from Hacker News

Apple Platform Security February 2021

by Ducki on 2/18/21, 8:10 PM with 44 comments

  • by naturalpb on 2/18/21, 9:15 PM

    Still waiting for Apple to provide end-to-end encryption on iCloud Backup for devices. Their documentation on this has always seemed intentionally vague.

    https://support.apple.com/en-us/HT202303

    End-to-end encrypted data -> - Apple Card transactions (requires iOS 12.4 or later) - Home data - Health data (requires iOS 12 or later) - iCloud Keychain (includes all of your saved accounts and passwords) - Maps Favorites, Collections and search history (requires iOS 13 or later) - Memoji (requires iOS 12.1 or later) - Payment information - QuickType Keyboard learned vocabulary (requires iOS 11 or later) - Safari History and iCloud Tabs (requires iOS 13 or later) - Screen Time - Siri information - Wi-Fi passwords - W1 and H1 Bluetooth keys (requires iOS 13 or later)

  • by saagarjha on 2/18/21, 9:04 PM

    Lots of interesting stuff this time. Short list that I’ll update as I go:

    Some sort of “checked C” in iBoot: https://support.apple.com/guide/security/memory-safe-iboot-i...

    Data is encrypted with your security policy, so if that changes (e.g. you disable SIP) it doesn’t expose it: https://support.apple.com/guide/security/sealed-key-protecti...

    Details on what the SRD is and how it works: https://support.apple.com/guide/security/apple-security-rese...

  • by Ennis on 2/18/21, 9:43 PM

    "For certain sensitive information, Apple uses end-to-end encryption" - there's a lot of important user generated data from Apple apps that is not end-to-end encrypted.

    Frankly, I'd like to see them go even further and put in place a policy that all user-created-and-consumable content can only leave the device in end-to-end encrypted format and have those keys managed by my AppleID so not even Apple can decrypt.

    They can introduce it at an API level without having to dictate storage providers. If a web-version of an app needs show my photos they can let the end-user browser decrypt it. This works for private data, 1:1 and 1:Many shared data.

    I should have a choice with who hosts my encrypted data, who manages my keys/identity and who provides a service that uses that data. Let's get back to providing value through services and away from leaching value through hoarding data and controlling protocols.

    Yes - this will force companies to change their business models if they rely on access to my data. Will it make for better software - Yes hands down. More companies can compete and we'll start to see more creative solutions.

  • by judge2020 on 2/18/21, 8:50 PM

    I don't see anything about the "Unlock your iPhone with your Watch" feature that 14.5 is going to have[0] - i'd be interested in reading the in-depth security considerations they had. It's also currently a mystery if this feature does a partial Face ID scan in addition to requiring an unlocked Watch.

    0: https://www.macrumors.com/2021/02/01/iphone-apple-watch-unlo...

  • by easton on 2/18/21, 9:16 PM

    It's nice to see that the Apple Security Research Device (i.e. the iPhone with root access) hasn't been forgotten about[0]. They even describe the additional security protections they had to do to ensure an attacker didn't give this device to someone that thought it was a regular iPhone (for example, the phone won't cold boot without being plugged into a charger, and if you plug it in, it shows the words "Security Research Device" before booting XNU in verbose mode)

    0: https://support.apple.com/guide/security/apple-security-rese...

  • by Ducki on 2/18/21, 8:22 PM

  • by someonehere on 2/19/21, 12:50 AM

    I’m bummed as an admin that the new M1s remove a function as an admin I always loved with remote management.

    From what a sales/dev person for a Saas MDM app for macOs told me, the M1s do not have a lock device feature. You can only wipe the device.

    If an employee was terminated, we could remote send a lock command with a numeric code. The only way to remove the lock is to get the code from us or have Apple reset it in person. The in person visit you have to prove you’re the owner or have authorization from the company to have Apple unlock it.

    My only option now is to wipe it. So now I have to find a cloud backup provider to back these devices up in case I need an important file from an employee who decides to go rogue.

  • by johnwayne666 on 2/18/21, 9:24 PM

    I’d like to know how I’m still logged in in Twitch even after deleting and installing the app. Or how Spotify offered me to link it to an Alexia device I was setting up after I installed the Alexa app.

  • by coldcode on 2/18/21, 9:21 PM

    Currently I have no non-apple kext running, not sure this is a big problem any more other than old legacy hardware or mostly esoteric usage.

  • by qrbLPHiKpiux on 2/18/21, 9:45 PM

    Is there a separate Law enforcement guide?

  • by tumult on 2/18/21, 9:05 PM

    Any news about the T2 chip ending up being a way to silently implant malware in all Intel-based Macs that have it? Refunds? Replacements? Anything? Bueller? https://arstechnica.com/information-technology/2020/10/apple...

    I don't really know why anyone would take Apple's hardware security claims at face value after this.

    edit: more links, though they're all pretty similar.

    https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jai...

    https://appleinsider.com/articles/20/10/05/apples-mac-t2-chi...

    https://www.zdnet.com/article/hackers-claim-they-can-now-jai...

    https://www.theregister.com/2020/10/08/apple_t2_security_chi...

    edit 2:

    If this is wrong, I'd like to know the truth! Really! Was it a hoax? Is there a patch? What happened?