  1. #1


    Member Since
    Jan 01, 2014
    Posts
    210
    Specs:
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    iOS 11 is no longer the most secure mobile ecosystem?
    Elcomsoft is one of the leading providers of forensic tools, including iOS and macOS. The company does not have a favorable view of iOS version 11:

    IOS 11 Horror Story: The Rise And Fall Of IOS Security

    Quote:
    The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.
    Aside from this blog posting being an advertisement for Elcomsoft...

    The blogger may have a point about weakening the security of the iOS 11 beyond the PIN number. Especially, if it's taken into consideration that iOS 10 did have additional security beyond the PIN number.

    While some of the configuration changes as described in the blog worked in my iPhone, such as adding/removing trusted phone numbers, resetting the Apple ID password did not. The latter one might be due to my iPhone settings, such as not using the "Wallet and Apple-Pay", iCloud, etc.

    But for others with more "standard" configurations, the step-by-step procedures listed in the blog could prove to be a valuable resource in case the Apple ID PWD is forgotten. Well, provided that the PIN number is not forgotten that is...

  2. #2

    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    3,149
    Specs:
    MBP 15" Mid 2015, iPhone 8, an iMac, plus ATVs, AWatch, MacMini
    Well, I read most (admittedly not all) of that article and was not impressed, frankly. They seem to be trying to raise the fear that somehow someone could get your iPhone AND your passcode and do all of that damage. Yes, if they have the passcode, they can do a lot, but that's true of just about every form of security. If you really want your iPhone to be secure, set at least a six digit passcode, or even better, change your passcode from four numbers to a custom alpha-numeric code and make it really hard to guess, then set the Erase Data to wipe the phone after 10 attempts. What was curious is the blog didn't even mention the alphanumeric codes that are now possible. Maybe they didn't do enough research?

    Bottom line: Any time you have a passcode and make it trivial, you are exposing yourself to being hacked. So make the passcode long and hard to guess. And keep track of the device. If it's gone missing, go to Apple right away and reset the phone remotely. It's better to have to restore the iPhone than to have to restore your reputation or bank account.

  3. #3

    Slydude's Avatar
    Member Since
    Nov 16, 2009
    Location
    North Louisiana, USA
    Posts
    12,396
    Specs:
    2.8 GHz 2008 MacBook Pro 10.11, 8 GB mem, iPhone 8+, 2015 iMac 16 GB 10.13 beta
    Top notch answer as usual Jake. I venture to say that the same level of problem can occur with most of the devices we use on a daily basis. With simultaneous access to the device and passcode the same problems could be caused with someone's Android device for example.
    "Got Time to breathe. You got time for music." Denver Pyle as Briscoe Darling

  4. #4


    Member Since
    Jan 01, 2014
    Posts
    210
    Specs:
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Quote Originally Posted by MacInWin View Post
    Well, I read most (admittedly not all) of that article and was not impressed, frankly. They seem to be trying to raise the fear that somehow someone could get your iPhone AND your passcode and do all of that damage. Yes, if they have the passcode, they can do a lot, but that's true of just about every form of security. If you really want your iPhone to be secure, set at least a six digit passcode, or even better, change your passcode from four numbers to a custom alpha-numeric code and make it really hard to guess, then set the Erase Data to wipe the phone after 10 attempts. What was curious is the blog didn't even mention the alphanumeric codes that are now possible. Maybe they didn't do enough research?

    Bottom line: Any time you have a passcode and make it trivial, you are exposing yourself to being hacked. So make the passcode long and hard to guess. And keep track of the device. If it's gone missing, go to Apple right away and reset the phone remotely. It's better to have to restore the iPhone than to have to restore your reputation or bank account.
    In some respect, you might have missed the point of the blog post...

    The point the blog was trying to make is that iOS v10 had additional security beyond the PIN/PWD that had been removed by iOS v11. Granted, it does not matter for people, especially the ones who don't even use a PIN to lock their devices. But for people, who actually relied on the internal security of the iOS 10, it might be a game changer...

    Thanks for the "custom alpha-numeric code", I did not know that it's supported. On the other hand, the "Erase Data" had been enabled and had six digit PIN, soon to be alpha-numeric...

  5. #5

    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    3,149
    Specs:
    MBP 15" Mid 2015, iPhone 8, an iMac, plus ATVs, AWatch, MacMini
    No, I don't think I missed the point the blog post tried to make. But I think it went over the top in its decrying of the change from 10 to 11 and missed the fact that 11 has features that actually make it stronger (alphanumeric PIN, for one) where it does have security. Apple is constantly balancing convenience and security, and I think they do it pretty well.

