Security and identity as a service, and how Apple could lead the way

Security as a service, with Apple leading the way

As rumors keep swirling about the fingerprint scanner Apple will be introducing with the iPhone 5s, the subjects of mobile security and identity keep getting raised. Passwords are an absolute pain in the ass on mobile, and identity is a problem that not only hasn't been solved, but that some companies either lack interest in solving, or lack the trust necessary for us to want them to solve. Industry analyst Ben Bajarin - listen to him on the latest Vector podcast - thinks that leaves the door wide open for Apple. From Tech.pinions:

Security as a service could become a key differentiator for Apple products and a driving reason to choose Apple products over others. But even more interestingly, their competition (Google) doesn't care about security. It is a battle field their core perceived competitor has no interest in playing on. And that makes it all the more important.

It's important to distinguish between different meanings of the term "security". This isn't privacy protection on a governmental scale. Sadly, it doesn't look like any of the major players, Apple included, is willing or able to stand up to governments - legally, illegally, or questionably - demanding access to our communications and other data. (See the ongoing NSA scandal).

This is perhaps better termed authentication or identity as a service, where a mobile device ascertains with a certain standardized degree of certainty that we are who we say we are, and that's used to allow us access to the device, to our login systems like iCloud Keychain, to payment systems like a future version of Passbook, and to other services linked to the chain.

It could be a huge business for anyone who can provide a sane, simple solution. Sanity and simplicity are both among Apple's traditional strengths.

Check out the rest of Bajarin's article for more.

Source: Tech.pinions


Rene Ritchie

EiC of iMore, EP of Mobile Nations, Apple analyst, co-host of Debug, Iterate, Vector, Review, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.


Reader comments



Uh oh Rene, lol you called out Google! Prepare to be besmirched by trolls! But seriously, I wasn't going to upgrade to the 5s but a finger print scanner may actually have me sold because I have a lot of sensitive info in my phone from personal finances to access to some work files. We will see.

Google doesn't seem interested in security yet, that's not calling them out. I'd love for Google to make it a feature war.

Google just encrypted their entire cloud (it was the top news story three days ago). How on earth is that not being interested in security?

Different kind of security. I updated to make it more clear.

Also, encrypting a cloud and giving NSA a backdoor isn't really secure either ;)

So now you are arguing that Google has no interest in "authentication or identity as a service", a feature they released over two years ago on Android?

Please don't troll here. You'll get removed. Make it personal, you'll get banned. Last warning.

Also, I'm not a conspiracy theorist, and I don't think this applies to Google alone (all major tech companies). But before you defend Google - and notice I'm at no point defending Apple when it comes to privacy - give this a read:

Don't defend companies that should be defending us. Don't take personal slight on behalf of companies that don't treat us like people.

@René: I'm still not sure why you're menacing this guy...

I don't think he's a troll...
Stop abusing people!!!

Without readers, this blog will be nothing!!!!

I would also point out that security has not been a major concern for Google. Their whole issue is to catalogue the world's information and make money off of it. Not to mention, it was only a couple of weeks ago that all the media fall out occurred because "everyone" suddenly realized that Chrome doesn't encrypt passwords. Google blew the whole thing off as not an issue and therefore will not fix it.

I hear you and I'm with you. A feature war would mean better security and hopefully more convenient security for us, the consumer. I just knew that because you even mentioned Google or quoted someone else who has mentioned Google would bring the fall out, hence @richard451's and @Trappiste's comments below.

Thinking like this "But even more interestingly, their competition (Google) doesn’t care about security." is why analysts get mocked as being idiots. This guy is just the latest addition to the cesspool.

They added Find my Phone this year. That's not exactly the fast track on their priority list. No need to be so defensive.

"Find my Phone" has nothing to do with security. It's not being defensive, it's taking a stand against bad journalism.

Your inability to generate a meaningful reply aside from "you're failing to read" isn't really helping your case. It's sad that you felt the need to spread such ignorance when you really should be taking guys like this out to bjj mat, but then again you also think "Find my Phone" has something to do with security and/or authentication.

Sorry, not sure how to reply when basic things aren't being understood? What about Find my Phone is so perplexing to you?

News flash - this isn't the Wall Street Journal here.
It's a blog. Bloggers are allowed to have opinions.

