How Apple’s Stance on Privacy May Impact Device Security in the Near Future

How Apple’s Stance on Privacy May Impact Device Security in the Near Future

In recent months, Apple has taken steps to improve user security and privacy. In February 2020, Apple announced that they had joined the FIDO (Fast Identity Online) Alliance. The Alliance’s goal is to help augment less secure forms of identity verification (such as passwords) by pairing them with more secure forms of authentication such as security keys and biometrics. Though this is noteworthy, Apple is also one of the last large tech companies to join the Alliance, whose ranks already included Amazon, Google, Facebook, and Microsoft.

The release of iOS 14 last September brought with it improved security features, and though users have been overwhelmingly supportive of these changes, advertisers such as Google and Facebook are much less enthusiastic.

What is the FIDO Alliance?

FIDO Alliance was founded in 2012 by a group of tech companies, including PayPal and Lenovo, with a mission to create authentication standards that reduce society’s reliance on passwords by promoting the widespread adoption of multi-factor authentication U2F tokens and biometrics

The Alliance aims to replace password-only logins with more secure login experiences for both websites and apps by promoting other forms of authentication, including security keys and biometrics (such as voice authentication, fingerprint scanners, and facial recognition). 

Apple added the ability to use FIDO-compliant security keys during its 13.3 iOS update.

What New Features Does iOS 14 Bring With It & How Do They Aim to Improve Security?

iOS 14’s new security features include:

Camera & Microphone Use Alerts

Though all apps on iOS already had to explicitly ask for permission to use the camera and microphone, starting with iOS 14, you will now be alerted whenever an app is accessing your camera or microphone. This is done using a dot in the upper right-hand corner: A green dot means your camera is currently in use, and an orange dot means the app is using your microphone.

The goal of this feature is to ensure you are never recorded without your knowledge.

Limit Photo & Location Access

This update offers a more granular configuration for your photo and location settings. This allows you to specify whether an app can never access location data, always access location date, or only access this data when the app is open or when you have granted explicit permission. 

The new Precise Location toggle switch also allows you to grant an app permission to know your general location while keeping your exact GPS coordinates private.

This update also allows users to specify whether apps can access all, none, or a few select photos.

Flagging Bad Passwords

Though Apple has had the ability to sync your login credentials across various accounts on your Apple hardware via iCloud for a while now, they have now implemented a password monitoring system that will alert you if your credentials are spotted during a data breach. This helps ensure potentially compromised credentials can be changed as soon as possible.

Discouraging Wi-Fi Tracking

Whenever a device connects to the internet, it is assigned a MAC (media access control) address, which allows your local network to keep track of the device. In recent years, internet service providers and, by extension, advertisers have been using this data to determine the time and place of your device when you log in. 

To discourage this form of tracking, iPhones are now granted a new MAC address for each unique wireless network they connect to. This means your iPhone or other Apple device will have one MAC address for your home network, one for your work network, etc. 

This feature is enabled by default on every new network you connect to.

Keeping an Eye on Your Clipboard

Data grabbing apps have proliferated in recent years, snooping on your clipboard even if you haven’t given them permission to do so. iOS 14 means that you are alerted when an app accesses your clipboard: if you just copied or pasted something, that is fine, but if you haven’t, you now know the app you are using is likely gathering data without your permission for their own purposes.

Most app companies quickly re-configured their products to eliminate this form of unauthorized data collection once Apple implemented this feature during beta testing and made this behavior public, but this feature helps ensure that underhanded app companies are no longer tempted to snoop where they aren’t explicitly welcome. 

Privacy Reports from Safari

Though Apple has blocked cross-site tracking cookies in Safari for quite some time (a feature that makes it more difficult for advertisers to string together your browsing history across various websites), this feature has been improved in iOS 14 by adding the privacy report feature

This feature gives you more details regarding what effect this blocking has on your browsing by showing you how many individual trackers on each page have been blocked over the past month. The reports don’t have an interactive component but do provide helpful information.

Coming Soon – Limiting App Tracking 

Though pushback from advertisers means this feature won’t be fully implemented until sometime in 2022, there are still steps users can take now to curtail apps’ ability to track you outside of the actual app itself.

However, even if you don’t explicitly give an app permission to track you, they may still try to do so per their individual privacy policies, curtailing users’ ability to opt-out of advertising tracking until this new feature is fully implemented. 

Coming Soon – Improved Access to App Privacy Information 

Though this feature is also not yet live, Apple did announce that one iOS 14 feature that is also coming soon is app privacy cards. These cards are designed to give users a clear picture of the types of data each app collects and how that data is used.

What Does This Mean For Advertisers?

It’s become common wisdom that if a product or service is “free,” then the users (or, more specifically, the data they generate) is the real product. Apple’s approach to improved privacy and security, even with significant compromises on limiting app tracking, has the potential to severely impact the ad targeting business. While this is good news for users, advertisers are not as excited.

Facebook, in particular, has already pushed back hard, announcing that its Audience Network will no longer use IDFA (identifier for advertisers) gathered from iOS devices because they can no longer guarantee the quality of that data collected. Google has also announced that they will remove select forms of advertiser tracking technology from popular apps (including Maps and YouTube) in response to Apple’s decision. 