    Now, if I was a spy, or a hitman for a mob, then the change might worry me, but for the average user, not so much, and certainly not to the extent the blog made it sound.

    But it's all personal preference and desire, I guess. Some folks want total convenience, others total security. You pays your money and you takes your choice, as they say.

  6. #6

    mrplow's Avatar
    Member Since
    Oct 01, 2007
    Location
    UK
    Posts
    7,158
    Specs:
    Mac Mini i5 (2014 High Sierra), iPhone X, Apple Watch, iPad Pro 12.9, AppleTV (4)
    This is worth a read too for balance. It postures the balance between end user security/likelihood/usability and also brings in the subject of Mobile Device Management tools for environments where on device security needs to be enhanced beyond the OS

    https://www.imore.com/ios-11-real-st...-accessibility

    Please use the reputation system if you think you've been helped - bottom left of this post

  7. #7

    ferrarr's Avatar
    Member Since
    May 21, 2012
    Location
    Pawtucket, RI, USA
    Posts
    3,649
    Specs:
    L2014 Mac mini macOS 10.13, iPhone 6 iOS 11, iPad Pro 1 12.9" iOS 11,  Pencil 1
    I have been using an alpha numeric passcode for quite a while, I don’t think it is a recent addition. I started using it when I got my iPhone 6 in Feb/March 2015.
    -- Bob --
    Please backup. Everything has a life cycle, unexpected and warning free. Nothing will last as long as you want it to.

  8. #8

    dtravis7's Avatar
    Member Since
    Jan 04, 2005
    Location
    Modesto, Ca.
    Posts
    29,244
    Specs:
    iMac 2010 27" QuadI7 OS10.13 iMac 2008 OSX10.11, MBP Late2011OS10.13 , iPad Pro 10.5", iPhone 5s,
    What is so called Added security in IOS10 that 11 does not have?

  9. #9

    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    3,149
    Specs:
    MBP 15" Mid 2015, iPhone 8, an iMac, plus ATVs, AWatch, MacMini
    Quote Originally Posted by ferrarr View Post
    I have been using an alpha numeric passcode for quite a while, I don’t think it is a recent addition. I started using it when I got my iPhone 6 in Feb/March 2015.
    Yeah, it wasn't really new with 11, but the article didn't address it at all, nor did it talk about the "erase after 10 tries" feature that's been around a while, either.

  10. #10

    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    3,149
    Specs:
    MBP 15" Mid 2015, iPhone 8, an iMac, plus ATVs, AWatch, MacMini
    Quote Originally Posted by dtravis7 View Post
    What is so called Added security in IOS10 that 11 does not have?
    The article in Post #1 covers it. Basically, the argument is that by allowing a user to reset their AppleID through the iPhone using only the security code on the iPhone that anyone with physical access to the device AND your passcode can take complete control over your entire AppleID account, including things like Keychain to get to all your other passwords. Before 11, you needed to remember your AppleID to be able to change it, now all you need is your iPhone and the passcode on it. So Apple reduced the overall security of iOS, according to the article. IMHO, the whole article was a bit overblown and hyper, even if true. It also ignored the factors I've talked about, the alphanumeric code ability and the "erase after 10 tries" feature that wipes out the iPhone if someone tries brute force to crack the code.

  11. #11


    Member Since
    Jan 01, 2014
    Posts
    210
    Specs:
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Quote Originally Posted by MacInWin View Post
    The article in Post #1 covers it. Basically, the argument is that by allowing a user to reset their AppleID through the iPhone using only the security code on the iPhone that anyone with physical access to the device AND your passcode can take complete control over your entire AppleID account, including things like Keychain to get to all your other passwords. Before 11, you needed to remember your AppleID to be able to change it, now all you need is your iPhone and the passcode on it. So Apple reduced the overall security of iOS, according to the article. IMHO, the whole article was a bit overblown and hyper, even if true. It also ignored the factors I've talked about, the alphanumeric code ability and the "erase after 10 tries" feature that wipes out the iPhone if someone tries brute force to crack the code.
    The article referenced in the first post is certainly overblown, no question about that. Arguably, iOS 11 did reduce overall security of the system, rather the Apple eco-system, by removing additional authentication requirements. For most people this does not make much of a difference, as mrplow's link showed earlier.

    On the other hand, this will make a difference for law enforcement. Once they gain access to the PIN/PWD, they will have access to the whole Apple eco-system, including all the passwords in the Keychain. And there are a number of ways law enforcement can gain access to the PIN/PWD. They can ask you nicely (or not so nicely), get a court order, or just crack it off-line like they've done previously.