Funny how "journalism" and "expressing an opinion" are the same in some people's minds. Isn't it?

Most people don't read, they just want to point out someone else is wrong on the internet. It's sad and devalues comments. Hopefully people will invest a few minutes to raise the bar and increase the value of the discussion.

Also, yeah, "journalism" isn't well understood either :)

Google is bad on security just like Apple. Both are getting better but I feel Blackberry is still the most secure. Plus, Blackberry is owned by a Canadian Company so I don't have to deal with all the NSA stuff. Any opinions or thoughts?

Since they handed the security key to almost every country they operate in, I do not see how that translates into security. BTW, iMessage is encrypted, BBM is not.

Didn't then RIM hand over BlackBerry Messenger transcripts to the authorities following the London riots a couple years ago?

They will still be around. It's still used widely in other countries. Plus, BB10 is still growing. Give it time; iOS didn't jump up quick when it first launched the first iPhone.

I think Apple cares much more about user experience than security. However, iCloud Keychain is a good step in the right direction. As for Google "doesn't care about security", take your fanboy glasses off. Android and iOS are the same at stealing data:

Report Highlights
The vast majority of free apps send and receive data to outside parties without encryption.
96% of total apps share data with advertising networks and/or analytics companies.
79% of the top 50 free iOS and Android apps are associated with risky behaviors or privacy issues. Overall, iOS apps exhibited more risky behaviors than Android apps.
Entertainment apps were the worst offenders out of the top five categories, with the highest number of apps that track for location and share data with advertising networks and/or analytics companies.
While 14% of iOS apps had access to a user’s calendar, none of the Android apps had similar access.
More than half of the total apps track for location by accessing the device GPS or using other location tracking
More than 80% of apps across categories come from different unique, individual developers.

New research from BitDefender shows that applications for Apple iOS and Google Android may have their digital eyes and hands on more user data than you think.

Using their Clueful app, researchers at BitDefender examined how apps for Android and Apple's iOS treated private data, such as location information and contact lists. What they found may seem startling -- of the 207,843 free applications for iOS, 45.41 percent have location-tracking capabilities, whether they used them or not. Of the 314,474 free applications for Android, the percentage was 34.55.

When it comes to having the ability to read contact lists, the numbers were 7.69 percent for Android and 18.92 percent for apps designed for iOS. An iOS app called "3D Badminton II" (v. 2.026), for example, reads contacts' emails and sends them to a server in Hong Kong.

"Among the most interesting pieces of information for an advertising network are e-mail addresses and unique device IDs/IMEI," according to the report. "This data also may be shared with third parties to, for example, send consumers behaviorally targeted advertisements, according to a recent Federal Trade Commission report."

"About 14.58% of the Android applications may leak your Device ID and 5.73% of the total number of apps may leak your e-mail," the researchers note. "Again, iOS applications appear to be more focused on harvesting private data than those designed for Android."

Some examples for iOS include Ringtone Maker version 1.7, which sends the device ID to "," and 'aradise Island: Exotic (v. 1.3.14), which sends the device ID to a number of third-party websites. Meanwhile, an Android app called Logo Quiz Car Choices (v. shares email addresses, the researchers found.

"Most people do not pay attention to the permissions required by the application they are about to install for a variety of reasons," observes Bogdan Botezatu, senior e-threat analyst at BitDefender. "They may not realize that those permissions are important in any way for the security of their device. They may not understand what each permission means and how it impacts the security of the terminal, or may not have other options but to accept the permissions if they want that application to run on their device. This is actually one of the most important shortcomings of Android -- the fixed permission model that asks you to go all in with the permissions or else you're not going to be able to run that application."

Android security has been in the spotlight during the past few days, as vendor Bluebox Security announced plans to release details of a serious Android vulnerability exploit at the upcoming Black Hat security conference in Las Vegas. According to Bluebox Security, the vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, enabling a bad actor to modify APK code without breaking the cryptographic signature. The vulnerability only comes into play, however, in the case of applications downloaded from third-party app markets.

"Although this loophole has been present in Android devices since 2009 and is yet to be exploited by cyberthieves, the 'master key' is a major concern for consumers and also businesses, which are increasingly reliant on mobile devices for work and, moreover, accessing company data," says Grayson Milbourne, security intelligence director at Webroot. "An attacker being able to steal data or eavesdrop on calls or emails is clearly a major problem."

