In iOS 11, Apple offersa better way to know what apps are users, which will hopefully lead to apps that are better behaved. This is seemingly an outcome from Uber (and potentially other apps) gathering information from users when the app isn’t in use (although in Uber's case, they may not have crossed a line).
Apple’s guidelines for background location services allow for updates of specific needs, such as with navigation or fitness apps. But there’s no realistic way for Apple to know precisely how apps are tracking data, so the company has to rely on outside reports. A couple of academic efforts to let users track in-app information flow revealed that location (and other private data) may be sent without appropriate disclosure. While Apple provides a small visual cue in the status bar, users have to be paying attention to spot it and might not know what the tiny arrow that appears and disappears means.
The new sophistication and user-interface elements in iOS 11 should make this all a lot clearer. Apple is offering a carrot and stick and cudgel to move the ecosystem further along.
Read more »
In macOS High Sierra, third parties will have a more difficult time sharing any tracking information via Safari. It’s all part of Apple’s approach to privacy, and it's not just lip service. While such policies certainly helps the company from a marketing standpoint, they're also routinely turned into product features.
The new feature seems to have the potential to make it harder for unrelated sites to follow you around the internet. But some experts believe that, while a noble technology to deploy, the action has already shifted to a different front that Apple can’t help with directly.
You’re the product
Read more »
Of all the problems iMessage has, Apple says it plans to solve a persistent one: having access to all your conversations on every device, instead of messages and data lying scattered across all the Macs, iPhones, and iPads you use. But is this the right problem to solve?
Apple’s Craig Federighi explained at the 2017 Worldwide Developers Conference that iMessage will be stored in iCloud with “end-to-end encryption,” but provided no other details. Later, he mentioned that Siri training will sync across iCloud instead of being siloed on each of your Apple devices, and that training and marking faces in Photos’ People album will do the same—and with end-to-end encryption.
Despite that encryption promise, this concerns me. It’s better to have the least amount of personal and private information pass through other systems, instead of directly between two devices. It’s especially good to have the least amount of private data stored elsewhere, except if the encryption for that data is firmly under your control or fully independently vetted.
Read more »
Summer is here, and that means vacation travel is up. At U.S. borders, customs officers may ask for your passwords to unlock your devices, or provide access to online accounts, especially social media.
According to many experts, you can refuse, but your devices could be seized and retained for an extended period of time and/or the data copied (even if it’s encrypted and effectively unretrievable). If you’re not a permanent resident of the U.S., you might be denied entry.
If you're worried that you might have to hand over a device with valuable information, then consider this: the less data on hand, the less risk of exposure you have. With this in mind, you could choose to agree to allow device inspection, because there would be nothing of importance to disclose.
Read more »
HTTP over Transport Layer Security, also know as https, can go a long way to improving the security and privacy on a website. When you see a site's URL with
https://, that site exercises good care on its internal security to protect user data and against break-ins
Here are several approaches you can take to improve web security in the way you browse, share links, and configure your own sites, using https.
Install HTTPS Everywhere in Firefox and Chrome. HTTPS Everywhere from the Electronic Frontier Foundation (in conjunction with the Tor Project) automatically redirects from an insecure to a secure site wherever possible. The browser plug-in is available for Chrome, Firefox, and Opera, and Firefox for Android. Safari (and Internet Explorer) aren’t supported because of design choices in the extension architecture in those browsers.
Read more »
I’m glad to see a positive security trend: more companies have software available for hosted backups and cloud-based storage access that incorporates user-owned encryption. With these products and services, you are the only person or entity that controls the encryption key or passphrase that unlocks the key. The company that makes the software or runs the service not only never sees it, they have no way to access it.
Apple engages in this only with iCloud Keychain and iMessage. While Apple doesn’t know your Apple ID password, you do have to enter it for the company to transform it into a cryptographically securely formed version that it can compare against what it has stored for you.
But with iCloud Keychain, it doesn’t have enough information to extract information from the middle, because it uses a process that creates encryption keys on the endpoints on your devices. The data sent through Apple’s services is locked away from its eyes. I wrote about how AgileBits and LastPass used a similar approach for their synced services. (Apple’s system could be changed in such a way that it would be able to sniff that data, which is one of the weaknesses of its current model that needs to be and could be changed.)
Read more »
When is an “a” not necessary the “a” you think it is? When a browser shows it as part of the URL in the location or smart-search field. Due to the late entry of non-Roman characters to domain names, a backwards-compatible method of representing them aids phishing.
Unicode allows the representation of nearly all the glyphs—characters, symbols, ideograms, script element, and more—that form the basis of language and other written subjects, like math and games, in use around the world. While the Unicode Consortium started its work decades ago, but it’s only in the last few years that it’s finally permeated operating systems, browsers, and apps to the point where you can almost rely on it working almost everywhere.
But the Domain Name System (DNS) that operating systems use to turn human-readable location and resource names into the numeric and other data needed to make a connection dates back even before Unicode. And because of its ubiquity, making any change could break compatibility for hundreds of millions of people and devices—maybe more. This is why some sensible improvements, like having a cryptographic component to a domain name that prevented its being spoofed by a party that didn’t own the domain, has still not been rolled out.
Read more »