Serious security issue with mirroring

Discussion in 'iOS 8' started by SteveJobs2.0, Dec 23, 2014.

  1. SteveJobs2.0 macrumors 6502a

    Joined:
    Mar 9, 2012
    #1
    I was presenting some pictures of my recent vacation at my parents' house and I connected my iPhone 6+ to the family tv. However, I was extremely surprised to find that while mirroring the iphone screen on TV, I could see exactly what my password is since the phone displayed the numbers pressed on the lock screen. This is a serious issue for anyone presenting content of their iOS device and needs to be removed right away. Especially for people without a Touch ID device.
     
  2. I7guy macrumors G5

    Joined:
    Nov 30, 2013
    Location:
    What Exit?/Saguaro Country
    #2
    What's the issue? Someone looking over your shoulder gets to see every key pressed as a password is entered. The key flashes for a brief period of time before turning into an asterisk. All AirPlay does is mirror the screen.

    Turn touchid on.
     
  3. SteveJobs2.0 thread starter macrumors 6502a

    Joined:
    Mar 9, 2012
    #3
    The issue is that while in hand the numbers are largely covered by your hand. When connected to a projector, your access code could be displayed to hundreds.
     
  4. I7guy, Dec 23, 2014
    Last edited: Dec 23, 2014

    I7guy macrumors G5

    Joined:
    Nov 30, 2013
    Location:
    What Exit?/Saguaro Country
    #4
    I hear what you are saying, you could submit feedback to Apple. But this wasn't a surprise to me. You could always change your password If you have concerns. Or don't turn on AirPlay until your past the password screen and temporarily turn off lock the phone.
     
  5. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #5
    This is no different than you verbally speaking your passcode to others or showing them your phone while you enter it. A common sense approach would be to enter your passcode before connecting to AirPlay, and disabling auto-lock until you've completed your AirPlay session. No amount of software security measures can protect against unwise user actions.
    So don't be projecting when you enter your passcode. Simple.
     
  6. SteveJobs2.0 thread starter macrumors 6502a

    Joined:
    Mar 9, 2012
    #6
    I realize that now, but there are many people using the feature for the first who don't know this or who will not notice it. There is no reason why Apple couldn't have programmed the lock screen not to show the key presses when connected to an external display.
     
  7. mercuryjones macrumors 6502a

    Joined:
    May 31, 2005
    Location:
    College Station, TX
    #7
    There's also no reason that you need to be connected to an external display BEFORE displaying what you want to. Isn't that the whole purpose - you want to show a picture or video to someone, then have said picture/video already displayed on the phone.
    Plus, why are you mirroring? Why not simply AirPlay? Then, you are only showing what you want the person to see.
     
  8. SteveJobs2.0 thread starter macrumors 6502a

    Joined:
    Mar 9, 2012
    #8
    Thereis no AirPlay when I am connecting my iPad to a projector at a lecture there is no AirPlay. I have to use the lightning to HDMI adapter.

    Once again, the issue is not that there are no work-arounds... the issue is that Apple has built itself on taking care of the smaller issues. This is a major oversight.
     
  9. The Doctor11 macrumors 603

    The Doctor11

    Joined:
    Dec 15, 2013
    Location:
    New York
    #9
    I don't see the problem here. All AirPlay does and SHOULD do is takes whats on my screen and push it out to another screen. That's what its meant for. You can do any number of things to stop people from seeing your password. Unlock it then AirPlay, turn off password, put password on a delay then unlock it and be good for a few hours or whatever you set it too. Really I find this a non issue.
     
  10. Small White Car macrumors G4

    Small White Car

    Joined:
    Aug 29, 2006
    Location:
    Washington DC
    #10
    Jesus, people. It's a solid idea. It would be cool if Apple disabled those button flashes on the screen outputs.

    It's not like he held a gun to your head and demanded you hand over money to make it happen. Is it so hard to say "yeah, that'd be neat" and leave it at that?
     
  11. CosmoPilot macrumors 65816

    CosmoPilot

    Joined:
    Nov 8, 2010
    Location:
    South Carolina
    #11
    Understand, but it's called "MIRRORING" for a reason. I imagine there is a scenario out there where someone would want the password to show up just as typed/mirrored for demonstration purposes. If you're not that guy, then there are several ways to prevent this behavior. To call it a serious security issue is a huge stretch.
     
  12. richwoodrocket macrumors 68020

    richwoodrocket

    Joined:
    Apr 7, 2014
    Location:
    Hamburg, NY
    #12

    You sir have taken the words out of my mouth.
    If it is such a security concern, then don't put your passcode in when you're mirroring your device. A wise move is also to turn do not disturb on when mirroring so people don't see all the notifications you get. One text could be a career ender...
     
