Apple Invites Researchers to Apply for Special iPhone Designed for Finding Vulnerabilities

[jaworq]

I hope they will finally look into Scren Time issue.

Why a thief knowing 6-digit passcode can change our iCloud password and block us access to cloud forever?

Many people thought that additional screen time passcode prevents a thief from doing so but no. Screen time passcode reset option points you straight to iCloud password reset xD

https://forums.macrumors.com/thread...e-full-control-and-apple-cannot-help.2388366/

Page 15 is crucial.

 

[Mousse]

I think folks don't fully understand the security risks side loading may introduce to them even if they choose not to. For example, suppose you and your family are happy iPhone users. You may share the same Apple ID or,

Is there a reason a family would share the same Apple ID? I cannot think of a legitmate reason a family would share one Apple ID/iCloud account.

My wife has an Apple ID and my daughter has a seperate Apple ID. I see zero reason for sharing the same Apple ID unless it's for different devices used by the same person (my wife's iPhone and iPad uses the same Apple ID). My daughter has a seperate Apple ID because we respect her privacy. Her photos, messages and so on won't pop on my wife's iCloud.

 

[3530025]

Because the change being discussed is basically making it like the Mac, where the steps will be: Download, disable one flag in settings like the picture shows on the howto page, click the app, hit a dialog. Steps that will be NORMALIZED by honest to goodness companies like Netflix, MLB, Epic Games, etc.

Again, there are not any specifications how it will be implemented. We don't know. We don't know how many flags there will be and I doubt it will be like on the Mac.

So again, this is either just your assumption and thus making all your statements invalid and subjective matter. Or you have some source to your claims.

Otherwise it's just word against the word. You think something, I think something else. And without factual check it's just all your assumption which can be either totally wrong or right. As already said in my previous reply.

What makes you think your assumptions are correct when I don't think so? I've already clearly backed why I don't believe your assumptions.

I've already said how uncle Jim can sideload just today. Just sign in with your apple id and connect your phone to your Mac. Boom, self-signed and sideloaded. You yourself talked about scam, what makes you think no scam can misuse this already today?

 

[MrENGLISH]

Apple should put a security feature in iOS anyone tries to hack it, Tim Cook just pops up on screen saying 'Goooooood moooooooorning' over and over.

Even better...

 

[Jensend]

I think folks don't fully understand the security risks side loading may introduce to them even if they choose not to. For example, suppose you and your family are happy iPhone users. You may share the same Apple ID or, more likely, share various Apple services such as iCloud Storage. You think side loading is unsafe and tell everyone they shouldn't. But does your daughter listen? Of course not. She side loads an app from a questionable app store and now has some malware on her iPhone. That malware then gets to all your shared data and services and, potentially even spreads to the other phones via the shared services.

You daughter can already access all the iCloud services on a device that can load apps that aren't approved by Apple: her Mac.

 

[MrTemple]

Again, there are not any specifications how it will be implemented. We don't know. We don't know how many flags there will be and I doubt it will be like on the Mac.

So again, this is either just your assumption and thus making all your statements invalid and subjective matter. Or you have some source to your claims.

Otherwise it's just word against the word. You think something, I think something else. And without factual check it's just all your assumption which can be either totally wrong or right. As already said in my previous reply.

What makes you think your assumptions are correct when I don't think so? I've already clearly backed why I don't believe your assumptions.

Here’s how I know you’re discussing in bad faith.

You are making it seem like Apple will make it super difficult to sideload apps.

While at this same time (your quote below) lying about how simple it is today to sideload an app.

If it’s so easy today (easier it seems than the change you’re advocating), why are you advocating for a change? 🤔

I've already said how uncle Jim can sideload just today. Just sign in with your apple id and connect your phone to your Mac. Boom, self-signed and sideloaded. You yourself talked about scam, what makes you think no scam can misuse this already today?

You missed about 75 instruction steps here that Grampa Jim would need to follow. One of which involved paying $100 to create a developer account. 🙄

That is many orders of magnitude more difficult for the non-tech savvy than the example case of installing apps from untrusted devs on Mac. Effectively impossible for our Grampa Jim.

You’re not being self-consistent. You’re not discussing in good faith.