“When Apple’s policy goes into effect, we will no longer use information (such as IDFA) that falls under ATT [the App Tracking Transparency feature] for the handful of our iOS apps that currently use it for advertising purposes. As such, we will not show the ATT prompt on those apps, in line with Apple’s guidance.“ Google Ads’ group project manager Cristophe Combette stated in the blog post responding to Apple’s changes.

Though GDPR and CCPA opened the door for more transparency into what information is gathered and used to track users, this change from Apple could represent a turning point when it comes to data security and privacy. Having agency over what data is collected (and how) is critical for any good cybersecurity posture by helping you maintain full visibility into your infrastructure by better monitoring endpoint activity. For more information about cybersecurity, or find out how your team can better safeguard your digital assets, please contact our team today.

The Ugly Reality of Randsomeware

The Ugly Reality of Randsomeware

This malicious software will kidnap your data, hold a gun to its head and say: your move. Some attacks go even further and plant incriminating evidence on your computer to prevent the authorities getting involved.
Ransomware exists in numerous forms and its methods are constantly evolving. Attackers employ this software to obtain leverage over you in the hope that you will pay to avoid the consequences. The new generation of cryptocurrencies, like Bitcoin, have enabled attackers to receive payments anonymously to continue wreaking havoc on personal and business computers across the world.
Untraceable Cryptoviruses
The FBI estimates that $21 million worth of revenue has been generated by the two leading Trojan viruses, CryptoLocker and CryptoWall. Many cyberattacks claim that your data will be lost unless you pay a ransom but this software actually follows through. These cryptoviruses encrypt multiple files on your computer – including videos, photos, and documents – and generate a strong encryption key that locks your data away.
The majority of these keys cannot be cracked, not even by the fastest supercomputers in the world – so your data is truly lost. Text files on the infected computer inform the user that their key will be destroyed after a short period of time. That is, unless you pay the ransom to retrieve the encryption key from the attacker’s server. The ransom is typically $400 and is paid via untraceable Bitcoin. Sometimes the data is returned after payment but the attackers are obviously under no obligation to return anything.
Leakware Threatens Company Reputations
An offshoot of ransomware, dubbed “leakware” has been targeting large businesses to obtain protected data. Leakware threatens to leak everything unless a ransom is paid. The healthcare and finance industries have been particularly targeted by these sort of attacks, since patient health records (which contain information like social security numbers, addresses, and medical records) are very high value and easily exploitable. A company’s financial records, along with all the employee information stored in the HR database, is another common target.
It gets worse. To further coerce the organization or individual to pay the ransom, illegal material, such as banned pornography or pirated content, is often planted on the computer. This deters users and businesses from reporting the incident to the police for fear of additional legal consequences or tarnishing their reputation.
Ransom Denial of Service Attacks
This last branch of ransomware will take down your websites instead of going after your data. For unprepared businesses, DDoS (Distributed Denial of Service) attacks can be even harder to protect against. DDoS attacks target your servers by overloading them with traffic. This traffic comes from botnets, which are large groups of infected computers across the globe. On such a large scale, it’s hard to distinguish which traffic is legitimate and which is not. This means traditional techniques like blocking single IP addresses don’t work.
While your websites are down and you’re scrambling to get them back up, the attackers will demand a ransom for them to stop. Businesses which rely on selling products or services through their website could potentially lose multiple days’ worth of revenue. Customer trust is also degraded when the uptime of your resources are affected.
Protecting Your Business From Ransomware Attacks
So what can you do to mitigate and prevent ransomware from affecting you? It all starts with your employees. Ransomware combines social engineering with malicious technology. The first step you can take is to educate your users to not open unknown files or attachments. In addition to this, they should not pay the ransom. It’s been reported that around half of the time, even after the victim pays the ransom, they don’t get the key to unlock their data. Bitcoin transfers are irreversible and attackers have no motivation to keep good faith.
It’s also critical to stress that every business has daily backups and a disaster recovery plan so that in the wake of an attack, they are able to restore their mission critical files. There are also NGES (next gen endpoint security) tools available to prevent the execution of ransomware in the first place. NGES solutions work by only allowing known good files and applications to run.
Furthermore, there are attacker deception technologies where traps or lures can be set up throughout your IT environment. These traps act as tripwires for the bad guys. Ideally, you insert so many traps that they outnumber your real assets, thereby making it more likely that ransomware will attempt to run on a fake/lure machine, which will alert your information security group to an attack.
Lastly, to mitigate against RDOS attacks, an organization would ideally have a two-prong strategy to deal with DDoS, a combination of an on-premise and a hosted data scrubbing solution. When an attacker realizes that an enterprise has DDoS mitigation in place, they will usually try their hand elsewhere.
It is important to realize that there is no magic bullet when it comes to information security – the best defense is the security-in-layers approach. To achieve a great security posture, an organization must take a security-focused mindset from the get-go and place as many deterrents as possible in all areas of their infrastructure.