SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 156: Watches and Warnings

Posted on September 26, 2019

This week on the Checklist, we’ll take a look at a serious security issue affecting iOS users who rely on third-party keyboards. We’ll discuss what it means to strike a balance between consumer protection and government overregulation. And we’ll take a look at the privacy implications of a watch that’s “always on”.

Here’s this week’s Checklist:

  • A third-party keyboard warning from Apple
  • How much is too much consumer protection?
  • Apple Watch privacy in an always-on world

A warning about iOS keyboards

Last week Apple released a fairly strong warning about third-party keyboards for iOS. It turns out that there’s a pretty huge flaw in the way iOS handles these keyboards. If a keyboard is designed to request full access—which can include things like password tracking and account tracking—then iOS 13 and iPadOS may grant it that access without a user ever having authorized it.

That’s not to say that the makers of these third-party keyboards are up to no good. The point of a third-party extension requesting full access is to offer additional functionality that requires network access—and the special features delivered by these keyboards (things like swipe typing, which was only just recently added to the native iOS keyboard) are a big part of the reason people use them.

But whenever word of a security vulnerability like this goes public, it opens the door for ill-intentioned folks to take advantage of it. If you trust the developer of your app or extension, then there’s not necessarily any cause for alarm—but we’ve seen enough stories of sketchy App Store apps to make us err on the side of caution.

There is good news, however: Apple took quick action and, according to the iOS support document, the release of iOS 13.1.1 and iPadOS 13.1.1 fixes the bug—so if you haven’t updated yet, take a moment to do so now.  

If you can’t remember whether or not you may have installed one of these keyboards, it’s easy enough to check. Go to Settings, and then General > Keyboard > Keyboards. That should give you a list of all installed keyboards on your device. If you see something there you don’t recognize, or something that’s just been hanging around unused and forgotten for ages, you can delete it by tapping Edit, which will then give you the option to delete the keyboard.

Too much of a good thing?

In recent years, the EU has introduced a number of data privacy and consumer protection measures regulating online businesses and organizations. The most notable of these is GDPR. Other regulations govern the use of cookies by websites and the refund of online purchases on ecommerce platforms.

Now, in addition to this, European regulators are implementing “Strong Customer Authentication” (SCA). SCA mandates that companies accepting payment online request an additional authentication factor from the buyer—a knowledge, ownership, or inherence factor—before finalizing a transaction. In essence, this is government-enforced two-factor authentication. The stated aim of the regulation is to make payments more secure and reduce online fraud. 

But not everyone is happy with SCA. In an opinion piece on The Next Web, Mark Thompson, the co-founder of an ecommerce startup called PayKickstart, criticized the new regulation as “a step too far”, saying “What’s just one extra step for the consumer—a click to accept cookies, receive marketing emails, or confirm a transaction—that’s another obstacle for the seller to closing a sale or getting the lead. This can significantly impact the business’ conversion rates and revenue.” 

On the one hand, it’s true that we’re always looking for a better, more convenient experience as consumers, both online and offline. But on the other hand, the regulations that the EU is implementing address exactly the kinds of consumer protection issues we’re talking about all the time: data privacy; timely data breach notifications; the ability to use apps without being tracked or profiled; secure and safe online transactions.

There is, it seems, a balance between convenience and security—and where you want to see the line drawn probably depends on your own political leanings. Those who see a role for robust government regulatory bodies generally (for example in areas like finance, banking, and labor) are more likely to be sympathetic to EU-style regulation of online business. Others, who favor a less intrusive approach, may prefer the government to take on more of a watchdog function, where laws are written to punish the worst offenders while allowing the good guys the freedom to work unhindered by excessive rules and regulations.

In the end, emerging technologies like biometric authentication may end up solving some of these issues for us. For example, Apple Pay using Face ID as authentication is about as secure as it gets when it comes to online payments. And when every consumer’s device is up to those security standards, it may no longer be necessary for governments to dictate to businesses how to ensure their customers’ security—because the customers themselves will already have the issue well in hand.

What is your Watch saying about you?

When Apple announced the latest version of Apple Watch, one of the biggest reveals was that the Series 5 was going to offer “Always-On” functionality.

But that also raised a question: What if something pops up on that “always-on” display that you don’t want anyone else to see? 

Apple Watches do much more than tell time, obviously, and the Retina display can show everything from personal appointment reminders to texts and messages to heart rate data—not necessarily things you’d want the whole world to see.

So how can you enjoy your Series 5 Apple Watch as well as your privacy?

First, you could just turn “Always-On”…off. 

To do this, you’d need to press the Digital Crown on your Apple Watch, and then find and tap the Settings app. Once there, you’d need to scroll down to Display & Brightness, and give that a tap. You’ll see the new Apple Watch Series 5 settings right below the Brightness slider. Just tap Always On, and you can toggle the always-on display off.

The second option is a bit less absolute: Just set your Apple Watch to hide sensitive information when your wrist is down. To accomplish this, you need to toggle the Hide Sensitive Complications setting, which is located just beneath the Always On setting described above. According to Apple, this will ensure that things like “calendar events, messages, and heart rate” stay private (unless you lift your hand to look at them). So don’t worry—your date won’t know how nervous you are, and your boss won’t find out about that job interview you’ve booked for your day off!
