Editors note: this is a guest post from Guillaume Ross.
With iOS 10 coming up this fall, and WWDC announcements about it right around the corner, the web is now assaulted by tons of wishlist, requests and predictions articles.
As I like to be a part of every problem, I figured why not throw in some of my iOS 10 wishlist items, but only those that relate to security.
These items are all user-facing security and privacy features. For low-level encryption features, privacy protection from forensic investigation tools, I recommend reading Jonathan Zdziarski's blog, where he goes in detail about such features often.
Encrypted iCloud Backups
OK, I lied. I will mention one request that I have that would be better explained by Jonathan Zdziarski: iCloud backups are not currently encrypted with a password, and are therefore retrievable by Apple.
This can be used to defeat iMessage encryption, if, for example, you or the person you communicated with backs up one of their iMessage enabled devices to iCloud.
iTunes backups can currently be encrypted with a password configured by the user. Such an option would allow for backups that do not fundamentally reduce the security of applications that use secure protocols but store data in backups.
The ability to granularly select applications to backup to iCloud would also be a great security and space management feature, though it could introduce some complexity Apple wishes to avoid, in which case the ability to specifically exclude iMessage would already be a great improvement.
And if iCloud Drive got client-side encryption, I would definitely kiss Dropbox goodbye for most uses.
Read And Write Photo Permissions
The current iOS permission management system consists of mostly toggles, allowing the user to decide if an application can use a type of data or not.
While this is great to decide what application can use your calendar, photos, camera, microphone and more, a more granular approach is required.
Specifically, photos, which are highly sensitive for many people, are often used in a variety of apps, from photo manipulation apps to social network clients.
There should be a write permission for photos, allowing me to save a single photo received in Skype to my iCloud Photos without granting Skype read access to my photos.
The photo picker should be sandboxed, allowing me to grant an application like Tweetbot only access to the photo I just selected.
Without those features, I believe it's only a matter of time until we hear of some shady application uploading all photos without the user's consent, or with less than explicit consent hidden away in a EULA…
An interesting data store that is currently available to third party apps without specific permissions is the clipboard. While it is a convention that is an obvious legacy of the PC and Mac era, it has no place in the world of mobile devices with sandboxed applications.
With password managers becoming more and more popular, as well as with other types of data frequently being contained in the clipboard, from private URLs to snippets of text, applications should have to request access to read the clipboard unless the interaction is triggered by the user, such as by using the system's commands to paste. Restricting an app from reading the clipboard automatically would be a huge privacy gain given how current password managers work.
Again, this is a feature that is necessary to prevent shady applications from attempting to exfiltrate text snippets, including passwords.
Granular Location Access
iOS currently allows some granularity in how permissions are granted to applications, but only to allow an application to obtain location access while in the background, in the foreground, or never. An additional level of granularity, related to the precision of this information, would allow users to let some applications benefit from location information without revealing too much.
Example: I may want my airline's application to know what city I am in, and my news application to know what country I am in, but I certainly do not want them to know exactly where I am at all times.
Easier Way To Prevent USB Pairing
This feature is both a convenience and security feature. I personally never want to pair any computer but the one Mac where I would connect my phone to back it up.
Why would I want to see a dialog every time I connect it to some other computer via USB?
Preventing all pairing should be an easy thing to do, from the Settings app on the phone.
In the meantime, you can do it with Apple Configurator, if your device is supervised. This is a great security feature, but is way out of bounds of what a regular consumer should be expected to do, and considering a lot of people charge phones using whatever USB port is available, this is important.
Better Public Wi-Fi, VPN And SSL/TLS Handling
Why would I ever want Mail.app to ask me if I want to accept an untrusted certificate, all of a sudden, for my IMAPS email, simply because I'm on hotel Wi-Fi?
Again, this is a feature that can be configured via Apple Configurator, to prevent the acceptability of untrusted certificates, which has a slightly wider impact. But when connecting to a brand new Wi-Fi, wouldn't it make sense to at least temporarily reject encrypted communications that require a brand new, untrusted certificate?
With this feature, you would never accidentally click OK and then rush to reset passwords.
That being said, I am seriously considering starting a Kickstarter to donate money to every terrible Wi-Fi operator in the world so I never have to disable my on-demand VPN while going through their captive portals.
Wouldn't it also be nice to be able to clean previously accepted Wi-Fi networks, or maybe to join them only for a day? Wiping network settings is quite invasive, and is currently the best way to ensure your phone won't rejoin networks with SSIDs it has previously associated with. More granular control over what networks are saved, which should be deleted, and which should be temporary would be welcomed.
A very simple feature that I would find quite useful: the ability to set Airdrop to Everyone but for a limited amount of time. The UI in Control Center should actually only offer this as an option for Everyone, preventing you from forgetting Airdrop in a mode which can lead to some rather… interesting thumbnails from being beamed at you by anyone in the bus. Fewer things to remember to secure manually is always good.
Some wishes I have that are not necessarily worth a lengthy explanation:
- Don't prompt me for iCloud credentials for no reason!
- Ban apps that prompt for iCloud username and password. These make it so easy to get phished. Apple should start with the Apple Store app…
- More ruthless approval against privacy invading app analytics and advertising. I can dream, can't I?
- Revamped keyboard permission model. The current method of nothing or everything is not ideal.
- Harder to jailbreak. I know there are legitimate reasons for it, I even use jailbroken phones to perform security research, but a consumer's phone should not have such vulnerabilities.
- Smarter lock screen TouchID settings. Now that TouchID is ridiculously fast, it would be nice to be able to hide some information from it, similar to how Find my Friends currently does it.
- VPN toggle in control center please.
With WWDC season, requests, wishes and predictions never seem to run out of supply.
A few wishes that I have seen have made me think that security should be considered extremely meticulously before being realized:
Apple Provided Vpn
I've heard a few people say Apple should provide a VPN for iPhone users, or those with paying iCloud accounts. While this is a good idea in theory, I believe Apple will simply continue pushing developers to use good encryption in-transit, which has benefits for everyone without requiring added infrastructure on their end, but mostly without making them an even more interesting target for information about iOS users.
Geographically Based Security
A common request that is heard is the ability to customize the security behavior of devices based on geographical location.
Example: Lock only after 20 minutes when I am home, but after 2 minutes when I am not.
The line not to cross here, quite obviously, is allowing the unlocking of a device to be purely geographically based, as GPS information could be spoofed, and as it would require some heavy modifications to the encryption system used on iOS. With TouchID becoming faster and faster, I doubt we will ever see something more than minor profile changes based on location.
iMessage Previews/Rich Content
One of the key features of iMessage is end-to-end encryption. With the rise of other messaging platforms, and obviously of platforms such as Slack, people want more from iMessage.
It is important to remember the security and privacy implications that HTML email created, and to think about those in context of a messaging platform. What good is the ability not to send read receipts, if images or URLs are to be loaded automatically?
If such features are implemented, I believe a feature that caches common URLs and images, like Google does would be the bare minimum, but this augmentation of the attack surface surely would bring other interesting security challenges that would have to be solved creatively.
What I Predict
I predict that iOS 10 will indeed introduce many security features, and that iCloud encryption will probably be the most technically intense one. Recent hires show that Apple is serious about this, but a lot of foundational changes might have to wait until iOS 11.
What are some of your security wishes for iOS?
Let me know on Twitter (@gepeto42)!