated to make it more clear.

Also, encrypting a cloud and giving NSA a backdoor isn't really secure either ;)

richard451 says:

So now you are arguing that Google has no interest in " authentication or identity as a service", a feature they released over two years ago on Android?

Trappiste says:

It is a Rene's Apple piece, so facts get thrown out the window. Of course.

Rene Ritchie says:

Please don't troll here. You'll get removed. Make it personal, you'll get banned. Last warning.

Also, I'm not a conspiracy theorist, and I don't think this applies to Google alone (all major tech companies). But before you defend Google - and notice I'm at no point defending Apple when it comes to privacy - give this a read:

http://i.imgur.com/v375ssL.png

Don't defend companies that should be defending us. Don't take personal slight on behalf of companies that don't treat us like people.

iBlackdude says:

@René: I'm still not sure why you menacing this guy...

I don't think he's a troll...
Stop abusing people !!!

Without readers, this blog will be nothing !!!!
:(

williamsbh76 says:

I would also point out that security has not been a major concern for Google. Their whole issue is to catalogue the world's information and make money off of it. Not to mention, it was only a couple of weeks ago that all the media fall out occurred because "everyone" suddenly realized that Chrome doesn't encrypt passwords. Google blew the whole thing off as not an issue and therefore will not fix it.

williamsbh76 says:

I hear you and I with you. A feature war would mean better security and hopefully more convenient security for us, the consumer. I just knew that because you even mentioned Google or quoted someone else who has mentioned Google would bring the fall out, hence @richard451 's and @Trappiste 's comments below.

richard451 says:

thinking like this "But even more interestingly, their competition (Google) doesn’t care about security." is why analysts get mocked as being idiots. This guy is just the latest addition to the cesspool.

Rene Ritchie says:

They added Find my Phone this year. That's not exactly the fast track on their priority list. No need to be so defensive.

richard451 says:

"Find my Phone" has nothing to do with security. it's not being defensive, it's taking a stand against bad journalism.

Rene Ritchie says:

No, I'm failing to communicate and you're failing to read. I'll try to do a better job on my end.

richard451 says:

Your inability to generate a meaningful reply aside from "you're failing to read" isn't really helping your case. It's sad that you felt the need to spread such ignorance when you really should be taking guys like this out to bjj mat, but then again you also think "Find my Phone" has something to do with security and/or authentication.

Rene Ritchie says:

Sorry, not sure how to reply when basic things aren't being understood? What about Find my Phone is so perplexing to you?

SockRolid says:

News flash - this isn't the Wall Street Journal here.
It's a blog. Bloggers are allowed to have opinions.

Funny how "journalism" and "expressing an opinion" are the same in some peoples' minds. Isn't it?

Rene Ritchie says:

Most people don't read, they just want point out someone else is wrong on the internet. It's sad and devalues comments. Hopefully people will invest a few minutes to raise the bar and increase the value of the discussion.

Also, yeah, "journalism" isn't well understood either :)

BB fan forever says:

Google is bad on security just like Apple. Both are getting better but i feel Blackberry is still the most secure. Plus, Blackberry is owned by a Canadian Company so i don't have to deal with all the NSA stuff. Any opinions or thought?

Rene Ritchie says:

I think no one is safe. Which makes me very sad.

scribacco says:

Since they handed the security key to almost every countries they operate in I do not see how that translate in security. BTW imessage is encrypted BBM is not

BB fan forever says:

BBM is actually encrypted. Look it up

birdman_38 says:

Didn't then RIM hand over BlackBerry Messenger transcripts to the authorities following the London riots a couple years ago?

SockRolid says:

Blackberry may not be Canadian for much longer.
Who knows where they'll be a year from now?

BB fan forever says:

They will still be around. Its still used widely in other countries. Plus, BB10 is still growing. Give it time IOS didn't jump up quick when it first launched the first iphone.

Adem Reka says:

I think Apple care much more at user experience than security. However icloud keychain is a good step in the right direction. As for google "doesn't care about security" put your fanboy glasses off. Android and Ios are the same at stealing data:

Report Highlights
The vast majority of free apps send and receive data to outside parties without encryption.
96% of total apps share data with advertising networks and/or analytics companies.
79% of the top 50 free iOS and Android apps are associated with risky behaviors or privacy issues. Overall, iOS
apps exhibited more risky behaviors than Android apps.
Entertainment apps were the worst offenders out of the top five categories, with the highest number of apps
that track for location and share data with advertising networks and/or analytics companies.
While 14% of iOS apps had access to a user’s calendar, none of the Android apps had similar access.
More than half of the total apps track for location by accessing the device GPS or using other location tracking
methods.
More than 80% of apps across categories come from different unique, individual developers.