You’re not gonna bait me with your troll tactics any longer.

 

[ThomasJL]

Apple should have a similar department for finding and getting rid of bugs. iOS 16 is at or almost at its final version, yet is still a buggy mess. Get a clue, Clueless Cook!

 

[Unregistered 4U]

But can you see how it creates this vector for malware which didn’t exist before and which WILL be successful?

It’s surprising how many people think that making exploits easier to produce and deliver won’t yield more exploits. My guess is that they don’t really believe that, they don’t want to accept the fact that there IS something bad about any implementation of a simple way to deliver malicious code to a customer’s device. From what we’ve heard, sideloading IS going to happen, communicating the realities of it isn’t going to make the EU rescind their regulation.

Just call an insecure spade an insecure spade!

 

[Unregistered 4U]

I hope they will finally look into Scren Time issue.

Why a thief knowing 6-digit passcode can change our iCloud password and block us access to cloud forever?

Many people thought that additional screen time passcode prevents a thief from doing so but no. Screen time passcode reset option points you straight to iCloud password reset xD

https://forums.macrumors.com/thread...e-full-control-and-apple-cannot-help.2388366/

Page 15 is crucial.

You mean a thief knowing the passcode to a person’s phone AND having physical access to the phone?

Sounds like being surprised that someone with access to the keys to my car AND my car can drive away in it.

 

[Unregistered 4U]

You missed about 75 instruction steps here that Grampa Jim would need to follow. One of which involved paying $100 to create a developer account. 🙄

You are, of course, correct. No clearer way to put it. I would hope that Apple would be allowed to maintain some level of locked down capability to the phone, but I’m not hopeful. This won’t affect me in any way because I won’t enable it. My concern is for the millions of folks, millions of families that, having taken steps to lock down their older relative’s computer, will now how to lock down their phone as well.

 

[Unregistered 4U]

Is there a reason a family would share the same Apple ID? I cannot think of a legitmate reason a family would share one Apple ID/iCloud account.

There WAS a time, not too long ago, where they didn’t have Family Sharing. If someone wanted access to someone else’s music library, there wasn’t an easy way to do so, so they shared an Apple ID. I would guess that there’s still a number of folks that never enabled Family Sharing and just kept using things the way they’re used to.

Sure, for those buying into the Apple ecosystem now, TOTALLY different story.

 

[Jimmy Bubbles]

Allowing RCS in text messages will solve a lot of security issues
Fun fact: When you text an Android user (green bubble), Apple uses the same security protocol from 1994 when the SMS came out.

Now, people will shout and say buy an iPhone, but iPhone is predominate in the USA only; most countries in the world its 20% or less with some counties at 7% or less.

Do Samsung Pay next! Talk about old tech being rebranded.

 

[SFjohn]

Please read my post here https://forums.macrumors.com/thread...finding-vulnerabilities.2400054/post-32417133

It's totally for you I believe. Sideloading is already supported right now. It's just somehow paid. But you can push any code to your device just now. So nothing changes from the security standpoint.

Also

That's not how iOS security architecture works. Every app is sandboxed and thus can not access any other's app data nor it can access features you don't allow permissions to.



I disagree with this and so does EU thankfully.

Apple could send the EU iPhones that run Android with an iOS looking skin for that matter. If you have issues with the OS they can refer you to Google… 😉

 

[TracesOfArsenic]

Attaboy, Timmy! Outsource your security QA like your bug testing of OS's. As Lil Dicky says, "$ave Dat Money".

 

[tranceme]

This! Sideloading will get iPhone to another level.

And the best thing is - it is optional. You don't have to sideload anything if you don't want to!

Yet, people will and get owned. Should be fun.

 

[svish]

Good. This should make iPhone and iOS more secure

 

[3530025]

Apple could send the EU iPhones that run Android with an iOS looking skin for that matter. If you have issues with the OS they can refer you to Google… 😉

Funny, but no. Apple have to fulfill EU's mandate, because exiting EU (and Japan and possibly more) market is not on the table.

Very funny how this optional feature is hard to swallow for some Apple customers. Is it really that hard to ignore this feature? Also sideloading is already here - you can sideload stuff to your iPhone already today with self-signed certificate. So I guess you should quickly throw away such evil device.