  13. Abazigal macrumors 604

    Abazigal

    Joined:
    Jul 18, 2011
    Location:
    Singapore
    #13

    This happens in my class all the time. All my pupils now know my ipad's unlock code.

    That said, I agree that it makes more sense for you to unlock your phone first before connecting it to the projector. What if, as suggested below, someone wants the demo the screen unlocking process for whatever reason?
     
  14. eelw macrumors 6502a

    eelw

    Joined:
    Sep 19, 2012
    #14
    It's been like this since mirroring was first available. Apple hasn't done anything about it yet.
     
  15. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #15
    Seems like the fix is simpler than that, basically not have the flashes on PIN/password entry screens. Fairly basic concept as there simply isn't any useful reason to mirror that--sure it's simpler to just blindly mirror everything but that doesn't make it the best or the right way to do it simply because it's simpler to do it that way. Too much digging to needlessly justify something that pretty much anyone can clearly say can and should be improved if even just a bit of rational thought is applied.
     
  16. sbailey4 macrumors 68030

    sbailey4

    Joined:
    Dec 5, 2011
    Location:
    USA
    #16
    I agree with the work arounds but it would make since to enable a "unlock first" option before any mirror or external display became active. Imagine you are getting ready for a presentation and are connected to a TV or projecter in preparation for the presentation. All the lock screen notifications, text, emails whatever you have set would pop up constantly while you are waiting for the participants to assemble. How would it NOT make since to be connected and ready but have to enter password before the screen share became active? Sounds like a logical idea to me.

    Or you could wait til the class is assembled then begin trying to get it to "just work" and deal with the potential connectivity issues, display issues etc while your participants are assembled and waiting for you to get it working.
     
  17. I7guy macrumors G5

    Joined:
    Nov 30, 2013
    Location:
    What Exit?/Saguaro Country
    #17
    What happens if I want that intended behavior to be shown on a big screen for whatever reason?

    It's a slippery slope when software starts to make the determination of how things should be mirrored. It's much more reasonable to know you mirror or AirPlay a replica of your screen is shown on the big screen.

    Got the same thing with windows desktops used for presentations.
     
  18. NoBoMac macrumors 6502a

    Joined:
    Jul 1, 2014
    #18
    Ugh! No. On a real computer keyboard, there is enough gap between keys, combined with muscle memory, and worst case, ease of actually seeing what keys you are hitting, to be able to get a password entered successfully. With an iOS keyboard, especially on a phone where it's really easy to hit the neighboring key, and burning through one's limit on entering an invalid password. Heck, even with an iPad in landscape, I'll get a password entered incorrectly far more than on my Mac.

    OP has a 6+, so, another option is to use the finger print sensor: noone sees anything there.

    This and this. As other's have said, there are tons of other things that can be equally bad re: text/e-mail/IM notifications that can pop-up when mirroring, that can be embarrassing, at worst, career ender.
     
  19. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #19
    Clearly all of what I said was in relation to the mirroring part of it all (as that is the topic and focus of the discussion).
     
  20. sik08amg macrumors regular

    sik08amg

    Joined:
    Feb 19, 2012
    Location:
    Tampa, FL
    #20
    Solution: Turn mirroring on after you are on the screen you wish to display.
     
  21. sunking101 macrumors 603

    sunking101

    Joined:
    Sep 19, 2013
    #21
    There must always be an effort made to see Apple's way of doing something as being the best way. All other ways are stooopid.
     
  22. Abazigal macrumors 604

    Abazigal

    Joined:
    Jul 18, 2011
    Location:
    Singapore
    #22
    Isn't that what do-not-disturb mode is for?
     
  23. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #23
    That's a workaround not an actual solution to the issue. There's a difference.

    ----------

    Quite so. Apple decided after years that it was finally a worthy enough feature for them to implement. Perhaps after some more years they'll decide to do something about this when people will praise Apple for introducing such a useful and important feature (despite not even willing to give it a second thought now).
     
  24. Abazigal macrumors 604

    Abazigal

    Joined:
    Jul 18, 2011
    Location:
    Singapore
    #24
    You are assuming this is indeed a problem with airplay-mirroring itself, rather than it simply working as intended, and the user himself trying to find fault where none existed.

    What's next? Should, as suggested earlier, all notifications automatically be suspended for as long as my iPad is being mirrored? What if I want them to come in (say as a demonstration of how push notifications work)?
     
  25. sunking101 macrumors 603

    sunking101

    Joined:
    Sep 19, 2013
    #25
    It's unlikely that anyone would wish to demonstrate that.
    A simple toggle preventing notifications and passcodes/PINs from being mirrored would suffice.
     

Share This Page