iOS 8 Adds Serious Security, Privacy Improvements

Credit: Apple, Inc.


Apple's new mobile operating system, iOS 8, comes with a whole bundle of security and privacy fixes, as well as a revamped privacy policy. The company says it will no longer unlock iPads and iPhones for law-enforcement officials, even those who come with search warrants, and has quietly patched the so-called "backdoors" that forensic examiner Jonathan Zdziarski recently documented in iOS 7.

All these changes are impressing security experts, even those who have been critical of Apple in the past.

"Your iPhone running iOS 8, properly configured in 3 minutes, is most likely more secure than your laptop, and backed up regularly too," tweeted Nick DePetrillo, of New York security company Trail of Bits.

"If I were [Apple CEO] Tim Cook's second-grade teacher, I'd bump his grade up from a D to a B," Zdziarski told Tom's Guide.


The new security features include: a way to quickly "un-trust" all computers to which a device has been connected; the ability to limit the amount of data your apps collect from you; and the ability to change the default Web browser on the iOS Safari browser.

The new privacy policy also assures that Apple will not monitor users' data to create advertising profiles.

"We don't build a profile based on your email content or Web browsing habits to sell to advertisers," Cook wrote in the updated privacy policy. "We don't 'monetize' the information you store on your iPhone or in iCloud. And we don't read your email or your messages to get information to market to you."

Perhaps best of all, these new changes won't significantly impact the iOS user experience. That's largely because iOS 8 enables most of its new security features by default instead of possibly confusing users by asking them to set up security measures on their own, as DePetrillo and colleague Jay Little, also of Trail of Bits, told us.

Users need only manually enable two-step verification for their iCloud accounts. Once they do, logging into iCloud will take a few seconds longer than it used to, but this extra layer of security will help prevent data theft such as the nude selfies stolen from female celebrities earlier this month.

"Apple hasn't sacrificed much in terms of usability, but I am very surprised nonetheless they made the concessions they did," Zdziarski said. "Overall, I think they're wise decisions, and show Apple's serious about security."

However, Apple could still do more to improve its transparency over security issues. "Apple releases their security and privacy policies in a manner which is difficult to compare to previous revisions. Apple should provide a summary of changes whenever they publish updates to these policies," DePetrillo and Little told us.

No search warrants allowed

Since Edward Snowden's NSA leaks began revealing in June 2013 that many tech companies assist government investigations by turning over suspects' data, privacy advocates have kept an eye on the access that Apple, Google and others have to user accounts and data.

In the past, Apple has complied with government investigations by turning over individual users' data. But as of its latest privacy policy, Apple says it will no longer do so. In fact, the way iOS 8 encrypts data should ensure that Apple won't have access to that data at all. 

To achieve this, iOS 8 stores users' encryption keys on individual users' own devices, not on Apple's servers. Nothing changes for customers using the phones, but all customer data that passes through Apple's servers will be encrypted from the moment it leaves the user's device to the moment it returns, and Apple will not be able to read or decrypt it.


Even if Apple is served with a subpoena, search warrant or National Security Letter, it won't be capable of complying (with iOS 8 data at least), since it will have no information to turn over to law enforcement.

Apple certainly isn't the first company to think of placing encryption keys on user devices instead of on its own servers. As Zdziarski pointed out on his blog, law-enforcement agencies still have other means by which to access data on iPhones and iPads.

Other experts have pointed out that, should U.S. law change, Apple's policy may have to change as well.

"How long until they [Apple] are required to change this by law? A new CALEA?" tweeted security expert Cris Thomas, a.k.a. Space Rogue.

CALEA refers to the 1994 Communications Assistance for Law Enforcement Act, which mandates that telephone service providers and networking-equipment manufacturers build in backdoors to permit government wiretapping. For several years, the FBI has been seeking White House and Congressional approval to expand CALEA to cover Internet services such as those provided by Apple, Google, Facebook and the like.

Boarding up backdoors

Prior to iOS 8, Apple's mobile operating systems contained "backdoors" that let a knowledgeable party bypass Apple's security measures in order to access and download users' data.

Zdziarski, who documented the backdoors, said of the discoveries in July: "I am not suggesting some grand conspiracy. There are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer."

Apple responded to Zdziarski, calling the backdoors "diagnostic functions [that] ... provide needed information to enterprise IT departments, developers and Apple."

Nevertheless, a good number of the backdoors have been patched (or perhaps "removed," depending on who you ask) in iOS 8. However, documentation for these changes is not included in the list of iOS 8 security improvements. That's because the backdoors were technically patched not in the final release of iOS 8, but in a beta version of iOS 8 pushed out to Apple developers earlier this month. 


As Zdziarski documented on his blog, Apple did not fix every backdoor and flaw he discovered. Contemporary forensic tools can still be used to copy data from iPhones attached via USB cables to computers. (Previously, they could be accessed over Wi-Fi as well.)

Meanwhile, in Apple's updated privacy policy, Apple CEO Tim Cook wrote, "I want to be absolutely clear that we have never worked with any government agency, from any country, to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will."

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.