Buckle up, because we’re poised for another battle on digital security. The FBI has reputedly asked for Apple’s help unlocking phones belonging of the alleged shooter from the Pensacola air base incident last year. Apple, for its part, claims it has already turned over to law enforcement all the information it has access to.
If you feel like we’ve been here before, it’s because we have. Back in 2016, the FBI wanted Apple to unlock a phone belonging to the San Bernardino shooter; Apple declined to help, as doing so would have potentially compromised the security of all of its devices. Eventually, the bureau sought help from an Israeli-based cyber security firm who was able to hack into phone in question.
Leaving aside the dangers inherent in the creation of backdoors into the technology we all rely upon, I think this is as good a time as any for Apple to double down on its (already pretty solid) security focus. Because when it comes to digital information and our devices, what we need is not less security, but more.
It’s MIME time
Apple has long touted the end-to-end encryption of its iMessage and FaceTime systems, but when it comes to email, the company hasn’t made any commensurate moves.
Apple’s iCloud security overview states that though traffic between your Apple devices and the iCloud Mail system is encrypted, the data stored on the mail server is not encrypted, which the company describes as “consistent with standard industry practice.” And, of course, when your email message goes out to a recipient, the security is only as strong as the weakest link in the chain.
With social media, Slack, and other messaging apps, we might feel like we’re over email, but the fact remains that so much of our online lives still rely on it. Beyond just communicating with people, tools like password resets, user accounts, and other means of proving one’s identity continue to depend on the infrastructure of email.
As it happens, Apple does support an email encryption standard called S/MIME on iOS and macOS, but it’s not enabled by default—and setting it up requires some fairly technical know-how involving certificate generation and installing profiles that’s frankly beyond the capabilities or interests of most average users.
It seems, though, that if Apple really wanted to push for more secure email, it certainly has the clout to do so—at least between users of its mail service and perhaps even, with some cooperation, between big mail providers like Google and Microsoft too. The basics of the tools are already there; they just need to be implemented.
Two factor awakens
For those intent upon securing their data, two-factor authentication has become a must-have. Apple’s done a pretty solid job of both implementing TFA for its own systems and of making it easier to use the system in its most common form, via SMS text message, by providing an autofill feature.
However, it’s become increasingly apparent that SMS isn’t the most secure of vectors for authentication, thanks to the relative ease of spoofing phone numbers. Instead, users are better off taking advantage of authentication apps that can generate such codes locally on a device, such as Authy, Google Authenticator, or 1Password. The downside with this method is that it’s definitely less convenient than SMS, especially with the autofill feature.
So perhaps it’s time for Apple to expand its own TFA system to third parties, perhaps even a system where authenticator apps can hand off a code when prompted, à la the SMS autofill. This feature already exists to some extent: Authy, for example, can, in some cases, bring up a TFA code when requested. (I’ve only seen it for my Twitch account, which apparently uses Authy’s own API.) Apple seems well positioned to improve the TFA experience for its users, thus hitting that rare exacta of improved security and convenience.
Stick to its guns
But security’s not just about technology: it’s also about policy. It’s great that Apple has made security and privacy a priority, but going forward, it needs to reinforce that not only by sticking to its guns—such as making sure that governments can’t force it to unlock devices—but also by espousing such practices the world over.
And that’s going to be a challenge for the company, because one of its biggest markets—and the home of the majority of its manufacturing—is China. Apple’s already found itself in hot water by removing apps at the behest of the Chinese government; moreover, its iCloud service on the Chinese mainland is run by an in-country compnay, rather than by Apple itself, an attempt to thread the needle that looks more like trying to wash its hands of dealing with the situation.
Make no mistake: Apple’s put a lot of its eggs in the basket that is China, and that makes it particularly vulnerable to demands from that country’s government. While it’s not financially practical for Apple to take a principled stand—even if it wants to—the company had best be looking at ways to untangle itself from China over the long term if it wants to continue making privacy and security one of its competitive advantages. Otherwise it starts to look like the company can talk the talk, but not walk the walk.