SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 190: WWDC20, iOS, and Safari with Brett Terpstra

Posted on July 9, 2020

This week, we dive a bit deeper into some WWDC20 announcements with developer Brett Terpstra. Topics include:

We’ve already discussed the biggest macOS security and privacy news to come out of WWDC20, so this week we’re turning our attention to iOS. Joining us is Brett Terpstra, author, coder, and indie developer. Over the years, Brett has written for a number of prominent tech sites, including Engadget, TUAW, and Joystiq, among others. We asked him for his take on the changes announced by Apple over the past couple of weeks, starting with what stood out to him most of all:

BT: What really grabbed me was the focus on transparency that they’re kind of forcing onto third-party applications (things like the recording light indicator, tracking agreements that you’ll have to opt-in to, clipboard access notifications, stuff like that. It’s always felt like Apple does a pretty good job with privacy, but despite having a “walled garden” they didn’t take an iron fist with some of the developers — and I feel like they’re making strides in that area with this.

Apple has put a particular focus on making tracking behavior (both for apps and websites) more transparent, with new notifications and privacy information appearing in iOS 14, Safari 14, and even the App Store. However, some people have started to wonder if the sheer quantity of these notifications will actually undermine security and privacy, because users will just blindly accept whatever an app or website asks for (sort of like those Terms & Conditions notices that no one actually reads). Terpstra understands the concern, but feels that Apple’s implementation may prevent this from happening:

BT: I do think too many notifications just become “noise” after a while — anything repeated often enough becomes noise, especially if you just want to get past it to use the apps. But I think the corollary here (more than with Terms & Conditions) would be the Mac’s “Do you want to send feedback to the developer” pop-up that comes up the first time you use an app. It asks for permission to send crash reports and usage data to the developer, and I think these come up infrequently enough (because it’s just the first time you use an app, not every time) that people who are at all concerned or who don’t know what it means would instinctively hit “No”. You really have to know that you’re helping somebody out and you’re doing a good thing to want to hit “Yes”. And that seems safer to me.

The new iOS 14 notifications have already demonstrated their usefulness, with beta testers noticing an excessive amount of clipboard access alerts when they were using certain apps. It turned out that the popular video-sharing app TikTok was constantly accessing the iOS system clipboard in the background — a behavior which the app developers say was part of an anti-spam feature (which they have nevertheless promised to remove in future versions of their app). Over 50 other apps were also found to be checking clipboard data frequently, with some app developers claiming that this was happening accidentally. We asked Terpstra, as a developer, to weigh in on the issue — and to let us know if it was possible to block apps from accessing the clipboard:

BT: I have no idea how you would “accidentally” check the pasteboard. That’s a very intentional move. 

Some apps like Deliveries, which checks for a tracking URL in your clipboard, or like Pixelmator, which checks for image data in your clipboard, are completely legitimate. When I open up Deliveries, I want it to automatically notice that I just copied a UPS tracking URL and automatically add that package. I appreciate that convenience, and when that notification pops up, it’s like “Yeah, of course!” So there are legitimate reasons to access the clipboard, and in the case of, for example, “checking for spammy behavior”, if you were watching to see if someone was just copy-pasting a status repeatedly, I could see that being considered a legitimate use (but again, I can’t imagine how one would accidentally check the clipboard).

I haven’t delved into all of the available settings, but I don’t think there’s a way to block access to the clipboard wholesale — and I find it even less likely that there’s a granular way to deny a single app access. I think the option is to just stop using the app. This feels like something that Apple is eventually going to require developers to declare, in the same way they do for tracking now: to openly say “this app uses clipboard access for this purpose”. 

Terpstra also raised the point that sharing clipboard data between apps could allow for the creation of useful features and functionalities, but that there might be limits to how much of this Apple would be willing to allow — a reluctance that stems from an important distinction between macOS and iOS: 

BT: I have a ton of apps on my Mac that are always watching my clipboard for me (copying different things, causing different things to happen), and it’s a beautiful way to handle automation. Especially on an iPad Pro, it would be cool to have a clipboard that you could see a history in, and select from, but this would require constant clipboard watching across all apps — and I don’t think that’s ever going to happen. 