Judging by the extremely small number of malware incidents in the past years, most people would probably consider iOS much safer than Android, says Botezatu. However, this does not appear to be the case when it comes to privacy issues.

"We have two distinct operating systems that work differently and are built differently, and, yet, they attempt to get to the same kind of user information, as long as access to it is permitted by the application market," he says.

Point is, it sucks to have your data given to the gov't. Pics, Vids, Text, Call, etc. I personally don't like people knowing all my info. Even if I'm not doing anything bad. Any comments would be great.

Ugh, Rene, Come on. "Security as a service, with Apple leading the way"? Seriously? By "supposedly" putting a finger print scanner on the phone that's leading the way? Where was this op-ed when Google put out Face Recognition?

"Passwords are an absolute pain in the ass on mobile"? Just how lazy are you, Rene? Pressing 4 buttons to get into your phone are really that traumatizing for you? Hit the gym man, sounds like you could do with a little working out if typing in your pw is that much of a pain in the ass.

"But even more interestingly, their competition (Google) doesn’t care about security. It is a battle field their core perceived competitor has no interest in playing on. And that makes it all the more important." Yeah, because, like another poster above pointed out, Google didn't JUST encrypt all Cloud storage moving forward.

"Given everything from the NSA controversy" Last time I checked, no one has been more vocal than Google about demanding the right to share with the public just what information they shared. Sounds like what they gave out wasn't so bad and they want the American people to know it so they stop getting flamed by the press and iMore.

You're better than this article Rene.

Hey, let's keep this nice, dude. I think you went a little too far, but I do agree on the fingerprint scanner. I don't see a point but I guess some people like features.

"Passwords are an absolute pain in the ass on mobile"? Just how lazy are you, Rene? Pressing 4 buttons to get into your phone are really that traumatizing for you? Hit the gym man, sounds like you could do with a little working out if typing in your pw is that much of a pain in the ass :P

Is that better BB? It was just teasing, I know Rene isn't getting gassed logging into his iPhone.

No, I wasn't clear and you misunderstood and chose not to be classy about it.

Passwords on mobile for mainstream users is a HUGE problem. Not understanding that is part of the problem. As computers become more mainstream, it needs to be fixed.

So now, teasing you, means I'm not classy? I really don't think typing a passcode on your phone is gassing you or making you break a sweat. Lighten up Rene, I know you get trolled a lot here, and I know I'm VERY direct on this site, but at this point I'd hope you'd know I'm not intentionally hurtful.

And you keep saying PW's are a huge problem but don't back it up by saying why or how. Please elaborate, why are they a huge problem? Everyone I know, iOS and Android users alike, uses a pw to unlock their phone and I've never once heard anyone complain about it. It's like complaining that you have to unlock your car door. "GAWD!!! I have to unlock my car door AGAIN!? I just unlocked it 12 hours ago! And it's parked in MY DRIVEWAY!!! The travesty!"

But then you switched your argument just now and say "computers". Are we talking about computers or are we talking about smartphones? Semantics aside, I'm the only person I know locking my computer with a PW, while, like I said, everyone I know uses one on their smartphone.

Please elaborate.

I use a passcode. Your teasing, sadly, is systematic of a widespread problem in technology.

Are you aware of the percentage of users who use passcodes vs. those who don't? Those who backup vs. those who don't?

iCloud backup and Time Machine are attempts to mainstream backup. Apple is likewise attempting to mainstream authentication.

John Siracusa did a great job explaining the incorrectness of your line of thinking on the last ATP podcast, it's worth a listen.

It's not dissimilar to automatic vs. manual cars.

Technology's job is to make things easier for people. There's no room for elitism.

"Your teasing, sadly, is systematic of a widespread problem in technology." OK, how about this. You try not to carry baggage from trolls when reading my comments, and I'll tone it down and throw in a lot more :)'s and :P's, so the trolls will know I'm kidding and won't feel emboldened to be douchy to you? Deal?