    Did Apple make the changes in iOS 11 to reduce support calls, accommodate law enforcement, or a little bit of both? At this point, we don't know and it will not become known for quite a while. And for all practical purposes, how do we know that with iOS 11, cracking the PIN/PWD did not become easier? As Billy Joel once said:

    https://www.youtube.com/watch?v=6yYchgX1fMw

  12. #12

    mrplow's Avatar
    Member Since
    Oct 01, 2007
    Location
    UK
    Posts
    7,158
    Specs:
    Mac Mini i5 (2014 High Sierra), iPhone X, Apple Watch, iPad Pro 12.9, AppleTV (4)
    I agree to a point. But I don't think there's any evidence of capitulation to law enforcement here.
    They can ask you nicely (or not so nicely), get a court order, or just crack it off-line like they've done previously.
    - this hasn't changed as a result of iOS11.

    I think what needs to be considered is that if someone has your phone and the passcode/password to access it they have access to your email, likely your primary 2 factor authentication device and much much more. That the passcode can now reset the Apple ID exposes very little else that couldn't be achieved already.

    The bottom line is that IT security is not black and white. It's every shade of grey and every colour of the spectrum. There's a strong balance to be struck between usability and rock-hard security. Would I prefer an option to remove the use of passcode to reset my Apple ID? Yes. However, anecdotally, I'd wager that more people have lost data through device failure/loss and not being able to access an encrypted backup etc because they forgot the password or locked themselves out of their Apple ID, than have lost data through direct device and passcode compromise. I've nothing to back that up other than experience of supporting a large family/friend 'ecosystem'.

    Apple have supported MDM solutions for ~8 versions of iOS. Consumers and business alike can, if they choose, implement one of these to tailor the security on the device. But most consumers don't need or want this. How many of us know people that, despite all advice and warning, use the same or very similar passwords across multiple platforms? Most people want the usability and want the security to fade into the background.

    What consumers and professionals alike don't need is more clickbait headlines supported by incomplete information and a sales pitch. It doesn't do any end-user any favours.


  13. #13


    Member Since
    Jan 01, 2014
    Posts
    210
    Specs:
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Quote Originally Posted by mrplow View Post
    I agree to a point. But I don't think there's any evidence of capitulation to law enforcement here.
    - this hasn't changed as a result of iOS11.
    No, this has not, but the result did change for law enforcement and to a certain extent for Apple. With iOS 11, there is no need for a court order to get access to the Apple eco-system, once the PIN/PWD is known…

    Quote Originally Posted by mrplow View Post
    I think what needs to be considered is that if someone has your phone and the passcode/password to access it they have access to your email, likely your primary 2 factor authentication device and much much more. That the passcode can now reset the Apple ID exposes very little else that couldn't be achieved already.
    In most cases, yes… Going through the steps on my iPhone for adding an additional trusted phone number for 2FA and removing mine had been easy with the PIN. Since I practically have access to the added trusted number 24/7, I did not add mine back. Not as if it matters much, since I do not really use Apple’s eco-system. Cloud storage is not an option for me, regardless who provides it. On the rare occasion I download a free app, like Ghostery browser, I need to enter the password for my Apple ID.

    On the other hand, emails have no protection after the iDevice is unlocked. So, going through all of this is useless in some respect. There are ways to hide emails, but they are too cumbersome to do. Maybe if I have one email account I might consider it, but not with five business email accounts…

    Quote Originally Posted by mrplow View Post
    Most people want the usability and want the security to fade into the background.
    And that’s what we see with all systems and evidently with Apple as well. The difference is that with Apple, there are still ways for making the device more secure than any others...

  14. #14

    mrplow's Avatar
    Member Since
    Oct 01, 2007
    Location
    UK
    Posts
    7,158
    Specs:
    Mac Mini i5 (2014 High Sierra), iPhone X, Apple Watch, iPad Pro 12.9, AppleTV (4)
    These things can go back and forth forever

    But the crux of the point is iOS11 vs previous versions:
    With iOS 11, there is no need for a court order to get access to the Apple eco-system, once the PIN/PWD is known…
    My point being that in reality once the PIN/Password is known there is little value in going beyond that. In most cases you have full access into photos, messages, email, location data, app data - i.e. all the 'good' stuff law enforcement would want. This state hasn't changed with iOS11.

    My point is that having the Apple ID password or the ability to reset it doesn't give you much in the way of additional data that you can't access directly from an unlocked phone.


  15. #15


    Member Since
    Jan 01, 2014
    Posts
    210
    Specs:
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Quote Originally Posted by mrplow View Post
    These things can go back and forth forever
    Not, if I stop, before I agree to most of your points...
