Insights For Success

Strategy, Innovation, Leadership and Security

IOS 8

Evernote releases document scanning app for IOS

technologyEdward KiledjianComment

There are dozens of document scanning apps for IOS but you have to stand up and take notice when document management titan Evernote jumps in. I have been testing it for months and it works really well. 

If you have a ScanSnap Evernote edition, you can even control it from the App ( but the app takes scans using your smartphone camera). I tested it with receipts, documents and cards. The app did almost perfect automatic improvements every time. 

Download it from iTunes (link)

IOS 8 means Apple can't unlock your device for law enforcement

technologyEdward KiledjianComment

The slow and consistent Snowden leaks about how everything we do is monitored, recorded and analysed is freaking some people out. And this extra customer push may be what was needed to finally improve on-device security for our most personal devices (aka smartphones).

Apple announced (link) that IOS 8 is a big move for IOS device security because it is now "technologically impossible" to access data stored on a passcode or TouchID locked device. Apple says they can no longer bypass device security. It is important to note that this only applies for on device information (contact, pictures, recordings, etc), anything stored in the cloud is fair game and can be handed over to authorities with a warrant or NSL.

Obviously law enforcement isn't too thrilled about this new hurdle because it (they claim) makes it easier for criminals to perform their nefarious activities and hide.

Why did Apple do this? Because if they can't technically provide the information, then they can  no longer be compelled to do so by a court. It reduces workload for them and improves customer perception. 

Now for the bad news. Renown security analyst Jonathan Zdziarski discussed these new measures on his blog (link) but threw in an important caveat :

What’s left are services that iTunes (and Xcode) talk to in order to exchange information with third party applications, or access your media folder. Apple wants you to be able access your photos and other information from your desktop while the phone is locked – for ease of use. This, unfortunately, also opens up the capability for law enforcement to also use this mechanism to dump:

- Your camera reel, videos, and recordings
- Podcasts, Books, and other iTunes media
- All third party application data

Existing commercial forensics tools can still acquire these artifacts from your device, even running iOS 8. I have tested with my own private forensics tools, as well, and confirmed this. I dumped all of my third party application data (including caches, databases, screenshots, etc), as well as my camera reel and other media… all within a few minutes and from my locked iPhone running iOS 8 GM.

There is one big caveat though, but it’s not a big problem for law enforcement. This technique requires access to a trusted pairing record on a desktop / laptop machine that is paired with your phone, and as of iOS 8 requires physical access to the phone. What does this mean? This means that if your’e arrested, the police will seize both your iPhone and all desktop / laptop machines you own, and use files on the desktop to dump and access all of the above data on your iPhone. This can also be done at an airport, if you are detained.
— Jonathan Zdziaski

I don't want to undersell what Apple has done. Apple has helped make IOS users much safer by fixing many of the security issues present in IOS7. The above note by Jonathan is something to keep in mind. If you want to maintain the highest level of security protection, never connect your iPhone to a PC. 

What to expect from Apple's next desktop and mobile OS

technologyEdward KiledjianComment

At the 2014 World Wide Developer conference, we learned that Apple plan's to release a slew of new integration feature between its desktop operating system (Yosemite) and IOS 8. 

Many of my  "normal" users (less technical) users asked for a simple summary so here goes:

  • AirDrop - This is a file sharing feature that currently works mobile device to mobile device. Apple will open this feature up to its desktop platform making the exchange of files, photos and other digital assets as easy as drag and drop (as long as the devices are nearby on the same network).
  • Continuity - Apple understands that sometimes your phone is just out of reach which causes you to miss important conversations so with Yosemite and IOS 8, you will be able to answer calls from your Mac as well as send and receive SMS' using your phone. The only requirement is that they be on the same WIFI network and be newer model devices with bluetooth 4.0.
  • Handoff - Apple understands that users wants a seamless experience between its various device. Every Apple device you own will be aware of the work you are performing on the others and you will be able to quickly switch devices but continue working on the same file. As an example, you will be able to start creating a document on Apple Pages on your PC, then pick up you iPad and continue to working on it exactly where you left off without worrying about synchronization or copying of files. It will just work. Handoff will work with all Apple default applications (Mail, Safari, Pages, Numbers, Keynote, Maps, Messages, Reminders, Calendar and Contacts) but third party developers will also be able to add this feature to their apps.
  • iMessage - A slew of improvement are coming to iMessage including jutting the alerts on iMessages per conversation, a tap to talk feature and the ability to share your location, simple way to see all the attachment in a conversation (instead of scrolling through an interminably long list), and the ability to auto-expire content so your devices storage doesn't quickly fill up with old attachments (voice, pictures, videos).
  • Instant Hotspot - Many of the above features require a shared WIFI network between your phone and laptop but what happens where you are on the move or in a foreign environment? Your Mac will sense that that you are not connected to a WIFI hotspot and will automatically create a temporary one for your phone without requiring any intervention from you (all automatic).
  • Maildrop - Most email systems have a hard cap of 12-20MB for attachments. Considering that most modern dSLR cameras create 15MB files, that cap is starting to create a real problem for users. Apple's new MailDrop feature will automatically transfer files up to 5GB per message using iCloud. If the recipient is on Apple tech then they will see everything as they do today (except they will be able to send and receive attachment of up to 5GB in email). Non Apple recipients will receive you email which will contain a URL to download the large attachment.

