About Privacy

18 01 2015

If you are an Apple fan and can’t take a joke just skip this post and accept my sincere apology.

2015/01/img_3898.png

In reality you can be sure that Apple takes care of your privacy.

About  Pay …

If you are not familiar with Apple’s payment system, this is what Apple publishes on its website …

Your wallet.
Without the wallet.
Paying in stores or within apps has never been easier. Gone are the days of searching for your wallet. The wasted moments finding the right card. Now payments happen with a single touch.

Apple Pay will change how you pay with breakthrough contactless payment technology and unique security features built right into the devices you have with you every day. So you can use your iPhone, Apple Watch, or iPad to pay in a simple, secure, and private way.

Related links …

Security Made by Apple

Tim Cook about Privacy

Apple Pay with iPhone 6

Thanks for being sympathetic.





iOS 8 Security

5 01 2015

When government comes knocking …

Here is what The Washington Post published on September 18, 2014, shortly after Apple’s Keynote on September 9, the day Tim Cook introduced the iPhone 6 and 6 Plus and the updated operating system iOS 8 for mobile devices.

IMG_3471.PNG

Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information.

The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails and recordings. Apple once maintained the ability to unlock some content on devices for legally binding police requests but will no longer do so for iOS 8, it said in the new privacy policy.

Please read the full article here …

About iOS 8 Security

Besides 2-Step Verification, which is also available for iCloud in many countries, this is a further step toward more security for Apple’s customers. It should be mentioned that the so-called fragmentation is kept low for Apple’s devices.

See this concept map which shows the iOS versions in relation to all iPhone models on which they can be installed. The map includes what’s published about iOS 8 on Apple’s website after the WWDC event on June 2, 2014 in San Francisco.

IMG_3425.PNG

Just look at the iOS version and count the number of outgoing arrows.

It starts with compatibility with 2 models. Since iOS 6, installation on the current model and 3 predecessors is supported. With iOS 7 and 8, Apple’s mobile OS is ready to install on 5 models.

It takes enormous effort to bring hardware and software engineers together to look into the future and design hardware components that remain usable for future versions of an OS.

Competitors show us that the alternative way is to build devices regardless of what happens with newer versions of the OS.

According to a scary graphic for Android users published by Business Insider in Aug 2014 there are 18,796 unique devices running the Android OS. That fragmentation is tough on developers. It’s too difficult to make sure that an app runs well on each device. It’s one of the reasons why Android has severe disadvantages for customers using their device over years. The issue gets thornier if you look at the OS versions Android devices are running today. Many of them are still running Gingerbread (2.3), a version launched 4 years ago!
In contrast to Android about 91% of iOS devices are running the latest version (7.x) and it’s most likely that a significant percentage of devices will be updated to iOS 8 on the first day of its launch.

It’s a vicious circle to always buy a new (subsidized) device to get the latest OS version. Fragmentation is what developers and customers don’t like because it hampers a unique user experience and needs additional efforts. This might be one of the reasons why iOS is still the preferred platform for developing powerful apps.

Apple wants a perfect user experience for most of its loyal customers, and developers are supported by the iOS feature ‘Size Classes’ with which Apple said Goodbye to an increasing complexity of code needed to support sizes like 3.5″ (iPhone 4), 4.0″ (iPhone 5), 4.7″ and 5.5″ (iPhone 6), 7.9″ (iPad Mini), and 9.7″ (iPad). Google with its Android OS is still faced with a lot of different form factors and it seems to be an impossible task for developers to ensure a perfect user interface and user experience on all devices.

Summary …

Security isn’t something Apple merely talks about, as many other companies do.
Today security is strongly related to updated applications and operating systems.

Apple reported that nearly half of the users installed the latest version of the mobile operating system less than a week after its introduction on Sept 17, 2014. The company said 46 percent are using iOS 8 as of Monday, with slightly more (49 percent) using the previous generation of software.

This is an adoption process happening at nearly the speed of light if you compare it with the competitors.

Related links …

Security made by Apple

2-Step Verification

Android Fragmentation

Interested in creating mind maps and concept maps?
See an app review of the app Inspiration here

Inspiration

Thanks for flying with iNotes4You.





About Encryption

29 12 2014

Would you like to be able to use QR-Codes in order to let people quickly get some sensitive information, but also want to be able to restrict the number of people with access to the data? And what about iWork documents containing personal data? Is there a way to securely manage them?

IMG_3645-2.PNG

If you use an app like Qrafter by Kerem Erkan you may have the idea to use password-protected QR-Codes for sending sensitive data e.g. via mail or a messaging app like iMessage.

IMG_3322.PNG

The idea seems fascinating, but let’s face the facts with an answer from the developer Kerem that I got via E-Mail:

The encryption is 48-bit, meaning it is weak for any sensitive information. More secure encryption methods take too much data and QR Codes do not have such capacity. You should not use QR Code encryption for anything sensitive.

For the sake of security, it’s hard to beat the old-school, in-person hand off. It’s not the most sexy of options in the digital age, but surely there’s something titillating about a top-secret document hand off. Bring your briefcase and make it like a spy movie. Or don’t.

Don’t send your sensitive documents over email. It may seem private, but even if you’re using an email account that uploads attachments over a more secure HTTPS connection, like GMail, you have no control over your recipient’s server, and they may download your attachment from an unencrypted HTTP connection. Now say they did that from a public Wi-Fi network. Things just got very un-secure.

Some basics …

If you want your data to be NSA-resistant, all files must be encrypted on your device before being transferred to the cloud. Your password should never be stored on your device or, if it is stored there, should never leave it. So no unauthorized user, not even employees of your provider, could ever access your data. Client-side encryption is the keyword.

Since encryption occurs before files leave your device it effectively wraps a protective wall around your data in the cloud. Employees then have very limited access to your data. They can only see how many files you have stored and how much storage space they occupy. The files themselves, as well as all metadata (folder names, file names, comments, preview images, etc.), are encrypted. The following chart illustrates three typical encryption schemes. The scheme in the middle is what is used by most cloud storage providers.

IMG_3323.PNG

What matters most when encrypting data is not the particular encryption algorithm (e.g. AES), but how it is used. Basically, there are three encryption schemes:

  • 1 None
    No encryption is used. Your data is sent to the storage in plain view, visible to anyone who has access to your network connection as well as to the storage provider. This is a little bit like sending someone a postcard: everyone involved in handling the postcard can read it.
  • 2 Encrypted connection (e.g. SSL)
    In this scheme, a secure channel is established between your computer and the storage provider before data is uploaded. That way, no one can eavesdrop on the transfer. However, the provider sees all your data. Often storage providers implement additional measures like creating corporate policies that disallow their employees to view your data. Another additional measure is using encrypted disks to store your data, so someone breaking into the data center and stealing the hard drives won’t be able to read it. However, it is still visible to the provider and its employees. This approach has the advantage that the provider can process your data for you, such as for creating a search index. Also, it is technically easy to make the data available in the web browser or through an API. The problem with this approach is that your privacy is limited. The storage provider can, for example, be forced to provide your data to a government agency. What’s more, employees will be able to read your data even if prohibited by company policies. It is also much more likely that bugs or other errors could result in data leaks. This is the most widespread approach implemented by cloud storage providers.
  • 3 Client-side encryption
    This approach is inherently more secure than the others. Apart from Box and Wuala, there are only a few other cloud storage providers following this scheme, mostly backup services. All data is encrypted locally on your device before it is uploaded. No one not explicitly authorized by you can see your data. Since not even the storage provider can see your data, they cannot be forced to hand it over to government agencies. The employees are also not able to read your data. As a side effect, it is impossible to recover your password in case you forget it. You can test your cloud storage provider’s security by checking whether they offer password recovery or password reset. If yes, then it does not employ client-side encryption. With client-side encryption, security is embedded deeply in the design of the storage.

    One of the main challenges with client-side encryption is key management. If you only want to back up, a single master key is enough. However, if you want to be able to share data selectively, your cloud storage must feature a sophisticated key management scheme.

With this in mind here is a more secure method to store sensitive data permanently or to exchange information with others.

Use a secure cloud storage, e.g. WUALA or BOX or an encryption software like BOXCRYPTOR and send the information as an encrypted file, a simple text message, a PDF file, or an iWork document.

Say you and your tech-savvy recipient set up a shared folder. Anything you put in that folder would travel encrypted from your folder to the provider’s servers to your recipient’s folder. That’s it.

Boxcryptor …

Do you use a cloud storage with standard security, that is, without any additional protection?
Don’t worry. There is a solution for all well-known clouds including all other clouds which support the WebDAV protocol. It’s an application developed by the German company Secomba GmbH.


Boxcryptor creates a virtual drive on your device that allows you to encrypt your files locally before uploading them to your cloud or clouds of choice. It encrypts individual files – and does not create containers.

IMG_3324.PNG

Any file dropped into an encrypted folder within the Boxcryptor drive will get automatically encrypted before it is synced to the cloud. To protect your files, Boxcryptor uses the AES-256 and RSA encryption algorithms.

Boxcryptor is free for one device and one cloud provider. You cannot use two iOS devices to manage encrypted files as long as both devices are linked to Boxcryptor. If you want to share encrypted files with others you can do that without a subscription.

A workaround …

You cannot turn off iCloud for individual iWork documents. So, creating a new document with sensitive data is a risk because the content automatically finds its way into iCloud.
Even if you turn off iCloud for documents but still use iCloud for backing up your device, your documents will be stored in iCloud and Apple has the key to decrypt them.

Here is a workaround which lets you manage encrypted iWork documents using Boxcryptor.

IMG_3325-0.PNG

This is definitely not a comfortable way, but it is the only option to keep sensitive information away from unauthorized people. Even if government comes knocking there is no chance to decrypt your data regardless of the provider keeping your files. I would understand if you say “I hear the message well but lack faith’s constant trust.”

Summary …

Sad to say that effective encryption is still not a standard feature of using cloud storages. Even Apple doesn’t use client-side encryption and so you should be careful when creating documents with sensitive data. Even if you deactivate syncing via iCloud your documents will find their way into the cloud when your iPad or iPhone initiates the next backup to iCloud.

Related links …

About QR-Codes

Mystic signs of progress

About encryption

Notes on encryption

About clouds

The cloudy iCloud

Risky free clouds

iOS cloud clients

Box for iOS

Thanks for flying with iNotes4You.





Saying Goodbye

30 10 2014

If it’s time to say Goodbye to one of your Apple devices because you are impressed by an innovative new model and cannot wait to order, here is what you should know and what you should do with your old device if you plan to sell it.

20140731-081720-29840253.jpg

In my example I talk about an iPhone 5 running on iOS 7 and temporarily used by my wife. This version of Apple’s mobile operating system automatically turns on ‘Find my iPhone’ and ‘Activation Lock’. Additionally the Apple ID is secured with 2-Step-Verification.

Activation Lock
Losing a device with sensitive data may compromise your identity in the digital world, followed by severe problems with the law. At WWDC 2013, Apple unveiled Activation Lock, a new feature in iOS 7 that locks stolen phones even after thieves wipe them.
Apple’s Craig Federighi
“We think this is going to be a really powerful theft deterrent.”
The company on its website
“Losing your iPhone feels lousy. Thankfully, Find My iPhone can help you get it back. But if it looks like that’s not going to happen, new security features in iOS 7 make it harder for anyone who’s not you to use or sell your device. Now turning off Find My iPhone or erasing your device requires your Apple ID and password. Find My iPhone can also continue to display a custom message, even after your device is erased. And your Apple ID and password are required before anyone can reactivate it. Which means your iPhone is still your iPhone. No matter where it is.”

If activated, 2-Step-Verification needs an SMS-capable device. Every time you want to have access to your Apple account you need a verification code Apple will send to one of your trusted devices. So, selling a device should always be followed by removing the device from the list of trusted devices. But don’t worry, if you didn’t go the recommended way you can manually remove a device from this list.

Your Apple account …

Apple’s mobile devices are connected with the Apple ID you used during setup. If you go to your support profile you will see all devices connected to this ID.

20140731-081813-29893625.jpg

Sold devices or devices you do not own any longer (giveaway or theft) must be removed from your account to avoid abuse.

Back up your device …

If you want to purchase a new iPhone or iPad, back up your old device to iCloud (and/or iTunes) so that you can use this backup to configure its successor. Keep in mind that account and other personal data are only included in an iOS backup if you use an Unlock Key on your device. If you later run through the setup process of your new device you can restore the backup from iCloud and there is nothing more to do.

You can use an iOS backup of an iPhone to configure an iPad and vice versa.

The only thing you have to do is to install apps that are designed for just one of the two devices.

Two cases …

Distinguish between these two cases:

If you still have access to your iOS device …

Follow these steps to protect your data and get your device to its factory default state for the new owner:

Go to Settings – General – Reset, then tap
Erase All Content and Settings.
This will completely erase your device and turn off iCloud, iMessage, FaceTime, Game Center, and other services.
If you’re using iOS 7 and have Find My iPhone turned on, your Apple ID and password will be required. After you provide your password, the device will be erased and removed from your account so that the next owner can activate it. If you don’t remove your device from your account, Activation Lock will prevent other users from activating the device.

When the device is turned on for the first time by the new owner, Setup Assistant will guide them through the setup process.

Important …

Do not manually delete contacts, calendars, reminders, documents, photo streams, or any other iCloud data while signed in to your iCloud account.

The content would also be deleted from the iCloud servers and all of your other iCloud devices.

20140731-081914-29954047.jpg

Apple will send you an E-Mail which confirms that you erased your device and that it’s removed from your device list and the list of trusted devices defined for an account with 2-Step-Verification. You now can say Goodbye and sell it or shed love and give it to your wife or your child.

If you no longer have access to your iOS device …

If you didn’t follow the steps above before selling or giving away your iOS device:

Ask the new owner to erase all content and settings as described above.
If you’re using iCloud and Find My iPhone on the device, you can erase the device remotely and remove it from your account by signing in to icloud.com/find, selecting the device, and clicking Erase.

Erasing a device remotely is only possible if it’s still connected to the internet (via cellular network or WiFi and turned on). If this is not the case then the device will be erased when it connects to the internet again.

When the device has been erased, click Remove from Account.

If you’re unable to complete either of the above steps, you should change your Apple ID password. Changing your password won’t remove any personal information that is cached on the device, but it will make sure that the new owner can’t delete your information from iCloud.

I removed the SIM card from the iPhone to simulate a SIM deactivated by the carrier, and turned the phone off. On my iPhone 4S I opened ‘Find my iPhone’, signed in with the Apple ID used on the iPhone 5 and started the process of erasing the device.

20140731-082013-30013251.jpg

Because the iPhone 5 was turned off, it couldn’t receive anything and so ‘Erase’ couldn’t be executed. After turning the device on it connected to the internet via my WLAN which basically simulates the insert of a new SIM card with which the device can connect to the internet via cellular connection.

20140731-082058-30058102.jpg

It’s over now.

20140731-082135-30095942.jpg

A new liaison is waiting. What should be said is that the whole procedure is unsuitable for use in human relations.

Troubleshooting …

After erasing the iPhone and removing it from the account via the app ‘Find my iPhone’ something went wrong. The device couldn’t be activated any longer. The iOS setup procedure stopped with the message ‘… activation server temporarily unavailable …’. Several further attempts to activate the device weren’t successful.

20140801-181743-65863625.jpg

It turned out that there is just one way to fix the problem, doing a RECOVERY. It needs a computer with an installation of the latest version of iTunes. There is no need to do more than just a recovery. Follow these steps to make your device ready for a new activation:

  • Turn off your device.
    If you can’t turn it off, press and hold the Sleep/Wake and Home buttons at the same time and wait a few seconds for it to turn off.
  • Plug the device’s USB cable into your computer only.
  • Hold down the device’s Home button as you connect the USB cable to it.
  • When you see the ‘Connect to iTunes’ screen, release the Home button.
  • Follow the instructions in iTunes after clicking on ‘Recover’.

Summary …

This concept map (created with the app INSPIRATION for the iPad) summarizes the steps to sell an iOS device.

20140803-210815-76095142.jpg

If you have to say Goodbye, do not cry. I’m quite sure that each iteration of an iOS device and the operating system will let you forget your former darling in a jiffy.

Related links …

iOS Device Backup

Recovery

The Apple ID

2-Step-Verification

Inspiration

Thanks for surfing by.





2-Step Verification

7 05 2014

Strong efforts have to be undertaken to secure data in the digital world. Even your identity can be undermined if you think about a hacked social media account where a bad guy publishes using your name.

Sometimes hackers behave like terrorists and try to destroy everything they are able to. A victim could suffer humiliation, identity theft, and lifetime suspension from services and social networks.

See this article to understand what I mean

How Apple and Amazon Security Flaws Led to My Epic Hacking

There are many different approaches to secure accounts …

  • 1 Using strong passwords
    that means passwords consisting of characters, special characters, and numbers.
    Apps like 1Password by AgileBits Inc., USA, are able to randomly generate complex passwords up to a length of 30 characters. Good idea but from then on you are bound to access accounts via the integrated browser of this app if you don’t want to write the password down on a sheet of paper. If you temporarily do not have access to your device there is no chance to access your account.
  • 2 2-Step Verification
    Your personal device is needed to receive a code with which you then identify yourself.
  • 3 Additional hardware
    to generate a code which has to be entered on a website. A transaction authentication number (TAN) is used by some online banking services as a form of single-use one-time password to authorize financial transactions. TANs are a second layer of security and come in different kinds:

    • Classical TAN
      numbers generated by a bank and printed on a sheet of paper
    • Indexed TAN
      called iTAN where the user is not asked to use an arbitrary TAN from the list but to enter a specific TAN as identified by a sequence number (index). As the index is randomly chosen by the bank, an arbitrary TAN acquired by an attacker is usually worthless.
    • iTAN with CAPTCHA
      Prior to entering the iTAN, the user is presented a CAPTCHA, which in the background also shows the transaction data and data deemed unknown to a potential attacker, such as the user’s birthdate. This is intended to make it hard (but not impossible) for an attacker to forge the CAPTCHA.
      This variant of the iTAN method, used by some German banks, adds a CAPTCHA to reduce the risk of man-in-the-middle attacks. Some Chinese banks have also deployed a TAN method similar to iTANplus. A recent study shows that these CAPTCHA-based TAN schemes are not secure against more advanced automated attacks.
    • Mobile TAN
      mTANs are used by banks in many countries. When the user initiates a transaction, a TAN is generated by the bank and sent to the user’s mobile phone by SMS. The SMS may also include transaction data, allowing the user to verify that the transaction has not been modified in transmission to the bank.
    • Simple TAN generators
      The risk of compromising the whole TAN list can be reduced by using security tokens that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smart card inserted into the token.
    • ChipTAN
      is a TAN scheme used by many German banks. It uses a TAN generator which only works if the bank card for the account is inserted into it. The TAN generated is specific to the current transaction. There are two variants: In the older variant, the transaction details (at least amount and account number) must be entered manually. In the modern variant, the user enters the transaction online, then the TAN generator reads the transaction details via a flickering field on the computer screen (using a photodetector). It then shows the transaction details to the user for confirmation before generating a TAN.
  • Smart Card
    An example for a smart card you all know is the SIM card (subscriber identity module).

or this suggestion, using a complex password and a simple trick to not forget it

20140130-205135.jpg

If you are lucky and have just one bank account you just need one additional device to identify yourself or to verify a transaction. All these more sophisticated methods are not used by companies engaged in eCommerce. Instead, some companies still allow purchases with an eMail address and the password 1234.

Apple and passwords …

Ronald Carlson published interesting stats on tapscape.com (Jan 25, 2014) about how companies handle security:

Dashlane, a company that sells a password manager of the same name, has assessed the world’s top 100 websites for password security and published the results (pdf) for all to see. Unsurprisingly, Apple comes out on top with a perfect password security score of 100, while a long list of “trusted” companies, like Amazon, do less well:

The roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site — Dashlane.

  • 55 % still accept notoriously weak passwords, such as “123456” or “password”
  • 51 % of websites, including Amazon, Dell and Best Buy, make no attempt to block entry after 10 incorrect password entries
  • 64 % have highly questionable password practices
  • 61 % do not provide any advice on how to create a strong password during signup and 93 percent do not provide an on-screen password strength assessment
  • 10 % scored above the threshold for good password policies (i.e. 45 points or more in the roundup)
  • 8 sites, including Toys “R” Us, J.Crew and 1-800-Flowers.com, send passwords in plain text via email

The research study puts Apple on #1 with a score of 100, Microsoft on #3 with 65, Nike on #10 with 45, Toys R Us got a score of -60, and MLB -75 which means that this e-commerce offer was the leader of the bottom 10.

Thanks to Ronald Carlson for sharing Web Password Security, Apple Protects Users Best, Amazon Less So on Google+.

Securing web-based services …

It’s indispensable to secure access to web-based services to increase reliance. This must be an integral part when building up customer relationships.

My article describes two ways to securely access accounts offered by Apple and Google. While Apple’s solution is limited to account access and purchases within Apple’s ecosystem, Google’s solution supports 2-Step Verification for a whole range of services, even from other vendors like Dropbox, Facebook, or WordPress.

Today companies make it easy to register for services.

Usually you need an E-Mail address (as a username) and a password. Instead of separating username, password, and email address for communication purposes nearly all companies reduce these three properties to just two which makes it easier to use their services but it goes along with less security.

To increase security the so-called 2-Step Verification was developed.
The basic idea is that apart from a password a second input is required to successfully access an account. Additionally access is limited to so-called trusted devices, devices you personally own and have access to.

2-Step Verification means “something you know” (like a password) and “something you have” (like a smartphone). Once you have activated 2-Step Verification you have to use both your password and an authorized device to sign in. To increase usability, Apple as well as Google let you authorize a device so that it does not ask for an authentication code again.

With 2-Step Verification security is drastically increased but not perfect. The only way to further increase the level is to use biometric identifiers (like a fingerprint), which are currently not supported for mobile devices. A standardized solution implemented in all operating systems would be a great step forward.

Many authentication processes could be made much easier if “something you are” (fingerprint, iris) replaced “something you know”, and it would increase security drastically if all three methods were combined to identify yourself.

Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. Biometric identifiers are often categorized as physiological versus behavioral characteristics. A physiological biometric would identify by iris scan, DNA or fingerprint. Behavioral biometrics are related to the behavior of a person, including but not limited to: typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics to describe the latter class of biometrics.
More traditional means of access control include token-based identification systems, such as a driver’s license or passport, and knowledge-based identification systems, such as a password or personal identification number. Since biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods; however, the collection of biometric identifiers raises privacy concerns about the ultimate use of this information.
(Wikipedia)

Apple took a first step with a fingerprint scanner implemented in its flagship iPhone 5S, released in October 2013.

Apple’s solution …

For a comprehensive description of the 2-Step Verification process visit:

Frequently asked questions about 2-Step Verification for Apple ID

or see this concept map which contains all information in a visualized layout.

20140507-082044.jpg

On your iOS device 2-Step Verification will look like this:

20140130-205257.jpg

Unsurprisingly, Apple did not follow the open standard Google, Microsoft, and many others use. So this optional security feature is made just for Apple services and devices, that is, for Apple’s ecosystem. It requires you to verify your identity using one of your devices before you can:

  • Sign in to My Apple ID to manage your account
  • Make an iTunes, App Store, or iBookstore purchase from a new device
  • Get Apple ID-related support from Apple

The complete process …

I published a How To for the complete activation process on Snapguide.com.

http://snapguide.com/guides/activate-and-use-apples-2-step-verification/

Note
You can view this public guide via Safari but I suggest to download the app Snapguide from Apple’s App Store (universal, free). The iPad version enjoys all the advantages of a perfect user experience.

Google’s solution …

Sorry. But as usual Google spreads information across the internet and it’s hard to find a simple description which contains all the information a normal user needs to understand this additional layer of security. So here is a description I found on MacWorld for configuring 2-Step Authentication:

2-Step Verification by Google

My opinion: This is not the way to get users to accept the efforts made by the company. It seems to be quite difficult to explain this approach to more security to a broad number of inexperienced users.

The flaws …

Apple …

  • Access to iCloud is not secured by 2-Step Verification. So your data are without the additional layer of security.
  • 2-Step Verification is still not available in all countries.

Google …

  • After you turn on 2-Step Verification, non-browser applications and devices that use your Google account (such as the Gmail app on your phone), will be unable to connect to your account. Google solves this by generating application-specific passwords to allow these applications to connect to your account. Although this must be done only once for each device and application it’s an additional hassle to manage these settings.

Common flaws …

  • What will users do to keep usability at an acceptable level?
    They first declare their device a trusted device. That means this device has direct access to all services because the apps generating security codes are fully accessible. Furthermore, Google’s authentication tempts users to grant access to all installed applications by using application-specific passwords and setting the option “Remember Password”.
  • Security is still bound to the unlock code of your device.
    The progress coming up with 2-Step Verification is limited because it doesn’t secure your device but only reduces the chance to successfully hack an account.

Some FAQs …

01 What to do if the phone doesn’t have a carrier signal but is on WiFi?

Google
You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.
Apple
You can use the app Find My iPhone to get a verification code.

02 What to do if the phone runs out of power, is broken, or is stolen?

Google
You can print out 10 one-time backup codes and put them in your wallet. Use those one-time codes to log in even without your phone.
Go to your 2-step verification settings page. Under the “Advanced” section, you’ll have the choice to remove a device. The device will automatically sign out of your account, and you’ll be prompted for a verification code next time you try to sign in from them.

Apple
While activating 2-Step Verification you will get a so-called Recovery Key which has to be printed out. This code can be used in the event that none of your trusted devices are available. You have to sign in to My Apple ID and remove the stolen or sold device from the trusted devices. Access from this device to your Apple ID (Settings – iTunes+App Stores – Apple ID) or purchases from Apple’s stores are no longer possible.

03 What to do if an authentication within an app like Apple Mail fails?

Google
For apps you can create so-called ‘application-specific passwords’ (ASPs) that your app can use instead of your regular password. You can revoke ASPs at any time.
Apple
Not applicable

The worst case …

If you lose two or more of the required sign-in items (your Apple ID password, access to one of your trusted devices, your Recovery Key) you cannot regain access to your Apple account. You will need to create a new Apple ID. You can do so on one of your devices or on the web at My Apple ID.

Costs …

If you use SMS as the transmission service for verification codes you will be charged by your provider. The sender of the SMS is located in the UK (+44).

To clarify costs you should ask your provider. Best practice is to activate Find My iPhone. The app is ready for receiving verification codes. It’s obvious that this transmission only works if you are connected to the internet.

The main features …

These are the main features of Apple’s 2-Step Verification

  • 2-Step Verification is bound to your Apple ID.
  • You can use any device capable of receiving SMS.
  • If you lose two or more sign-in items you cannot regain access to your account.
  • If you sell your device or if it’s stolen immediately go to My Apple ID and remove this device from the list of trusted devices.

Summary …

Use 2-Step Verification to improve security and to avoid compromising your identity, which can cause severe problems with the law if it’s obvious that you did not follow well-known security advice.

The digital world offers great benefits but increased security always goes along with decreased usability. That’s the price we have to pay. Be sure it’s a good investment.

The solutions of both companies, Apple and Google, do not meet the requirements of their users. You cannot keep a recovery key or up to 10 backup codes in mind, but your biometric identifiers are always with you. So let’s wait for the next step of a more innovative technological progress where you have access to all your accounts just with ‘something you are’.

Related links …

Apple …

Security made by Apple

Emergency Guide

The Apple ID

Apple ID: Frequently asked questions about 2-step Verification for Apple ID

Apple ID: Can’t sign in with 2-Step Verification

Google …

Google: 2-Step Verification

Google: Install Google Authenticator

Google: Sign in using Backup Code

Overview …

Overview about 2-Step Verification of other companies

Thanks for dropping by.





Security made by Apple

12 10 2013

Today smartphones are often used to save all the data you need in the digital world. Ring binders, box files, and slips of paper are out. Your device then might be more valuable than your wallet containing cash and credit cards.

Huffington Post reports that about 1.6 million iPhones were stolen in the U.S. last year. UK magazines report that over 160 iPhones and over 314 mobile phones are stolen in London every day. Law enforcement has previously criticized Apple and other mobile phone providers for not offering better mobile phone security or embedding persistent technology that makes phones inoperable once they are stolen.

Finding technical solutions that will remove the economic value of stolen smartphones is critical to ending the violent street crimes commonly known as ‘Apple Picking‘.

You can be lucky if a less sophisticated thief simply takes your device to make some free calls before you can report it and your carrier blocks the SIM card. Then he sells your device and the new proud owner begins setting up the device as a new iPhone with a new Apple ID.

But there are also very bad guys behaving like terrorists and trying to destroy everything they are able to. A victim could suffer humiliation, identity theft, and lifetime suspension from services and social networks.

Losing a device with sensitive data may compromise your identity in the digital world, followed by severe problems with the law.

At WWDC 2013, Apple unveiled Activation Lock, a new feature in iOS 7 that locks stolen phones even after thieves wipe them.

Apple’s Craig Federighi (CEO Software Development) …
We think this is going to be a really powerful theft deterrent.

Apple on its website …
Losing your iPhone feels lousy. Thankfully, Find My iPhone can help you get it back. But if it looks like that’s not going to happen, new security features in iOS 7 make it harder for anyone who’s not you to use or sell your device. Now turning off Find My iPhone or erasing your device requires your Apple ID and password. Find My iPhone can also continue to display a custom message, even after your device is erased. And your Apple ID and password are required before anyone can reactivate it. Which means your iPhone is still your iPhone. No matter where it is.

First, let’s have a look at the current iOS features that prevent your data from being compromised:

  • 1 Using a string-based complex Unlock Code
  • 2 Activating Apple’s Find My iPhone service
  • 3 Setup Restrictions with an unlock code different from the device’s unlock code

Additionally, a secure password keeper like 1Password is an indispensable tool if you save credentials for banking accounts, e-mail accounts, and websites on your device, which is frequently done because your mobile device is always with you.

1 Using an Unlock Code …

Device Access …

iOS supports flexible security policies and configurations that are easily enforced and managed. This enables enterprises to protect corporate information and ensure that employees meet enterprise requirements, even if they are using devices they’ve provided themselves (BYOD).

Passcode Protection …

In addition to providing a cryptographic protection, passcodes prevent unauthorized access to the device’s UI.

By default, the user’s passcode can be defined as a four-digit PIN. Users can specify a longer, alphanumeric passcode by turning on Settings – General – Passcode – Complex Passcode. Longer and more complex passcodes are harder to guess or attack, and are recommended not only for enterprise use.

By setting up a device passcode, the user automatically enables Data Protection. iOS supports four-digit and arbitrary-length alphanumeric passcodes. In addition to unlocking the device, a passcode provides the entropy for encryption keys, which are not stored on the device. This means an attacker in possession of a device can’t get access to data in certain protection classes without the passcode.
The passcode is tangled with the device’s UID (unique identifier of your device), so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than 5 years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers, or 21 years for a nine-digit passcode with numbers only.

To further discourage brute-force passcode attacks, the iOS interface enforces escalating time delays after the entry of an invalid passcode at the Lock screen. Users can choose to have the device automatically wiped after 10 failed passcode attempts.
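The passcode stretching described above, as an added sketch that is not Apple's implementation: PBKDF2-HMAC-SHA256 stands in for the key derivation, and a constructed `SAMPLE_DEVICE_UID` stands in for the device's UID. It calibrates an iteration count to the quoted 80 milliseconds and works out what that cost means for different passcode policies, including the chance of a lucky guess before the optional wipe after 10 failed attempts.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample value standing in for a per-device secret (assumption).
SAMPLE_DEVICE_UID = bytes.fromhex("a1" * 32)


def derive_key(passcode: str, device_uid: bytes, iterations: int) -> bytes:
    """Stretch the passcode together with a device-unique value.

    Software stand-in only: PBKDF2-HMAC-SHA256 with the UID as salt. Because
    the UID is an input, the same passcode yields a different key on every
    device, so a guess cannot be checked without that device's UID.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                               device_uid, iterations)


def calibrate_iterations(target_seconds: float = 0.080,
                         probe_iterations: int = 20_000) -> int:
    """Pick an iteration count so one derivation costs about target_seconds
    on the machine running this code."""
    start = time.perf_counter()
    derive_key("0000", SAMPLE_DEVICE_UID, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))


def exhaustive_search_years(alphabet_size: int, length: int,
                            seconds_per_attempt: float = 0.080) -> float:
    """Time to try every passcode of exactly `length` symbols, in years."""
    return alphabet_size ** length * seconds_per_attempt / SECONDS_PER_YEAR


def guess_success_probability(alphabet_size: int, length: int,
                              attempts: int = 10) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random
    passcode, e.g. the 10 tries allowed before an automatic wipe."""
    return min(1.0, attempts / alphabet_size ** length)


def policy_report(seconds_per_attempt: float = 0.080) -> dict:
    """Compare passcode policies at a fixed cost per attempt."""
    policies = {
        "4-digit PIN": (10, 4),
        "9-digit numeric": (10, 9),
        "6-char lowercase+digits": (36, 6),
    }
    return {
        name: {
            "years_to_exhaust": exhaustive_search_years(a, n, seconds_per_attempt),
            "p_guess_before_wipe": guess_success_probability(a, n),
        }
        for name, (a, n) in policies.items()
    }


if __name__ == "__main__":
    print("iterations for ~80 ms here:", calibrate_iterations())
    for name, row in policy_report().items():
        print(f"{name:26s} {row['years_to_exhaust']:.6f} years, "
              f"p(10 guesses) = {row['p_guess_before_wipe']:.2e}")
```

At 80 ms per attempt the six-character case comes out at about 5.5 years and nine digits at about 2.5 years, while a four-digit PIN is exhausted in under 14 minutes, which is why the escalating delays and the optional wipe matter for short PINs.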

20130801-090617.jpg

For details about passcode policies, see the

iPhone Configuration Utility documentation

For more details regarding further suitable settings of your device see my blog

Emergency Guide

The article contains download links for the related mind map visualizing all recommended settings.

2 Activating Find My iPhone service …

The first thing you will probably do is look up where your mobile device actually is by using Apple’s Find My iPhone service. But if the thief is at all smart he won’t give you a chance to find your iPhone or iPad. Instead of leaving Find My iPhone on, the thief might turn it off and/or factory reset/wipe the device themselves. If the goal is to resell the device and not steal your personal information, this method is pretty handy.

You never heard of Apple’s Find My iPhone feature?

Here is a short visualized description.

These settings only work after turning on iCloud.
Admittedly this feature only works if your iPhone (or iPad) is connected to the internet.
So don’t forget to activate the option ‘Notify me when found’.

3 Setup Restrictions …

You find this security feature under Settings – General – Restrictions. There you can prevent different settings of your device from being changed. If a thief has already hacked the device’s unlock code, he is confronted with another barrier, the 4-digit passcode for restrictions. If you use this recommended feature, enter a 4-digit passcode which is different from your device’s unlock code to improve security. See my mind map ‘Emergency Guide’ for details about functions for which access should be restricted or, in other words, for which changes are not allowed.

There is no question that you usually will not get your iPhone back if it’s stolen. Additionally, many thieves are professionals, so your iPhone will usually be reset to factory settings and all the actions you took to secure your device are useless.

What did Apple add to iOS 7?

The new feature ‘Activation Lock‘, which works alongside Find My iPhone, should make it much harder for iPhone thieves to use or even resell stolen phones. If the thief hacked your unlock code and wants to resell the iPhone he usually goes to Settings – General – Reset and resets all settings. That means the iPhone can be easily activated with a new Apple ID.

Activation Lock in iOS 7 now won’t let that happen because your iPhone is now bound to your Apple ID and cannot be reactivated without this ID and the related password. This makes iPhones worthless to thieves (at this time!).

20130801-101138.jpg

It starts working the moment you turn on Find My iPhone. With Activation Lock, your Apple ID and password will be required before anyone can:

  • Turn off Find My iPhone on your device
  • Erase your device
  • Reactivate and use your device

This can help you keep your device secure, even if it is in the wrong hands, and can improve your chances of recovering it. Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission. All you need to do is keep Find My iPhone turned on, and remember your Apple ID and password.

We have to keep in mind that the efficacy of activation lock as a deterrent is directly tied to how many potential thieves know it exists. Few bad guys are going to think twice about snatching iPhones until many bad guys know that they won’t be able to sell the things afterwards.

This feature is only available for devices compatible with iOS 7. That means the iPhone 4, iPhone 4S, iPhone 5, iPad 2, iPad 3, iPad 4, the iPad Mini, and the iPod Touch 5th generation and up are all compatible. Everyone else will need to keep a better eye on their stuff.

Requirements …

Does activation lock mean that you never can resell your iPhone if you upgraded to a newer model?

No. Activation lock can be removed by going to Settings – General – … and deactivating the feature by entering your Apple ID and your password. This must be done before reselling the device!

Reselling your device …

Before you resell your device follow these steps:

Method 1
You can remove all settings and information from your iPhone, iPad, or iPod touch by going to Settings – General – Reset and tapping on Erase All Content and Settings.

If you wish to recover the data again, ensure that you have an iCloud or iTunes backup and that it’s up to date.

Newer devices running on iOS 5 and later support hardware encryption. Erasing the device means removing the encryption key that protects the data. This process takes just a few minutes.

Method 2
Use iTunes to restore your iPhone to factory settings.

Plug the phone into a computer running iTunes and wait for it to appear in the ‘Devices’ section of the iTunes sidebar. Select the iPhone from the sidebar and then make sure you’re on the “Summary” tab. Under ‘Version’ select ‘Restore‘. You’ll receive a pop-up dialog informing you that this step will erase your phone and reset it to factory settings. Click Restore to continue.
iTunes will now download the latest firmware for the iPhone, which may take several minutes depending on your connection speed. Once downloaded, iTunes will automatically begin the restore process during which your phone will reboot twice. After the process is completed, the phone will appear in iTunes as a new device and ask you for a device name. Before entering any information, disconnect the phone. It has now been wiped of your personal information and is ready for sale.

Reset …

Keep in mind that a reset (to factory settings with all data being erased) is different from the reset which is necessary if the device gets stuck, meaning it’s not responding or not operating as expected. This troubleshooting assistant can help you resolve these most common issues:

  • Display remains black or blank
  • Touch screen not responding
  • Application unexpectedly closes or freezes

Because it fits the context, here are the steps to reset your device without erasing data:

Press and hold the Sleep/Wake button and the Home button at the same time for at least 10 seconds, until the Apple logo appears.

To just restart the iPhone (after it gets stuck), first turn iPhone off by pressing and holding the Sleep/Wake button until a red slider appears. Slide your finger across the slider and iPhone will turn off after a few moments. Next, turn iPhone on by pressing and holding the Sleep/Wake button until the Apple logo appears. Then enter your passcode and the PIN of your SIM card.

An overview …

Over the years Apple has improved its security features, and today its computer operating system OS X as well as the mobile operating system iOS are seen as the most secure approaches on the market. See this overview of security features of all components of Apple’s ecosystem.

20140704-061234-22354121.jpg

Feel free to download this map from my Box account.

The alternative file formats have been created with iThoughts for iOS (.ITMZ file format). Compatibility to other tools is limited. The DOCX file format is suggested for those who don’t use a mind mapping tool. The file contains the image as well as a detailed outline of all topics.

Application and file format:

  • Adobe Reader: PDF
  • Apple iWork/Microsoft Word: DOCX
  • iThoughts: ITMZ
  • MindManager: MMAP
  • XMind: XMIND

Summary …

Activation Lock is a first step to reduce crime caused by smartphones. It’s another innovative step by the company, and other manufacturers have to follow.

Nothing is really secure today. It’s an ongoing fight between hackers improving their knowledge and companies finding the (ultimate) next step to protect users from attacks. So it’s only a question of time until professional thieves figure out a way to circumvent Apple’s new anti-theft solution.

So even with Activation Lock I recommend keeping a watchful eye on your device, which is the best added protection besides all the other security settings mentioned in my mind map ‘Emergency Guide’.

Related links …

The Apple ID

Every app is an island

2-Step Verification

Fingerprint Technology

Emergency Guide

Apple about iOS Security
for more technical details of the operating system.

Glad to have you here on iNotes4You.
Thanks for visiting my blog.





Point.io

5 10 2013

Point.io offers an enterprise Backend-as-a-Service (BaaS) platform (launched on July 16, 2013) and Enterprise Gateway products for specialized enterprise mobile application development. Focused on document management and workflow, the platform is designed to help enterprises embrace BYOD while maintaining control of their content.

Bring your own device (BYOD) means the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications.

Since the Point.io Gateway handles all secure communication across the firewall, a VPN is no longer required. Users have access to more types of remote storages, including behind-the-firewall repositories like SharePoint, FTP, SFTP, Google Drive and Amazon S3.

20130729-073549.jpg

In addition to its platform launch, Point.io is unveiling two new partnerships. The first is with Stratospherix. The other is with TheHostingPros, which is offering a free SharePoint site when a Point.io account is set up.

FileBrowser by Stratospherix is one of the top-ten most-downloaded apps in the Utilities section of The App Store. The company has over 600,000 users in 60 countries. FileBrowser is now powered by Point.io and includes all the features of the Point.io platform.

I first take a look at the native app of Point.io because I think it should contain the main features and give an overview of what the company’s service is intended for.

The native app Point.io …

Starting in July 2013 the version 1.001 of Point.io was offered for iPhone only.
The app has an ugly design but can be used to show how the platform works.

After installing the app on an iPad I noticed some mysterious behaviors:

– available storage sites are different on iPhone and iPad
– access to Dropbox and Box was not possible on the iPhone
– switching from portrait to landscape mode on the iPad mostly doesn’t work
– files on Google Drive cannot be displayed
– file transfer from one storage site to another is not possible

Here is a complete update list from July to October 2013:

20130923-085659.jpg

Features announced by Point.io:

  • 1 You can see all your storage connections in one place. For example, Point.io provides a combined view of Box and SharePoint and will be adding additional storage locations such as Dropbox and Documentum in the coming weeks.
  • 2 With Point.io, you get access to your documents on any mobile device, from anywhere, regardless of where the document is stored.
  • 3 Share any file with anyone using secure links. Precisely control what any person can do with your files at all times (e.g. print, edit, save).
    • There is no need to ever send file attachments again.
  • 4 Remove access to any file(s) as soon as they have been used for their intended purpose. Prevent any loss of control over your documents – your files always stay on your network.
  • 5 Ensure control and security over your documents, even when others use their own mobile devices (BYOD).

An interesting application is sending a document not as an attachment but as a secured link.
This feature is new and provided neither by current file management apps nor by any well-known cloud client apps for Box, iDriveSync, Dropbox, Google Drive, etc.

20130729-073742.jpg

About FileBrowser …

With FileBrowser, the iPad or iPhone becomes a powerful tool for business and private use, allowing users to access content on company file servers, workstations or cloud storage from anywhere. The FileBrowser app is easy to use and allows files to be downloaded, edited and uploaded back to the original location or distributed to other employees, partners or customers. With FileBrowser, users can access their documents from their mobile device and no longer need to take bulky laptops to meetings or out of the office when visiting clients.

Let’s take a look at the universal app FileBrowser by Stratospherix, UK.
FileBrowser is the only file management app with Point.io integration at this time.
The best way to summarize all the features is to visualize them in a mind map.

Feel free to download the complete mind map in the following file formats:

PDF

ITMZ (Native format of iThoughts)

MMAP (Mindjet)

XMIND (XMind)

FileBrowser lets you create an account on Point.io.

20130729-101007.jpg

Stratospherix announced …

FileBrowser’s integration with the Point.io platform provides real benefits for users. With Point.io, access is simpler than ever before – users need only enter a single username and password to gain access to all their file servers and cloud storage locations.

At this time this announcement is far from reality. Once more an app was released although it doesn’t yet meet the basic requirements of users. This is definitely the best way to lose favor with customers or to lose customers. A basic rule of app development was ignored: Release when finished.

Note
See my article
App Development + Marketing

Summary …

What are the benefits when using Point.io?

For private use with an installed version of FileBrowser your file management will look like this if and only if your different cloud accounts are supported by Point.io and, in case of connections to Windows networks, a suitable gateway is installed on the server:

20130729-124751.jpg

A benefit?
As you can see, just one Point.io account is necessary to access different cloud storages and Windows network drives. Instead of listing your connections in the left navigation window they are now listed on the right side. Unsupported accounts have to be configured as usual and will still appear in the left navigation section of FileBrowser.

This image shows the situation without using Point.io but VPN:

20130729-131800.jpg

A benefit?
Point.io says that a VPN connection is no longer needed. I cannot see any benefit in that because VPN is a well-functioning and developed technique which is secure and totally controlled by yourself. If connecting via Point.io there is an additional security risk with services and tools of Point.io.

Definitely no benefits!
At this time other disadvantages are the incompleteness of services and some mysterious behaviors of FileBrowser on the iPad (no feedback when loading large files) and of FileBrowser in general when accessing files on Google Drive (No display, Point.io operation failed, Error retrieving file info, Folder not found).

So the only remaining benefits are:

  • Supported cloud storages on multiple devices require just one configuration for Point.io.
    Access to Point.io then enables access to all storages configured on Point.io.
  • Sharing options increasing security like
    Allow/Disallow Print, Download Original File, Download as PDF, Expiry Date, Screen Capture, Password
    These sharing options control the level of access granted by this link.

What should be mentioned is that FileBrowser is still a powerful app with a perfect UI.
Stratospherix would be well-advised not to move Point.io integration into the foreground as they did when releasing version 2.9.1 on July 18, 2013.

Videos about Point.io …

Point.io ad

Point.io with FileBrowser

Related links …

Point.io

Stratospherix

Thanks for dropping by.







