SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 110: Security and Privacy in iOS 12

Posted on October 11, 2018

It’s finally here! On September 17, Apple introduced iOS 12, the latest version of the operating system that makes our iPhones and iPads tick. Packed with a ton of new features, there’s more to iOS 12 than new Animojis and screen time monitoring services. Even a quick look reveals that it’s filled with all kinds of security goodies, too. In this week’s discussion, we’ve taken a deep dive into the changes to see for ourselves what Apple has done to increase mobile security and privacy. What have they implemented to safeguard our devices further to keep those ne’er-do-wells away? We’ll answer those questions today. On our list for today:

  • Slick new security improvements
  • Privacy and safety changes
  • What you can do with iOS 12 right now

So, what do you need to know about what’s new in iOS 12?

Slick new security improvements

Most of us know just how vital two-factor authentication can be when it comes to keeping our accounts safe and secure from prying eyes. Even if someone manages to steal your username and password in a data breach, they won’t be able to penetrate your account if they aren’t able to get the one-time passcode sent to your phone when 2FA is enabled. While it’s not an impenetrable wall, it’s an excellent way to secure your accounts and apps right now. However, it can be a little annoying to use.

Let’s say you’re logging in to your bank’s website on your phone, and once you supply your password, the bank texts you a login code. If you weren’t fast enough to memorize the digits before the notification banner disappeared, you’d need to switch to your Messages app, copy the code, return to the browser, and then paste or type it into the two-factor field. Not only is this time-consuming, but it can sometimes create enough frustration that you wish you didn’t have to deal with it at all. With the new Security Code Autofill feature in iOS 12, you don’t have to worry about it anymore!

Now, when you receive your two-factor code from the bank via a text message, if you are still on the login screen requesting the code, your iPhone will paste the numbers automatically. That’s right: iOS will automatically detect the presence of a two-factor code and supply it to the website or app that needs it without any further interaction on your part. It’s that easy! Surveys have shown that there is an abysmally low rate of adoption for two-factor among most users, with ease of use being the biggest complaint people have. With this new iOS feature, Apple’s taken an important step towards encouraging more widespread adoption.

There are some concerns about it, though, primarily from researchers in Europe. Across the pond, banks confirm the validity of transactions ordered from user accounts by texting a one-time code known as a Transaction Activity Number. This number must then be input into a form on the bank’s site or app, confirming that a user wishes to send a particular transaction. Some are concerned that Security Code Autofill could grab this info and present it in a potentially vulnerable manner — though for now there is no clear indication of a risk, and US users won’t need to worry. This is something to keep an eye on, though.

Next up: Apple makes a move in iOS 12 to eliminate all your excuses for not using strong passwords. For a while now, the iCloud Keychain has been able to suggest passwords for you to use when you create an account on a webpage in Safari. Apple’s gone two steps farther now in an effort to help reduce the problems that weak passwords often create. First, passwords auto-generated by the Keychain will now be stronger, with a more complex generation method and more variety in the strings it produces. More importantly, though, Apple’s made two other changes: better integration for password management apps, and built-in duplicate detection.

In the latter case, if you primarily use Keychain as your method for securely storing logins in your iPhone, you’ll now be able to see where you’ve re-used passwords. Anyone who’s listened to The Checklist for a while knows this is one of our most frequently repeated pieces of advice: don’t re-use passwords anywhere! Every service you use should get its own separate, unique password. When viewing your stored Keychain passwords now, you’ll notice a small warning symbol near entries that contain duplicates. This is your hint to change them immediately.
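To make the idea behind that warning symbol concrete, here is a reuse check written as an added example; it is not Apple's code and says nothing about how Keychain does it internally. The vault entries are constructed sample data, and the function names are made up for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample entries (site, username, password); not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "pat", "correct-horse-battery"),
    ("mail.example", "pat@mail.example", "Tr0ub4dor&3"),
    ("forum.example", "pat42", "correct-horse-battery"),
    ("shop.example", "pat", "Tr0ub4dor&3"),
    ("photos.example", "pat", "x9!kQ-uniq-7fLm"),
]


def find_reused_passwords(entries):
    """Return sorted lists of sites, one list per password used on 2+ sites."""
    # A random per-run HMAC key makes the digests useless outside this
    # process, so the audit never builds a stable, crackable hash list.
    key = secrets.token_bytes(32)
    groups = defaultdict(set)
    for site, _user, password in entries:
        # Passwords are compared exactly: no case folding, no trimming.
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].add(site)
    # Two accounts on the same site do not count as cross-site reuse.
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def flag_entries(entries):
    """Map each site to True when its password also protects another site."""
    shared = {s for group in find_reused_passwords(entries) for s in group}
    return {site: site in shared for site, _user, _pw in entries}


if __name__ == "__main__":
    for site, reused in flag_entries(SAMPLE_VAULT).items():
        print(f"{'[!]' if reused else '   '} {site}")
```

Every site marked `[!]` shares its password with at least one other entry, which is the cue to replace it with a freshly generated one.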

Speaking of password management, though, are you a big fan of 1Password or a similar service? The convenience they offer is hard to beat, but until now, there’s been no direct way to access your password vaults in the same way as your Keychain. That changes with iOS 12, which now allows you to adjust your Settings to include access to your password managers’ vault right on the app or webpage. You’ll just tap the prompt that displays a picture of a key and the word “Passwords” to access your vault. With iOS 12, protecting your online presence and logging in securely is easier than ever.

On top of all this, Apple has also included plenty of bug fixes and security vulnerability patches in this version of iOS. In fact, it corrects such a wide number of problems that it would be worth the upgrade just to make your phone more secure on this basis alone. Some of the biggest bugs squashed in iOS 12 include:

  • A bug in iTunes in iOS that could have allowed bad guys to create fake password prompts after a user visited a website with the malicious code lurking on it
  • A vulnerability that would’ve let someone with direct access to your device use an exploit to view Messages you’d already deleted
  • A similar bug that affected deleted Notes and even browsing histories
  • And dozens of garden-variety bugs and loopholes that would allow ne’er-do-wells to run arbitrary code, steal data, or access parts of your system that should remain restricted

We could probably dedicate an entire show just to examining the security fixes implemented in iOS 12 — but you could just as easily glimpse Apple’s changelog for yourself to see the laundry list of reasons to hit the “update” button today.

Privacy and safety changes

Security isn’t the only thing that iOS 12 does better than its predecessors. Beyond making it easier to use the web safely, Apple has also continued honoring its commitment to user privacy with everything from the full rollout of USB Restricted Mode to several other privacy and safety-related features. USB Restricted Mode has come up on the show a few times, but in case you’ve missed out, here’s a brief refresher:

Apple began developing this mode after it became clear that third-party devices, like the GrayKey, were being used by law enforcement to break into iPhones that were locked with a passcode. Because it’s still not clear precisely how these “black box” devices work, Apple chose to simply close off their primary infiltration route: the Lightning port. With USB Restricted Mode, no “USB accessories” can transmit data over the Lightning port once one hour has elapsed since the last time you unlocked your phone. You can still charge the device, but not use any accessories.

Now with iOS 12, Apple is not only talking more about the setting, but they’ve gone so far as to enable it by default. In spite of (or perhaps because of) the fact that law enforcement agencies were the ones primarily using GrayKey (see Episode 88 of The Checklist, GrayKey’s Anatomy), they say that it’s just another move meant to make users safer. Apple told TechCrunch the following:

“We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data. We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”

Whatever the reason, you can now rest assured that if your locked iPhone falls into the wrong hands, you don’t have to worry about someone breaking into it — for now.

What else? Web browsing is getting more private than ever, and that’s in the wake of some already substantial improvements Apple has made in previous revisions of iOS. Tracking cookies, those pesky little bits of data that advertisers use to see where you go on the Web so they can target you with ads more effectively, have already been locked down in Safari on iOS for some time now; many are blocked by default, and first-party cookies created by websites you trust are only retained for 30 days.

However, social media giants like Facebook have another way to track you around the web: the ubiquitous “share” and “like” buttons you see practically everywhere you go online today. Apple says “enough is enough” in iOS 12, completely blocking these boxes and their functionality when you aren’t directly interacting with them. You’ll get the option to allow them if you do use them, of course, but you won’t need to worry about looking over your shoulder for the all-seeing eye of Facebook.

Similarly, Safari will work to put an end to “fingerprinting” as you browse the web. With no tracking cookies to use, advertisers start looking for other ways to identify user browsing habits — and fingerprinting a specific device is one way to do that. Each device has a unique combination of information, from browser type to iOS version and more, that can be used to build a broader profile of your activity. iOS 12 will more strictly control the transmission of this info. It’s becoming easier to browse on your phone with less concern about inadvertently leaking private information!

What you can do with iOS 12 right now

So, with all these changes, what can you do to make your iPhone more secure right now? The good news is that pretty much all these settings are already enabled by default in iOS 12, and the new behavior they introduce will be easy to spot. For example, password integration with your manager apps will occur directly in password prompts, and you won’t need to do a thing to make sure that your web browsing in Safari is precisely what Apple intended it to be with this release. However, for those who like to tinker with settings, there are a few places you can look to make sure everything is as you like it.

Want to check on USB Restricted Mode, or need to temporarily disable it to be able to use one of your USB accessories for an extended period? Visit the Settings app, then tap on Touch ID & Passcode. A slider near the bottom labeled “USB Accessories” is what you’re looking for; by default it’s disabled, meaning authentication is required to use accessories after one hour. Flip the switch if you want USB accessories to have access all the time, but keep in mind this mode is not recommended.

Apple has also thrown in a convenient automatic update feature, bringing to iOS a tool that’s more common on desktops. Now, when the company releases bug fixes and security updates in between major versions, you can allow your phone to download and install them all on its own. No more worrying about whether you have protection from the latest threats! If you want to check the setting, or if you need to turn it off to ensure that you don’t go over your data plan, within Settings, tap General, followed by Software Update. The setting is toggle-able from this screen.

Don’t have two-factor on your Apple account yet? Take advantage of it and the new Security Code Autofill by tapping your Apple account name in Settings, then visiting the Password & Security screen. From here, you can quickly enable two-factor. With the amount of info attached to our iCloud accounts these days, adding 2FA can’t hurt.

As a final word of advice, if you’d like to take advantage of the new ability to view duplicate passwords stored in your Keychain, it’s easy to take steps to enhance your security. Visit “Website and App Passwords” under the “Passwords and Accounts” pane, then plug in your keychain password. Afterward, you’ll be able to see all the passwords you’re allowing your device to manage currently. Any sites that have a duplicate password from another entry will be identified with a small warning sign — take this as the perfect opportunity to change your passwords and test out the new generation capabilities Apple introduced. This way, you can enjoy the ease of access to your data everywhere, without the concern that comes from weak passwords.

With these tips in the bag, we’ll bring this week’s discussion to a close. It’s certain that we’ll see more tweaks and changes whenever iOS 12.1 eventually makes it out to the public, but for now, enjoy the enhancements and additions you can experience right now. If you haven’t upgraded yet, what are you waiting for?

While you tinker and play around with the new settings your phone gains upon upgrading to iOS 12, why not catch up on some episodes of The Checklist you might’ve missed? You can also head back into our archives to check out shows on an array of topics we mentioned today, including two-factor authentication, tracking cookies, GrayKey, and more. Alongside the full show notes, you’ll find an easy way to listen to every show we’ve done up to this point — and you’ll find future shows there, too!