New research from BitDefender shows that applications for Apple iOS and Google Android may have their digital eyes and hands on more user data than you think.

Using their Clueful app, researchers at BitDefender examined how apps for Android and Apple's iOS treated private data, such as location information and contact lists. What they found may seem startling -- of the 207,843 free applications for iOS, 45.41 percent have location-tracking capabilities, whether they used them or not. Of the 314,474 free applications for Android, the percentage was 34.55.

When it comes to having the ability to read contact lists, the numbers were 7.69 percent for Android and 18.92 percent for apps designed for iOS. An iOS app called "3D Badminton II" (v. 2.026), for example, reads contacts' emails and sends them to a server in Hong Kong.

"Among the most interesting pieces of information for an advertising network are e-mail addresses and unique device IDs/IMEI," according to the report. "This data also may be shared with third parties to, for example, send consumers behaviorally targeted advertisements, according to a recent Federal Trade Commission report."

"About 14.58% of the Android applications may leak your Device ID and 5.73% of the total number of apps may leak your e-mail," the researchers note. "Again, iOS applications appear to be more focused on harvesting private data than those designed for Android."

Some examples for iOS include Ringtone Maker version 1.7, which sends the device ID to "adfonic.net," and 'aradise Island: Exotic (v. 1.3.14), which sends the device ID to a number of third-party websites. Meanwhile, an Android app called Logo Quiz Car Choices (v. 1.8.2.9) shares email addresses, the researchers found.

"Most people do not pay attention to the permissions required by the application they are about to install for a variety of reasons," observes Bogdan Botezatu, senior e-threat analyst at BitDefender. "They may not realize that those permissions are important in any way for the security of their device. They may not understand what each permission means and how it impacts the security of the terminal, or may not have other options but to accept the permissions if they want that application to run on their device. This is actually one of the most important shortcomings of Android -- the fixed permission model that asks you to go all in with the permissions or else you're not going to be able to run that application."

Android security has been in the spotlight during the past few days, as vendor Bluebox Security announced plans to release details of a serious Android vulnerability exploit at the upcoming Black Hat security conference in Las Vegas. According to Bluebox Security, the vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, enabling a bad actor to modify APK code without breaking the cryptographic signature. The vulnerability only comes into play, however, in the case of applications downloaded from third-party app markets.

"Although this loophole has been present in Android devices since 2009 and is yet to be exploited by cyberthieves, the 'master key' is a major concern for consumers and also businesses, which are increasingly reliant on mobile devices for work and, moreover, accessing company data," says Grayson Milbourne, security intelligence director at Webroot. "An attacker being able to steal data or eavesdrop on calls or emails is clearly a major problem."

Judging by the extremely small number of malware incidents in the past years, most people would probably consider iOS much safer than Android, says Botezatu. However, this does not appear to be the case when it comes to privacy issues.

"We have two distinct operating systems that work differently and are built differently, and, yet, they attempt to get to the same kind of user information, as long as access to it is permitted by the application market," he says.

BB fan forever says:

Point is, It sucks to have your data given to the gov't. Pics, Vids, Text, Call, etc. I personally don't like people knowing all my info. Even if i'm not doing anything bad. Any comments would be great.

GeniusUnleashed says:

Ugh, Rene, Come on. "Security as a service, with Apple leading the way"? Seriously? By "supposedly" putting a finger print scanner on the phone that's leading the way? Where was this op-ed when Google put out Face Recognition?

"Passwords are an absolute pain in the ass on mobile"? Just how lazy are you, Rene? Pressing 4 buttons to get into your phone are really that traumatizing for you? Hit the gym man, sounds like you could do with a little working out if typing in your pw is that much of a pain in the ass.

"But even more interestingly, their competition (Google) doesn’t care about security. It is a battle field their core perceived competitor has no interest in playing on. And that makes it all the more important." Yeah, because, like another poster above pointed out, Google didn't JUST encrypt all Cloud storage moving forward.

