Apple Should Rethink Face ID Settings for our Current Era

From Philip Michaels at Six Colors:

The central role that phones play in our lives coupled with uncertain times at home and abroad have people rethinking how they should approach Face ID. Apple needs to be doing the same.

One thing I’ve always appreciated about Android is how many automation apps exist that let you configure settings much closer to the metal than iOS Shortcuts allows. Tasker was my go-to for this back in the day. It could set DND based on calendar events, change deep settings based on location or WiFi network amongst other things. This allowed me to keep my phone unlocked at home while requiring fingerprint authentication everywhere else.

I love Shortcuts and have a ridiculous number of automations set up myself, but there’s a handful of things I genuinely need to automate that Apple simply won’t let me touch. The most glaring one? Location-based security policies. You could imagine a world where users choose between no barriers at home, biometrics when out and about, and a long password at protests or border crossings. It’s not a wild ask. It’s just basic threat modeling.

Apple could open up APIs to make this possible via Shortcuts automations. In addition, they could create sensible defaults and ask users about their preferences when upgrading to a new OS. I know there are complexity costs and geolocation is only so reliable so there are risks involved. But the risks of imperfect geolocation seem a lot more acceptable than the alternative: leaving users vulnerable to compelled unlocking at protests, airports, or anywhere else someone with a badge decides your face is the key to your entire digital life.

Apple has built its recent brand on privacy. They run TV spots about keeping your browsing data safe. They’ve positioned themselves as the antidote to Big Tech surveillance. And yet, when it comes to giving users the tools to actually protect themselves from state-level threats, Apple’s response is basically “hold down some buttons and hope for the best.” They could do better. If Apple genuinely believes privacy is a human right, exposing more control here could go a long way to walking that walk.

The Case for Limiting Your Browser Extensions

From Krebs on Security:

If you’re the type of person who uses multiple extensions, it may be wise to adopt a risk-based approach going forward. Given the high stakes that typically come with installing an extension, consider carefully whether having the extension is truly worth it. This applies equally to plug-ins designed for Web site content management systems like WordPress and Joomla.

The only extensions I use these days are an ad blocker (1Blocker), Add to Instapaper, 1Password and an RSS subscribe button. Most everything else gives me the creeps when you read what it actually needs access to.

Hackers can remotely steal fingerprints from Android phones

ZDNet, reporting on how Hackers can remotely steal fingerprints from Android phones:

The threat is for now confined mostly to Android devices that have fingerprint sensors, such as Samsung, Huawei, and HTC devices, which by volume remains low compared to iPhone shipments. But down the line by 2019, where it’s believed that at least half of all smartphone shipments will have a fingerprint sensor, the threat deepens.

and:

The researchers did not comment on which vendor is more secure than others. But, Zhang noted that Apple’s iPhone, which pioneered the modern fingerprint sensor, is “quite secure,” as it encrypts fingerprint data from the scanner.

The scary thing is that this isn’t exactly the sort of password you can change if things go wrong.