Security made by Apple

12 10 2013

Today smartphones are often used to save all the data you need in the digital world. Ring binders, box files, and slips of paper are out. Your device then might be more valuable than your wallet containing cash and credit cards.

Huffington Post reports that about 1.6 million iPhones were stolen in the U.S. last year. UK magazines report over 160 iPhones, and over 314 mobile phones are stolen in London every day. Law enforcement has previously criticized Apple and other mobile phone providers for not offering better mobile phone security or embedding persistent technology to prevent phones from being inoperable once they are stolen.

Finding technical solutions that will remove the economic value of stolen smartphones is critical to ending of violent street crimes commonly known as ‘Apple Picking‘.

You can be lucky if a less sophisticated thieve simply takes your device to make some free calls before you can report and your carrier blocks the SIM card. Then he sells your device and the new proud owner begins setting up the device as a new iPhone with a new Apple ID.

But there are also very bad guys behaving like terrorists and trying to destroy everything they are able to. A victim could suffer humiliation, identity theft, and lifetime suspension from services and social networks.

Loosing a device with sensitive data may compromise your identity in the digital world followed by severe problems with law.

At WWDC 2013, Apple unveiled Activation Lock, a new feature in iOS 7 that locks stolen phones even after thieves wipe them.

Apple’s Craig Federighi (CEO Software Development) …
We think this is going to be a really powerful theft deterrent.

Apple on its website …
Losing your iPhone feels lousy. Thankfully, Find My iPhone can help you get it back. But if it looks like that’s not going to happen, new security features in iOS 7 make it harder for anyone who’s not you to use or sell your device. Now turning off Find My iPhone or erasing your device requires your Apple ID and password. Find My iPhone can also continue to display a custom message, even after your device is erased. And your Apple ID and password are required before anyone can reactivate it. Which means your iPhone is still your iPhone. No matter where it is.

First let’s have a look on what the actual features of iOS are to prevent that your data are compromised?

  • 1 Using a string-based complex Unlock Code
  • 2 Activating Apple’s Find My iPhone service
  • 3 Setup Restrictions with an unlock code different from the device’s unlock code

Additionally a secure password keeper like 1Password is an indispensable tool if you save credentials for banking accounts, E-Mail accounts, and websites on your device what is frequently done because your mobile device is always with you.

1 Using an Unlock Code …

Device Access …

iOS supports flexible security policies and configurations that are easily enforced and managed. This enables enterprises to protect corporate information and ensure that employees meet enterprise requirements, even if they are using devices they’ve provided themselves (BYOD).

Passcode Protection …

In addition to providing a cryptographic protection, passcodes prevent unauthorized access to the device’s UI.

By default, the user’s passcode can be defined as a four-digit PIN. Users can specify a longer, alphanumeric passcode by turning on Settings – General – Passcode – Complex Passcode. Longer and more complex passcodes are harder to guess or attack, and are recommended not only for enterprise use.

By setting up a device passcode, the user automatically enables Data Protection. iOS supports four-digit and arbitrary-length alphanumeric passcodes. In addition to unlocking the device, a passcode provides the entropy for encryption keys, which are not stored on the device. This means an attacker in possession of a device can’t get access to data in certain protection classes without the passcode.
The passcode is tangled with the device’s UID unique identifier of your device), so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than 5 years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers, or 21 years for a nine-digit passcode with numbers only.

To further discourage brute-force passcode attacks, the iOS interface enforces escalating time delays after the entry of an invalid passcode at the Lock screen. Users can choose to have the device automatically wiped after 10 failed passcode attempts.

20130801-090617.jpg

For details about passcode policies, see the

iPhone Configuration Utility documentation

For more details regarding further suitable settings of your device see my blog

Emergency Guide

The article contains download links for the related mind map visualizing all recommended settings.

2 Activating Find My iPhone service …

The first action you probably do is to look where your mobile device actually is by using Apple’s Find My iPhone service. But if the thief is at all smart he won’t give you a chance to find your iPhone or iPad. Instead of leaving Find My iPhone on, the thief might turn it off and/or factory reset/wipe the device themselves. If the goal is to resell the device and not steal your personal information, this method is pretty handy.

You never heard of Apple’s Find My iPhone feature?

Here is a short visualized description.

These settings only work after turning on iCloud.
Admittedly this feature only works if your iPhone (or iPad) is connected to the internet.
So don’t forget to activate the option ‘Notify me when found’.

3 Setup Restrictions …

You find this security feature when going to Settings – General – Restrictions. There you can prevent different settings of your device from being changed. If a thief already hacked the device’s unlock code he again is confronted with a barrier, the 4-digit passcode for restrictions. If you use this recommended feature enter a 4-digit passcode which is different from your device’s unlock code to improve security. See my mind map ‘Emergency Guide’ for details about functions for which access should be restricted or in other words, changes are not allowed.

It’s out of question that you usually will not get back your iPhone if it’s stolen. Additionally many thieves are professionals so that your iPhone usually will be reset to factory settings and all the actions you undertook to secure your device are useless.

What did Apple add to iOS 7?

The new feature ‘Activation Lock‘, which works alongside Find My iPhone, should make it much harder for iPhone thieves to use or even resell stolen phones. If the thief hacked your unlock code and wants to resell the iPhone he usually goes to Settings – General – Reset and resets all settings. That means the iPhone can be easily activated with a new Apple ID.

Activation Lock in iOS 7 now won’t let that happen because your iPhone now is bound to your Apple ID and cannot be reactivated without this ID and the related password. This makes iPhones worthless to thieves (at the time!).