"Given everything from the NSA controversy" Last time I checked, no one has been more vocal than Google about demanding the right to share with the public just what information they shared. Sounds like what they gave out wasn't so bad and they want the American people to know it so they stop getting flamed by the press and iMore.

You're better than this article Rene.

BB fan forever says:

Hey, lets keep this nice dude. I think you went a little to far, But i do agree on the fingerprint scanner. I don't see a point but i guess some people like features.

GeniusUnleashed says:

"Passwords are an absolute pain in the ass on mobile"? Just how lazy are you, Rene? Pressing 4 buttons to get into your phone are really that traumatizing for you? Hit the gym man, sounds like you could do with a little working out if typing in your pw is that much of a pain in the ass :P

Is that better BB? It was just teasing, I know Rene isn't getting gassed logging into his iPhone.

GeniusUnleashed says:

Posts like this get me bummed on the site. Zero accountability going on and it keeps the flame wars alive.

Rene Ritchie says:

No, I wasn't clear and you misunderstood and chose not to be classy about it.

Passwords on mobile for mainstream users is a HUGE problem. Not understanding that is part of the problem. As computers become more mainstream, it needs to be fixed.

GeniusUnleashed says:

So now, teasing you, means I'm not classy? I really don't think typing a passcode on your phone is gassing you or making you break a sweat. Lighten up Rene, I know you get trolled a lot here, and I know I'm VERY direct on this site, but at this point I'd hope you'd know I'm not intentionally hurtful.

And you keep saying PW's are a huge problem but don't back it up by saying why or how. Please elaborate, why are they a huge problem? Everyone I know, iOS and Android use alike, uses a pw to unlock their phone and I've never once heard anyone complain about it. It's like complaining that you have to unlock your car door. "GAWD!!! I have to unlock my car door AGAIN!? I just unlocked it 12 hours ago! And it's parked in MY DRIVEWAY!!! The travesty!"

But then you switched your argument just now and say "computers". Are we talking about computers or are we talking about smartphones. Symantics aside, I'm the only person I know locking my computer with a PW, while, like I said, everyone I know uses one on their smartphone.

Please elaborate.

Rene Ritchie says:

I use a passcode. Your teasing, sadly, is systematic of a widespread problem in technology.

Are you aware of the percentage of users who use passcodes vs. those who don't? Those who backup vs. those who don't?

iCloud backup and Time Machine are attempts to mainstream backup. Apple is likewise attempting to mainstream authentication.

John Siracusa did a great job explaining the the incorrectness of your line of thinking on the last ATP podcast, it's worth a listen.

It's not dissimilar to automatic vs. manual cars.

Technology's job is to make things easier for people. There's no room for elitism.

GeniusUnleashed says:

"Your teasing, sadly, is systematic of a widespread problem in technology." OK, how about this. You try not to carry baggage from trolls when reading my comments, and I'll tone it down and throw in a lot more :)'s and :P's, so the trolls will know I'm kidding and won't feel emboldened to be douchy to you? Deal?

"Are you aware of the percentage of users who use passcodes vs. those who don't? Those who backup vs. those who don't?" I don't, in another space I asked you to poll it, I think it would be a great thing to ask. I've never once been polled on the subject. BUT, every single person I know who uses a smartphone uses a passcode so I'm not the best person to ask.

"iCloud backup and Time Machine are attempts to mainstream backup. Apple is likewise attempting to mainstream authentication.

John Siracusa did a great job explaining the the incorrectness of your line of thinking on the last ATP podcast, it's worth a listen."
I can't tell if these two thoughts were connected? Please elaborate on what you're referencing, not sure what you mean by "your line of thinking."

Automatic vs. manual. People in Europe make fun of people who drive automatic, they say only handicap people drive automatics. I prefer manual, so much more fun to drive.

"Technology's job is to make things easier for people. There's no room for elitism." Please don't talk to me like I'm other people. I know the job of technology :P

I get the impression you think I don't like the finger print scanner. Let me go on record, I could care less. I use a finger print scanner at work and it SUCKS!!! I have to try to clock in 2-4 times a day before it takes. But if Apple has it locked down, I'm fine with it. I'd much prefer quick reply for text messages over a finger print scanner though :P

Iocane Powder says:

I think this is the point that is not highlighted enough in both tech and non-tech venues. Security is optional in most instances and when it is required the minimum threshold is generally useless.