All in all I think Apple is making the right moves. Its environment is becoming increasingly powerful and is being simplified at the same time. Apple is trying to convince users that its products are better when used together (Mac, iPad and iPhone).

IOS from the eyes of a security person

technologyEdward KiledjianComment
Image by  Donald Lee Pardue  under Creative Commons License

Image by Donald Lee Pardue under Creative Commons License

When I read Apple's 33 page IOS Security Paper I was blown away (link). Not because its perfect security but it is as close to perfect as it can get in a generally usable commercial product. This unprecedented look inside the Apple security hive mind answered many of my questions and reaffirmed my belief that Apple makes the most secure general use electronics around.

At WWDC, I had high hopes and Apple exceeded even my wildest expectations. First they clearly know their competition and are actively listening to their customer complains. The biggest, and most surprising revelation, was the new more open stance they are adopting with IOS 8 (translating to 4,000 new application programming interface calls (API)).

Developers will be able to write extensions to Notification center, build third-party keyboards (like Skwype or Swiftkey) and add inter-application data sharing. None of these are industry leading firsts but they are unexpected gifts Apple is bestowing on its adoring public.

But I'm not a regular user

Over the years, I have stayed with Apple smartphones (over Android and Windows Phone) not because I'm a fanboy but because it has always taken security more seriously. It has always allowed for more granular control of my device security settings which is a must with me.

This more open Apple, these new features are wonderful for users but as a security professional, I worry about the new attack vectors they will open up. Apple did say that they purposely waited to add these features (even though customers had been demanding them for some time) because they wanted to find secure ways of implementing them. They chose to start with extreme restrictions then slowly open the spigot as they found safe ways to get the job done.

One problem is the gold rush I expect to see shortly. This is where new and existing developers start writing apps and widgets for these newly opened services without paying attention to proper security controls. Many will want to be first hoping for a huge payday and couldn't care about ensuring their apps are secured. Did Apple implement enough controls to ensure this doesn't lead to new vulnerabilities?

The second problem is that Apple is launching cool new platforms for home automation control (Homekit) and healthcare (healthkit). These new additions will significantly increase the value of the information stored on your device thus motivating "more bad actors" to work harder at breaking into and stealing your information. Apple will become a bigger target and will have to react faster to security vulnerabilities and exploits. 

Additional protection in IOS 8

Apple has created a new programing language called Swift (link). Apple toutes that Swift:

Swift eliminates entire classes of unsafe code. Variables are always initialized before use, arrays and integers are checked for overflow, and memory is managed automatically. Syntax is tuned to make it easy to define your intent — for example, simple three-character keywords define a variable (var) or constant (let).

If Swift works as advertised, then it will definitely make future IOS applications more secure by automatically handling many of the situations that lead to vulnerabilities. Unfortunately developers will still be able to use the older  Objective-C which doesn't provide these better automatic control which could lead to vulnerabilities.

The major SSL Vulnerability IOS devices experienced due to a programming bug (the Go to fail bug.) This issue is fresh in many researchers minds and here's hoping Apple does what it has to do to keep protecting its users.

Verdict

Ultimately I believe Apple's IOS platform is still the most secure mobile operating system available today and I hope Apple continues investing to keep it that way. These new features are clearly a response by Apple to Android's growing popularity and they have to be careful not to fall into the quick response hastily planned vulnerable new feature trap.

I am eagerly waiting for an updated security whitepaper