"Are you aware of the percentage of users who use passcodes vs. those who don't? Those who backup vs. those who don't?" I don't, in another space I asked you to poll it, I think it would be a great thing to ask. I've never once been polled on the subject. BUT, every single person I know who uses a smartphone uses a passcode so I'm not the best person to ask.

"iCloud backup and Time Machine are attempts to mainstream backup. Apple is likewise attempting to mainstream authentication.

John Siracusa did a great job explaining the incorrectness of your line of thinking on the last ATP podcast, it's worth a listen."
I can't tell if these two thoughts were connected? Please elaborate on what you're referencing, not sure what you mean by "your line of thinking."

Automatic vs. manual. People in Europe make fun of people who drive automatic, they say only handicap people drive automatics. I prefer manual, so much more fun to drive.

"Technology's job is to make things easier for people. There's no room for elitism." Please don't talk to me like I'm other people. I know the job of technology :P

I get the impression you think I don't like the finger print scanner. Let me go on record, I could care less. I use a finger print scanner at work and it SUCKS!!! I have to try to clock in 2-4 times a day before it takes. But if Apple has it locked down, I'm fine with it. I'd much prefer quick reply for text messages over a finger print scanner though :P

I think this is the point that is not highlighted enough in both tech and non-tech venues. Security is optional in most instances and when it is required the minimum threshold is generally useless.

Getting security right on the web and with hardware is difficult even for those who live in technology; it is abstruse, tedious and frustrating for everyone else.

If Apple, or anyone, could create a foundation upon which a higher standard of security is both mandatory and simple (just works), and then integrate that with existing hardware and services, then it will give them an enormous marketing advantage over those that once again are playing catchup.

I think the key thing here will be in proving that simple can be effective. People already do simple....PW = "password123"

Wow. *Already* getting defensive about the (rumored) iPhone 5S fingerprint sensor. Already pushing the fingerprint-sensor-sucks agenda, are we?

Just face it. Technology can sometimes make life easier.
Think about that for a second.

Defensive? It doesn't exist. I'm calling him out for using a hypothetical security device. Everyone thought the new LG was going to have a finger-print sensor and it turned out to be the new volume rocker button. I love tech, but I love facts even more.

Let's debate what we have, not what we hope for.

I know I give you a lot of shit (read: tough love), especially on your op-eds, but the one thing I respect the most about you and the site, and what keeps me coming back after screaming at you through my monitor after said op-eds (:P), is the fact that you don't jump on rumors.

Still, I prefer not to debate hypotheticals. I know finger print scanners exist, but until an iPhone with it is on the market, I'd rather debate other things, no offense.

Passwords can be hacked, especially a four digit numeric password which could be hacked in just a matter of moments by even a half ass hacker. Not to mention someone simply looking over your shoulder. A fingerprint is next to impossible to replicate without some serious tech. Not to mention the convenience of a quick swipe accessing your phone.

I don't think that's Google's MO. I think they are very upfront with how they are using our data if we use their free services. I personally don't have a problem with it because their own browser allows you to turn off the ads in Gmail, I don't get ANY spam from my gmail account addresses, and I don't get unsolicited spam sent to my house. So it doesn't really affect me so far. It's not like there's some guy at Google creating a database of all our information and reading our most deepest darkest secrets. It's a computer looking at 1's and 0's to try to make our lives easier, whether it's working or not, is up to you. I use an email and emails from my own server and personal sites, but I forward everything to Gmail because I think it's the best, most intuitive email service around so far.

Read that PDF Adem Reka posted. It's pretty eye opening, if true, at just how little Apple cares for your personal information on your iPhone. It's funny, because Google, just today, changed the terms of service in the Play Store to make it even harder for apps to get your phone's info.

Google hasn't done face recognition on iOS yet. When/if they do, we'll cover it. Android Central covered it on Android, and it a) didn't work and b) hasn't become mainstream, likely because of a.

Making your reply personal and attacking me personally is a good way to be given a time out across the network, so please address the points, and not me. We can discuss without name calling, right?

Most people don't use pincodes. It's technology's job to make that simpler and easier, so more people can have better authentication.

I'm linking to an article here. Go read the article and come back and engage in an informed discussion.

You won't get an argument from me about the NSA, but I don't think anyone, including Apple or Google can be put in any positive light whatsoever when it comes to protecting our privacy.