Getting security right on the web and with hardware is difficult even for those who live in technology; it is abstruse, tedious and frustrating for everyone else.

If Apple, or anyone, could create a foundation upon which a higher standard of security is both mandatory and simple (just works), and then integrate that with existing hardware and services, then it will give them an enormous marketing advantage over those that once again are playing catchup.

I think the key thing here will be in proving that simple can be effective. People already do simple....PW = "password123"

SockRolid says:

Wow. *Already* getting defensive about the (rumored) iPhone 5S fingerprint sensor. Already pushing the fingerprint-sensor-sucks agenda, are we?

Just face it. Technology can sometimes make life easier.
Think about that for a second.

BB fan forever says:

I think we rely to much on technology witch is going to be bad later on.

GeniusUnleashed says:

Defensive? It doesn't exist. I'm calling him out for using a hypothetical security device. Everyone thought the new LG was going to have a finger-print sensor and it turned out to be the new volume rocker button. I love tech, butI love facts even more.

Let's debate what we have, not what we hope for.

GeniusUnleashed says:

I know I give you a lot of shit (read: tough love), especially on your op-eds, but the one thing I respect the most about you and the site, and what keeps me coming back after screaming at you through my monitor after said op-eds (:P), is the fact that you don't jump on rumors.

Still, I prefer not to debate hypotheticals. I know finger print scanners exist, but until an iPhone with it is on the market, I'd rather debate other things, no offense.

williamsbh76 says:

Passwords can be hacked, especially a four digit numeric password which could be hacked in just a matter of moments by even a half ass hacker. Not to mention someone simply looking over your shoulder. A fingerprint is next to impossible to replicate with out some serious tech. Not to mention the convenience of a quick swipe accessing your phone.

GeniusUnleashed says:

After a long time in Brooklyn and Detroit, I can attest that a finger can easily be cut off :P

GeniusUnleashed says:

I don't think that's Google MO. I think they are very upfront with how they are using our data if we use their free services. I personally don't have a problem with it because their own browser allows you to turn off the adds in Gmail, I don't get ANY spam from my gmail account addresses, and I don't get unsolicited spam sent to my house. So it doesn't really effect me so far. It's not like there's some guy at Google creating a data base of all our information and reading our most deepest darkest secrets. It's a computer looking at 1's and 0's to try to make our lives easier, whether it's working or not, is up to you. I use an Outlook.com email and emails from my own server and personal sites, but I forward everything to Gmail because I think it's the best, most intuitive email service around so far.

Read that PDF, Adem Reka, posted. It's pretty eye opening, if true, at just how little Apple cares for your personal information on your iPhone. It's funny, because Google, just today, changed the terms of service in the Play Store to make it even harder for apps to get your phones info.

Rene Ritchie says:

Yeah, privacy and authentication are different things. I updated the article to be more clear.

Rene Ritchie says:

Google hasn't done face recognition on iOS yet. When/if they do, we'll cover it. Android Central covered it on Android, and it a) didn't work and b) hasn't become mainstream, likely because of a.

Making your reply personal and attacking me personally is a good way to be given a time out across the network, so please address the points, and not me. We can discuss without name calling, right?

Most people don't use pincodes. It's technology's job to make that simpler and easier, so more people can have better authentication.

I'm linking to an article here. Go read the article and come back and engage in an informed discussion.

You won't get an argument from me about the NSA, but I don't think anyone, including Apple or Google can be put in any positive light whatsoever when it comes to protecting our privacy.

This article, however, wasn't about that. I wasn't clear, so I updated to make it more clear.

This is about authentication, not privacy, and not that Apple is leading the way, but that there's a business opportunity for them to take if they're willing and able.

GeniusUnleashed says:

You didn't link the article, unless you meant Barjarin's? If you meant Barjarin, I don't like to debate someone about someone else's "opinion". It's too hard because we're not basing anything on facts, but...wait for it...someone else's opinion.

And I think you are 100% wrong if you think most people aren't using a passcode on their smartphones. But it's a waste to debate it. Why don't you guys throw up a survey about it, I think it would be great so we can have a reasonable debate about it. I know the people who go to this site, aren't always the "average" iPhone user, but I think it would give us more to go on when we are on opposite sides of the coin on this.