There’s this difference between Mac and iOS in that iOS is very much (obviously) a mobile platform, so the idea of having something watching your clipboard insinuates that the data is not staying on your device; that it’s going to some kind of cloud server, or to something that interprets it. Whereas on my Mac, I’m not worried at all — I don’t automatically assume that something watching my clipboard is going to be sharing my data.

Apple also announced a major overhaul to Safari at WWDC20, including a new feature that would allow developers to integrate FaceID and TouchID authentication into their websites. According to Apple’s documentation, the new Web Authentication API will allow users to turn on FaceID or TouchID authentication once they have completed a traditional login. Web developers will be able to display a pop-up inviting users to switch to biometric authentication as the default login method on their next visit to the site. 

We asked Terpstra for his take on the new API from a developer’s perspective — and in particular, to give us a sense of just how hard or easy it would be for web devs to enable the new feature. We also asked him to hazard a guess as to how willing web developers will be to implement a feature that can only be used by a fraction of their site visitors (namely, users of Safari on iOS or iPadOS):

BT: If you already have an authentication system, and you’re already storing credentials securely, adding this to your site takes maybe 20 lines of code. That’s a rough guess, but the API is pretty fleshed out and all of the UI stuff is automatically handled by Safari, so all you have to handle is detecting that the user has a device capable of biometric logins. There’s a single call you can make from the API that will tell your website that the user is on a device that has TouchID or FaceID, and so you do the “old-school” login and after that offer them the option to add biometric logins. Once you’ve stored that as a server-side cookie, the next time they come to the site you can just automatically default to TouchID or FaceID if it’s available (obviously you can offer a regular login if they’re on their Mac and not on their phone). 

I like this idea a lot. Using FaceID to log into a site means that two-factor authentication isn’t necessary; it’s part and parcel of the authentication system. You know, the PayPal app — I cannot get it to remember my device. Every time I log in, I can log in with FaceID, but then it still wants to use two-factor, and so I have to wait for a text message to come, and it drives me nuts! So this kind of thing, if it were properly implemented, especially through a web portal, could be really nice.

In terms of willingness to implement, if it’s easy enough — and I do think it’s easy enough — it would be to a website’s benefit to add it, even if it’s only for Safari users. 

Apple continues to make changes aimed at enhancing user privacy, and there were some fairly important privacy announcements at this year’s WWDC20. While we’ve generally been pleased with the direction Apple is moving, we asked Terpstra if he felt that there were still some areas for improvement that the company had failed to address:

BT: I like privacy. I advocate for it. But I’m not as smart about it as I should be — and it seems like every time Apple adds new security features, I realize after the fact that I should have been concerned about that earlier! So I’m not the guy to be second-guessing Apple’s next move: There are way smarter people than me working on that. 

One thing, though, is that I still don’t know where we stand with Siri recordings. There was a whistleblower complaint about a year ago now; and it was a guy who had been listening to hundreds of hours of random, intimate snippets from people’s lives [as part of a development program aimed at improving Siri’s performance], and basically he felt like it was a huge invasion of privacy. 

Apple came out and said “OK we’re privacy focused, we’re going to do better”; and so they made it possible to delete all that data, and you had to opt into sharing those recordings — but it kind of went silent after that, and it’s the one thing that kind of freaks me out. Like, I know that Amazon is listening anywhere that I have an Echo, but do I have to worry about Siri? 

They did clarify that there was no identifying data attached to it (and this wasn’t a change, it had always been that way). And to run an intelligent assistant that’s accurate and can handle all kinds of inflections and accents, well, yeah, you’re going to need humans to listen to some stuff and give it that third-factor interpretation. 

So I’m not opposed to it, and I do feel safe with what Apple said, but then I’m just suspicious … and it’s a nagging paranoia because while I feel secure in everything that I intentionally do on my Mac, and I know my Mac isn’t watching and listening to me all the time, I don’t know that about my watch and my phone, and it makes me paranoid!

The Checklist would like to thank Brett Terpstra for his time and his insights. If you’d like to learn more about his work, you can visit his website or follow him on Twitter

That takes us to the end of this week’s Checklist. Do you have questions about upcoming changes to macOS or iOS — or just questions about security and privacy generally? Drop us a line! We’d be happy to answer you by email, or on a future edition of the podcast. 

Join our mailing list for the latest security news and deals