This article, however, wasn't about that. I wasn't clear, so I updated to make it more clear.

This is about authentication, not privacy, and not that Apple is leading the way, but that there's a business opportunity for them to take if they're willing and able.

You didn't link the article, unless you meant Bajarin's? If you meant Bajarin, I don't like to debate someone about someone else's "opinion". It's too hard because we're not basing anything on facts, but...wait for it...someone else's opinion.

And I think you are 100% wrong if you think most people aren't using a passcode on their smartphones. But it's a waste to debate it. Why don't you guys throw up a survey about it, I think it would be great so we can have a reasonable debate about it. I know the people who go to this site, aren't always the "average" iPhone user, but I think it would give us more to go on when we are on opposite sides of the coin on this.

As to your other points, we're talking on a couple threads, so read my other responses to them and we can move forward from this point, hopefully with you knowing I'm not trying to hurt your feelings. I'll try to put in more :)'s and more :P so you know I'm kidding. It's a tech site, not a march on Washington, let's try to be able to joke around a little.

Only one I could find said slightly over half don't use pass codes and that was done in 2011.

Honestly, if someone tells me that using a pass code is too cumbersome for them, I'll ask them where they park their car. Lazy people deserve to have their shit stolen. I know that's harsh, but it's such a stupid American response, when the rest of the world is doing all they can to protect their lives. Sure in a perfect world, no one would steal, and Antelope would be able to kick a Lion's ass and not get eaten by it. Americans complain about data not being secure from the NSA and then don't take basic precautions like using a 4 digit passcode.../facepalm.

And before you say it, it's not other people's responsibility to use technology to allow people to be lazier and dumber. The job of technology is to allow us to use our brains for higher functions and be smarter.

Yap, this is what Bajarin and you have done. He has started from a wrong and false claim and has arrived at a conclusion he had since the beginning.

The grass is always greener...

Oh, we're not throwing out random idioms?

Come on Rene, Oletros made a serious comment. You didn't back up your "google doesn't care about security" with any data as to how you came to support this statement.

You changed the article to be more about accessing a phone, I get that. All Android phones have the choice between passcodes or designs to enter. And they even made it better by dragging the unlock pic to an app to auto launch that app. It took years just to get Apple to let us launch the camera app faster. Please elaborate.

"Google doesn't seem interested in security yet"

Then someone hacked your account because you wrote this

Why does everyone seem to be so excited about Apple's alleged fingerprint authenticator? Hasn't Motorola already done this a little over two years ago with the Motorola Atrix?

Mind you, if rumors are true, good for Apple but, this isn't at all groundbreaking if an OEM has already implemented this type of security onto one of their devices. Where was the press then?

I use Google as much as I use Apple. However, I don't feel the need to troll Android sites, that's something I don't even really understand.

People did tablets before Apple too. Apple is almost never first when it comes to ideas, their success has been due to mainstream friendly implementations.

I'll definitely agree with you about Apple not always necessarily being first with new technologies or software.

But, as for the trolling... Uh, I actually never feel the need to troll iSites ~ most of us use news aggregators with keywords such as "Android" so, when I saw the title of your article, I felt the need to read about Apple's latest "new" feature and thought it odd there's never [ever] any mention about Motorola ever implementing the fingerprint scan on one of their older devices.

Anyway, no trolling here, I hope my comment didn't give you that impression. I simply wanted to inform the many iFollowers here that Apple wasn't the first to have this feature.

The difference is that Apple has the name branding and brand recognition to bring it mainstream, especially if they advertise it from the point of view of security alongside convenience. Call it luck or timing, but with all the NSA info stealing, Chrome password encryption, and media/government attention to phone theft going but Apple may have timed this just right.

Sadly, for Motorola, no one cared at the time or saw the security benefits of what they were trying to bring to the table. I hate it too because Motorola was always at the top of the heap on push to talk technologies that lost their way because the networks they partnered with refused to grow. Combining PTT, and a convenience/security feature like a fingerprint scanner, and developing their own hybrid version of the Android OS with more security features could have put them in the heart of enterprise sales and service.

Wow Rene, I think this article is going way out of hand. I think the fingerprint scanner would be a good way for the gov't to get fingerprints from people. It's neat but it's also 1 more way to get stuff from the people really easy. What do you think?