iOS 11 security isn't a 'horror story', it's a balancing act for *your* protection

iPhone passcode (Image credit: iMore)

Fail safe vs. fail secure. Convenience vs. security. When you discuss issues like encryption and backups, these are the debates — and in some cases, massive divides — you encounter. Information security experts will insist that everything needs to be locked down so tightly that even you have trouble getting into it. Backup experts will tell you most people suffer from data loss far more often and devastatingly than they ever do data theft.

Bricks vs. windows

iOS was built with security in mind from the start. With iOS 7 and the iPhone 5s, which introduced the Secure Enclave, it became something akin to a crypto brick. More recently, though, Apple has taken a few deliberate steps back. In certain cases, the company has made the system fail safe instead of fail secure.

Personally, I don't like or agree with some of these changes. I grew up with computers and I'm a power user who understands encryption, uses unique, pseudorandom passwords, and has no trouble managing two-factor and device policies.

I do have enough perspective-taking ability, and I've dealt with enough family and friends who've been locked out of their own devices, accounts, and data, to see the other side of the dilemma.

From ElcomSoft blog:

We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.

Not anymore. The release of iOS 11, which we praised in the past for the new S.O.S. mode and the requirement to enter a passcode in order to establish trust with a new computer, also made a number of other changes under the hood that we have recently discovered. Each and every one of these changes was aimed at making the user's life easier (as in "more convenience"), and each came with a small trade off in security. Combined together, these seemingly small changes made devastating synergy, effectively stripping each and every protection layer off the previously secure system. Today, only one thing is protecting your data, your iOS device and all other Apple devices you have registered on your Apple account.

The passcode. This is all that's left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.

The issues pointed out are predicated on an attacker having both physical custody of your device(s) and knowledge of your passcode. And that's as close as you can get to a "game over" scenario anyway, at least without additional roadblocks that can be extremely disruptive to customers.

Even then, with your device and your passcode, someone could already access all your iCloud Keychain items, use your email account and SMS to reset passwords on other systems, and could otherwise gain access to a degree that makes everything else sensationalized in the ElcomSoft article functionally bullshit.

And without existing knowledge of your passcode? Well, you're looking at an attacker with intent and resources beyond what the FBI initially claimed it had in the San Bernardino case.

What's changed?

With iOS 11, the device passcode, which can be as simple as six digits, can be used to reset the encrypted iTunes backup password (through Reset All Settings) and even the Apple ID password (from a trusted device).

Based on Apple's usage data and support logs, my guess is that they found mainstream customers were unable to access their own backups or accounts far, far, far more frequently than anyone was ever trying to illegitimately gain access. That was part of the reason for the change from the old two-step authentication system to the new two-factor authentication and for some of the policies around how iCloud Photo Library, for example, works.

Again, as a power user, I don't like some of this. I don't like that the device passcode can reset the Apple ID password. But I've dealt with enough people who have no idea what their Apple ID is that I understand the need to balance loss vs. theft. I understand that, for some of my friends, losing access to the photos of their children because they couldn't remember a backup or account password would hurt them far more than some theoretical attacker gaining access to them. And it is absolutely not my place or right to judge them or anyone else based on that difference in priorities.

Especially because security conscious people like myself have other options.

What can you do about it?

If you're at all concerned about the passcode as an attack vector, switch from a 6-digit passcode to a strong alphanumeric password. You can do that in Settings > Touch ID & Passcode (Face ID & Passcode on iPhone X) > Change Passcode > Passcode Options > Custom Alphanumeric Code.

It means sacrificing some convenience — because passwords are harder and take longer to enter — to regain security, but with Touch ID and Face ID, you won't have to enter it that frequently anyway.

If someone knows your strong alphanumeric password, they'll still be able to change your security settings, but the odds of someone cracking a strong alphanumeric password are far, far, far lower than the odds of cracking a 6-digit passcode. The practical weakness of a short passcode is also less about brute force on the device, which the Secure Enclave rate-limits with escalating delays, than about someone watching you enter it in public. (And if that's the threat level you're facing, you likely shook your head and walked away long before reading the article linked to here.)
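To put numbers on the passcode-length argument, here is an added worked model (not code from the article or from Apple) of how long it takes to try every passcode on the device. It assumes, from Apple's published iOS Security Guide, that one passcode derivation in the Secure Enclave costs about 80 ms and that failed attempts are delayed on the schedule 1-4: none, 5: 1 minute, 6: 5 minutes, 7-8: 15 minutes, 9 and later: 1 hour; the "no lockout" column models a tool that bypasses the attempt counter but still pays the per-attempt derivation cost, which is the floor that passcode length sets.

```python
"""Cost of guessing an iOS passcode on the device, as a worked model.

Added example for this article, not Apple's numbers verified on hardware.
Assumptions, taken from Apple's published iOS Security Guide: one passcode
derivation in the Secure Enclave takes about 80 ms, and failed attempts are
delayed on an escalating schedule (attempts 1-4: none, 5: 1 min, 6: 5 min,
7-8: 15 min, 9 and later: 1 hour). Everything is in integer milliseconds so
the results are exact.
"""

DERIVATION_MS = 80          # per-attempt cost that no lockout bypass removes
MS_PER_HOUR = 3_600_000
MS_PER_YEAR = 365 * 24 * MS_PER_HOUR


def lockout_ms(attempt: int) -> int:
    """Lockout imposed before the given 1-based failed attempt."""
    if attempt <= 4:
        return 0
    if attempt == 5:
        return 60_000
    if attempt == 6:
        return 300_000
    if attempt <= 8:
        return 900_000
    return MS_PER_HOUR


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes for a fixed length and alphabet."""
    return alphabet_size ** length


def ms_to_exhaust(space: int, enforce_lockout: bool = True) -> int:
    """Worst-case time to try every candidate in the keyspace.

    With enforce_lockout=False this models a tool that bypasses the
    attempt counter but still pays the Secure Enclave's per-attempt
    derivation cost (the floor that passcode length sets).
    """
    total = space * DERIVATION_MS
    if enforce_lockout and space > 0:
        head = min(space, 9)                          # first nine attempts vary
        total += sum(lockout_ms(i) for i in range(1, head + 1))
        total += max(0, space - 9) * lockout_ms(9)    # then one hour each
    return total


def hours(ms: int) -> float:
    return ms / MS_PER_HOUR


def years(ms: int) -> float:
    return ms / MS_PER_YEAR


def compare() -> list:
    """(label, hours with lockouts bypassed, years with lockouts enforced)."""
    cases = [
        ("4-digit PIN", keyspace(10, 4)),
        ("6-digit PIN", keyspace(10, 6)),
        ("8-char lowercase+digits", keyspace(36, 8)),
    ]
    return [(label, hours(ms_to_exhaust(s, False)), years(ms_to_exhaust(s, True)))
            for label, s in cases]


if __name__ == "__main__":
    for label, h, y in compare():
        print(f"{label:24s} no lockout: {h:14,.1f} h   with lockout: {y:14,.1f} y")
```

With the lockout schedule enforced, even a 4-digit PIN takes over a year to exhaust, and a 6-digit one over a century; with the schedule bypassed, a 6-digit PIN falls in under a day at the 80 ms floor while an 8-character lowercase-plus-digits passcode takes thousands of years. That is the gap the alphanumeric option buys you, and it is why a leaked or observed passcode, not brute force, is the realistic way a short passcode fails.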


There are also mobile device management (MDM) solutions, including Apple Configurator and third-party, enterprise- and government-level tools, that let administrators and organizations lock down iOS to a significantly higher degree than the consumer-oriented, built-in features allow, for example by requiring an alphanumeric passcode of a minimum length and wiping the device after a set number of failed attempts. That's why Apple has been adding such controls since iPhone OS 2.0 (configuration profiles), with formal MDM arriving in iOS 4.
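As an added example of what that lockdown looks like in practice (my code, not the article's and not Apple's), the script below builds a passcode-policy configuration profile and audits an existing one against a baseline. The payload type `com.apple.mobiledevice.passwordpolicy` and its keys are the ones in Apple's Configuration Profile Reference; the organization name, identifiers and display names are made up for the example, and the output is the XML plist that a .mobileconfig file contains, which Apple Configurator or an MDM server would deliver to the device.

```python
"""Generate and audit an MDM passcode-policy configuration profile.

Added example, not code from the article or from Apple. The payload type
com.apple.mobiledevice.passwordpolicy and its keys are the ones documented
in Apple's Configuration Profile Reference; the organization, identifiers
and display names are made up for the example.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_policy(min_length: int = 8, max_failed: int = 10,
                    max_inactivity_min: int = 5) -> dict:
    """Passcode payload that forces an alphanumeric passcode on the device."""
    return {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.baseline.passcode",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,              # a passcode is mandatory
        "allowSimple": False,          # no repeating or sequential characters
        "requireAlphanumeric": True,   # letters and digits, so no 6-digit PIN
        "minLength": min_length,
        "minComplexChars": 1,          # at least one non-alphanumeric character
        "maxFailedAttempts": max_failed,      # device wipes after this many
        "maxInactivity": max_inactivity_min,  # minutes until auto-lock
        "maxGracePeriod": 0,           # passcode required immediately on lock
    }


def build_profile(payloads: list, organization: str = "Example Corp") -> dict:
    """Wrap payloads in the top-level Configuration profile envelope."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.baseline",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Security Baseline",
        "PayloadOrganization": organization,
        "PayloadContent": payloads,
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize as the XML plist that .mobileconfig files contain."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(mobileconfig: bytes) -> list:
    """Return baseline violations for the passcode payload(s) in a profile.

    An empty list means the profile meets the baseline; a profile with no
    passcode payload at all is reported as a violation too. Missing keys
    are judged by Apple's defaults where they are permissive (allowSimple
    defaults to true) and treated as violations otherwise.
    """
    profile = plistlib.loads(mobileconfig)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode policy payload present"]
    problems = []
    for p in payloads:
        if not p.get("forcePIN", False):
            problems.append("forcePIN must be true")
        if p.get("allowSimple", True):
            problems.append("allowSimple must be false")
        if not p.get("requireAlphanumeric", False):
            problems.append("requireAlphanumeric must be true")
        if p.get("minLength", 0) < 8:
            problems.append("minLength must be at least 8")
        if "maxFailedAttempts" not in p:
            problems.append("maxFailedAttempts must be set")
        if p.get("maxGracePeriod") != 0:
            problems.append("maxGracePeriod must be 0")
    return problems


if __name__ == "__main__":
    good = to_mobileconfig(build_profile([passcode_policy()]))
    print(good.decode())
    print("violations:", audit_profile(good))
```

Running the script prints the profile and an empty violation list; feeding `audit_profile` a profile exported from your own MDM tells you whether it still permits the simple six-digit passcode the article is worried about. Note that an unsigned profile like this one can be installed manually but is shown to the user as unverified; production profiles are signed by the MDM server.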

Continuing the conversation

There are some interesting if overly sensationalized points raised by ElcomSoft, and this is an incredibly important discussion to have. It's also one that the security and backup communities have been arguing over since the inception of bits.

People and certainly the internet aren't often good at handling situations where multiple truths exist and the needs of different people are at odds with their own.

I do think we've swung between being too secure and too convenient over the years and that we continuously need to find both a better balance and better options for everyone. And that's why Apple's security team has been iterating so aggressively on all of this over the last few years.

I'd love to see an option to turn off passcode as a reset vector for those of us who don't want or need it, but then again, I use a password so I probably wouldn't want or need that setting anyway. And that's how these loops begin.

For now, iOS 11 is doing a good job making sure people don't lose access to their data while providing alphanumeric password and MDM options for those of us who want to make sure our data is better protected as well.

But let me know what you think.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • This sounds very, very strong to me: "If you use two-step verification and you sign in on a device running iOS 11 or macOS High Sierra, your Apple ID is automatically updated to two-factor authentication. After your account is updated, you have the option to generate a new recovery key. "When you generate a new recovery key, you turn off other account recovery methods. Then THE ONLY WAY TO RESET YOUR PASSWORD OR REGAIN ACCESS TO YOUR ACCOUNT IS TO USE YOUR RECOVERY KEY."
  • It appears there is no such option. I’m still looking but not finding.
  • Well, that’s settled then. There is no way to generate a recovery key. This option was only available to those that were automatically upgraded to 2FA. As per MacWorld... “Apple will let those who went through this two-step to 2FA upgrade process use a Recovery Key, even though it’s not available to any new account users or anyone who manually switched from two-step to 2FA before now.” This means that the only thing one can do now to protect themselves in the event of a security breach is to limit the damage as much as possible to iOS and Apple devices only. There is no way to prevent it. If somebody gains access to your iOS device and password your Apple system is permanently compromised, period.
  • Just read the whole ElcomSoft article. I was not even aware that such radical changes were made to the security layer in iOS 11. I do not believe that these were invited by user need so much as an answer to mounting pressure by law enforcement to provide a single point of access that would avoid the headaches they experienced up to date. In other words, it is the equivalent of providing a back door that isn’t obviously open but still relatively easy to crack. For my part, after reading the blog, I am thoroughly unimpressed by the changes. Part of the reason why I choose iOS over Android is because of its security. So much of our life is on our smart devices these days and this means that losing such a device or having it in the hands of somebody malicious can be devastating. iOS has the protections in place that at least offered one the ability to recover from such a loss in a reasonable way. The new changes make it very likely for the malicious party to be able to gain full access not only to your device but to *everything* Apple that you own. Depending on how extensive your use of Apple and its convenience features is, the *everything* might also involve all other services not related to Apple, like your Google account, Facebook, Instagram, cloud storage, work accounts, everything - literally. Not only gain access, but control too. This is a horribly scary prospect. Rene, I feel like your piece downplays the magnitude of these changes. For me, it appears that I will now have to start adopting some of the same strategies I use on Android to protect my data against potential intrusion. No more iCloud Keychain for one, and now I have to set up the recovery key (if possible, as suggested in the comment above) to prevent reset without this key. Funny that this seemingly convenient change would cause me more inconvenience.
  • I had absolutely no idea of these changes. I'm sorry, but giving you the ability to reset your Apple ID password (and change 2FA trusted phone numbers on top of that) from a single device passcode, without the need for security key or backup password, is simply daft beyond belief, whichever way you look at it. I'll probably need to spend a day or two thoroughly reviewing my Apple-related security settings and practices again.
  • Daft is an understatement. Why even bother with 2FA when you have a single point of failure now? These changes are astoundingly thoughtless at best, amateur and downright stupid at worst.
  • > I'll probably need to spend a day or two thoroughly reviewing my Apple-related security settings and practices again. Yes, this. I am going to have to enable Touch ID simply because I can no longer risk using my passcode in public. I may also consider simply signing my phone out of everything iCloud. For starters, I have turned off iCloud Keychain. A "horror-show" is exactly the right description of this situation.
  • If memory serves, at one point in the not-too-distant past you needed your passcode for certain things and your Apple ID password for other things. If the two are now effectively equivalent then this represents a change (and a significant one). Pretending that nothing has changed is not helping anything.
  • "But is Apple balancing it right?" Nope.
  • I was shocked after I downloaded iOS 11 to find that Passwords and Accounts showed Passwords in plaintext!
  • Rene, correct me if I'm wrong. I have 15+ alphanumeric passphrase that nobody knows. If that password, remains only with me, then there really is no harm here, right?
  • From the podcast: "It sounds terrible" - that is because it is terrible. It's 100% accurate. Dismissing it as bullshit is criminal. Just because there are a "lot of things" you can access with a passcode does not mean that it is right to just give away everything else. Even with the passcode, the device is encrypted and access to data is (was!) mediated by the software. Apple giving away the Apple ID account is awful and needless. Resetting the backup password means the software control is completely bypassed. Anything on the device is now free to access where it was not before. If you preferred to use a passcode to unlock your device (because Touch ID is too easily forced) you might no longer want to do that because the passcode is now the basket containing all the eggs - you dare not use it in public. I get that Apple may have had to make alterations to accommodate its customers, trade-offs happen all the time. To pretend that the security architecture of iOS has not been radically altered (and diminished) is pure misinformation.
  • Looking forward to Health Records. Hoping my hospital utilizes this fairly quick.
  • “...hoping my hospital utilizes this fairly quick”. I think you mean implement. The word “utilize” is often used in a pretentious-sounding sentence: “If you utilize this brand of printer, you will go far.” A sentence like that sounds fluffy and overly important, and it gives readers the impression that you’re trying too hard. Most of the time you can avoid the verb “utilize”; “use” works just fine. So if you’re in marketing or PR, you can just use “use”; it’s probably not a good idea to utilize “utilize.” In a similar vein, please avoid the word “utilization.” It does your sentence no good. Surprisingly, “utilize,” a 19th-century loanword from French, does have very specific and valid uses, mostly in the scientific world. The word “utilize” often appears “in contexts in which a strategy is put to practical advantage or a chemical or nutrient is being taken up and used effectively”. For example, according to the American Heritage Guide to Contemporary Usage and Style, you might hear “utilize” properly used in a sentence such as “If a diet contains too much phosphorus, calcium is not utilized efficiently”. So if you're a science writer, you might find yourself using the word “utilize.” If you’re just a regular person writing a regular sentence, you should probably just stick with the word “use.”