As to your other points, we're talking on a couple threads, so read my other responses to them and we can move forward from this point, hopefully with you knowing Im' not trying to hurt your feelings. I'll try to put in more :)'s and more :P so you know I'm kidding. It's a tech site, not a march on Washington, let's try to be able to joke around a little.

Rene Ritchie says:

The surveys have been done. Google is your friend :)

GeniusUnleashed says:

Only one I could find said slightly over half don't use pass codes and that was done in 2011.

Honestly, if someone tells me that using a pass code is too cumbersome for them, I'll ask them where they park their car. Lazy people deserve to have their shit stolen. I know that's harsh, but it's such a stupid American response, when the rest of the world is doing all they can to protect their lives. Sure in a perfecrt world, no one would steal, and Antelope would be able to kick a Lion's ass and not get eaten by it. American's complain about data not being secure from the NSA and then don't take basic precautions like using a 4 digit passcode.../facepalm.

And before you say it, it's not other people's responsibility to use technology to allow people to be lazier and dumber. The job of technology is to allow us to use our brains for higher functions and be smarter.

Oletros says:

Still trying to grasp how Google doesn't care with security

Oletros says:

Yap, this is what Bajarin and you have done. He has started from a wrong and false claim and has arrive to a conclusion he had since the beginning.

Rene Ritchie says:

What's wrong and false about it?

GeniusUnleashed says:

The grass is always greener...

Oh, we're not throwing out random idioms?

Come on Rene, Oletros made a serious comment. You didn't backup your "google doesn't care about security" with any data as to how you came to support this statement.

You changed the article to be more about accessing a phone, I get that. All Android phones have the choice between passcodes or designs to enter. And they even made it better by dragging the unlock pic to an app to auto launch that app. It took years just to get Apple to let us launch the camera app faster. Please elaborate.

Rene Ritchie says:

I didn't say Google doesn't care about security.

GeniusUnleashed says:

Your support of Bajarin's quote implied you agreed with it, my bad if you don't think that.

Oletros says:

"Google doesn't seem interested in security yet"

Then someone hacked your account because you wrote this

Dino Rodriguez says:

Why does everyone seem to be so excited about Apple's alleged fingerprint authenticator? Hasn't Motorola already done this a little over two years ago with the Motorola Atrix?

Mind you, if rumors are true, good for Apple but, this isn't at all groundbreaking if an OEM has already implemented this type of security onto one of their devices. Where was the press then?

GeniusUnleashed says:

This is an Apple site, a walled garden site. They refuse to comment on the enemy :P

Rene Ritchie says:

I use Google as much as I use Apple. However, I don't feel the need to troll Android sites, that's something I don't even really understand.

People did tablets before Apple too. Apple is almost never first when it comes to ideas, their success has been due to mainstream friendly implementations.

Dino Rodriguez says:

I'll definitely agree with you about Apple not always necessarily being first with new technologies or software.

But, as for the trolling... Uh, I actually never feel the need to troll iSites ~ most of us use news aggregators with keywords such as "Android" so, when I saw the title of your article, I felt the need to read about Apple's latest "new" feature and thought it odd there's never [ever] any mention about Motorola ever implementing the fingerprint scan on one of their older devices.

Anyway, no trolling here, I hope my comment didn't give you that impression. I simply wanted to inform the many iFollowers here thatApple wwasn't the first to have this feature.

williamsbh76 says:

The difference is that Apple has the name branding and brand recognition to bring it mainstream, especially if they advertise it from the point of view of security alongside convenience. Call it luck or timing, but with all the NSA info stealing, Chrome password encryption, and media/government attention to phone theft going but Apple may have timed this just right.

Sadly, for Motorola, no one cared at the time or saw the security benefits of what they were trying to bring to the table. I hate it too because Motorola was always at the top of the heap on push to talk technologies that lost their way because the networks they partnered with refused to grow. Combining PTT, and a convenience/security feature like a fingerprint scanner, and developing their own hybrid version of the Android OS with more security features could have put them in the heart of enterprise sales and service.

BB fan forever says:

Wow Rene, I think this article is going way out of hand. I think the fingerprint scanner would be a good way for the gov't to get fingerprints from people. It's neat but it's also 1 more way to get stuff from the people really easy. What do you think?