 

[3530025]

Yet, people will and get owned. Should be fun.

Any source on such claim or this is such your opinion based on nothing?

 

[jaworq]

You mean a thief knowing the passcode to a person’s phone AND having physical access to the phone?

Sounds like being surprised that someone with access to the keys to my car AND my car can drive away in it.

Yes. But stolen car can be recovered unlike stolen iCloud account. If thief has your phone and changes password to your iCloud, you're done. You lose access to your iCloud forever (your pictures etc - gone). You get also logged out on your mac and ipad and you need to create a new iCloud account. And all this drama just by knowing 6-digit passcode.... That's insane.

 

[Shirasaki]

Yes. But stolen car can be recovered unlike stolen iCloud account. If thief has your phone and changes password to your iCloud, you're done. You lose access to your iCloud forever (your pictures etc - gone). You get also logged out on your mac and ipad and you need to create a new iCloud account. And all this drama just by knowing 6-digit passcode.... That's insane.

You know, thieves really dont need sideloading to steal/lock your data today. The almighty too powerful passcode can give everything away in just minutes. Yet, Apple still somehow is convinced that 6-digit passcode is more secure than alphanumeric passcode and promote it again via another beta feature. And here, we are bickering about a feature that has no specifications and no details, 100% speculation and no proof.

 

[3530025]

Yes. But stolen car can be recovered unlike stolen iCloud account. If thief has your phone and changes password to your iCloud, you're done.

Same can be said with car. If thief disassembles your car to parts and start selling them - you're pretty much done.
Just saying. Not that I defend 6 digits code.

 

[amartinez1660]

If this is not just your subjective point of view but if you present your points as facts, please provide appropriate sources. Otherwise I stand by my last response. And I don't mean it in a wrong way.

Also comparison of sideloading with phishing is nonsensical.

Also sideloading is already there. You can already be forced into sideloading some app into your phone just now. Why is this not happening?

The insistence “that’s already there” then why do you still want it? Just get it there already.
For a tech person having to get Xcode (free), an apple dev account (free) and deal with the 7 days refresh is quite the lowest of barriers.
If that’s deemed safe enough for grandpa Jim mentioned above, then by all means, proceed and enjoy sideloading. Since really, it’s already there. Nothing else needs to be done.

 

[3530025]

The insistence “that’s already there” then why do you still want it? Just get it there already.
For a tech person having to get Xcode (free), an apple dev account (free) and deal with the 7 days refresh is quite the lowest of barriers.

Because it's

1. inconvenient - 7 days refresh is quite a big barrier for real world usage. It's useful really only for the development purposes.
2. expensive - I really don't want to pay 99 USD yearly for feature which should (and will) be free

If that’s deemed safe enough for grandpa Jim mentioned above

I never said it's safe for grandpa Jim. (even though it should be safe from the iOS data standpoint - thanks to iOS sandboxing; only concern may be if he logs in with some 3rd party credentials - but same can be achieved with much more simple phishing website, so why doing extra step of releasing phishing app?)

I only said that argument about scamming users into sideloading - in the future - is invalid. Grandpa Jim can be scammed into sideloading already today. Is he? Probably not. Then why he should be in the future?

• 7 days expiration limit is not an issue for scammers (you basically just need the scam app to be installed and used once)
• and tricking someone into logging with their Apple credentials is just as easy as tricking someone into installing weird suspicious app and acknowledging several warnings and toggling some settings on the way
• and even more - supposed scammer may even trick Jim into installing sideloadly which will refresh the app automatically via his home wifi (and install the app first time at the same time)...

 

[t0rqx]

what is the use if they not even react swiftly with the current security exploit program.

 

[Unregistered 4U]

But stolen car can be recovered unlike stolen iCloud account.

Tell that to someone that has their car stolen and chopped up for parts.

And all this drama just by knowing 6-digit passcode.... That's insane.

But, it must be remembered that knowing the 6-digit passcode does absolutely nothing. I could post my 6-digit passcode on reddit for thousands to see, and my phone is just as secure as before I posted it.

So, the drama is not caused by someone knowing the passcode. The drama is caused by someone knowing the passcode AND having access to the device. To say it’s “just knowing 6-digit passcode” is only telling half the story.