20130801-101138.jpg

It starts working the moment you turn on Find My iPhone. With Activation Lock, your Apple ID and password will be required before anyone can:

  • Turn off Find My iPhone on your device
  • Erase your device
  • Reactivate and use your device

This can help you keep your device secure, even if it is in the wrong hands, and can improve your chances of recovering it. Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission. All you need to do is keep Find My iPhone turned on, and remember your Apple ID and password.

We have to keep in mind that the efficacy of activation lock as a deterrent is directly tied to how many potential thieves know it exists. Few bad guys are going to think twice about snatching iPhones until many bad guys know that they won’t be able to sell the things afterwards.

This feature is only available for devices compatible with iOS 7. That means the iPhone 4, iPhone 4S, iPhone 5, iPad 2, iPad 3, iPad 4, the iPad Mini, and the iPod Touch 5th generation and up are all compatible. Everyone else will need to keep a better eye on their stuff.

Requirements …

Does activation lock mean that you never can resell your iPhone if you upgraded to a newer model?

No. Activation lock can be removed by going to Settings – General – … and deactivating the feature by entering your Apple ID and your password. This must be done before reselling the device!

Reselling your device …

Before you resell your device follow these steps:

Method 1
You can remove all settings and information from your iPhone, iPad, or iPod touch by going to Settings – General – Reset and tapping on Erase All Content and Settings.

If you wish to recover the data again, ensure that you have an iCloud or iTunes backup and that it’s up to date.

Newer devices running on iOS 5 and later support hardware encryption. Erasing the device means removing the encryption key that protects the data. This process takes just a few minutes.

Method 2
Use iTunes to restore your iPhone to factory settings.

Plug the phone into a computer running iTunes and wait for it to appear in the ‘Devices’ section of the iTunes sidebar. Select the iPhone from the sidebar and then make sure you’re on the “Summary” tab. Under ‘Version’ select ‘Restore‘. You’ll receive a pop-up dialog informing you that this step will erase your phone and reset it to factory settings. Click Restore to continue.
iTunes will now download the latest firmware for the iPhone, which may take several minutes depending on your connection speed. Once downloaded, iTunes will automatically begin the restore process during which your phone will reboot twice. After the process is completed, the phone will appear in iTunes as a new device and ask you for a device name. Before entering any information, disconnect the phone. It has now been wiped of your personal information and is ready for sale.

Reset …

Keep in mind that a reset (to factory settings with all data being erased) is different from a reset which is necessary if the device stucks that means it’s not responding or not operating as expected. This troubleshooting assistant can help you resolve these most common issues:

  • Display remains black or blank
  • Touch screen not responding
  • Application unexpectedly closes or freezes

Because it’s in the context here are the steps to reset your device without erasing data:

Press and hold the Sleep/Wake button and the Home button at the same time for at least 10 seconds, until the Apple logo appears.

To just restart the iPhone (after it stucks) first turn iPhone off by pressing and holding the Sleep/Wake button until a red slider appears. Slide your finger across the slider and iPhone will turn off after a few moments. Next, turn iPhone on by pressing and holding the Sleep/Wake button until the Apple logo appears. Then enter your passcode and the PIN of your SIM-Card.

An overview …

Over years Apple improved security features and today it’s computer operating system OS X as well as the mobile operating system iOS are seen as the most secure approaches on the market. See this overview of security features of all components of Apple’s ecosystem.

20131011-093759.jpg

Feel free to download this mind map.

The alternative file formats have been created with iThoughts HD for iPad (.ITMZ file format). Compatibility to other tools is limited.

Application File format
Adobe Reader PDF
iThoughts ITMZ
MindManager MMAP
XMind XMIND

Summary …

Activation Lock is a first step to reduce crime caused by smartphones. It’s another innovative step of the company and other manufacturers have to follow.

Nothing is really secure today. It’s an ongoing fight between hackers improving their knowledge and companies finding the (ultimate) next step to prevent users from attacks. So it’s a question of time that professional thieves will figure out a way to circumvent Apple’s new anti-theft solution.

So even with Activation Lock I recommend to keep an observing eye on your device which is the best added protection beside all the other security settings mentioned in my mind map ‘Emergency Guide’.

Related links …

The Apple ID

Emergency Guide

Apple about iOS Security
for more technical details of the operating system.

Glad to have you here on iNotes4You.
Thanks for visiting my blog.





Point.io

5 10 2013

Point.io offers an enterprise Backend-as-a-Service (BaaS) platform (launched on July 16, 2013) and Enterprise Gateway products for specialized enterprise mobile application development. Focused on document management and workflow, the platform is designed to help enterprises embrace BYOD while maintaining control of their content.

Bring your own device (BYOD) means the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications.

Since the Point.io Gateway handles all secure communication across the firewall, a VPN is no longer required. Users have access to more types of remote storages, including behind-the-firewall repositories like SharePoint, FTP, SFTP, Google Drive and Amazon S3.

20130729-073549.jpg

In addition to its platform launch, Point.io is unveiling two new partnerships. The first is with Stratospherix. The other is with TheHostingPros, which is offering a free Sharepoint site when a Point.io account is setup.

FileBrowser by Stratospherix is one of the top-ten most-downloaded apps in the Utilities section of The App Store. The company has over 600,000 users in 60 countries. FileBrowser is now powered by Point.io and includes all the features of the Point.io platform.

I first take a look on the native app of Point.io because I think it should contain the main features and gives an overview of how the company’s service is intended for.

The native app Point.io …

Starting in July 2013 the version 1.001 of Point.io was offered for iPhone only.
The app is ugly designed but can be used to show how the platform works.

After installing the app on an iPad I recognized some mysterious behaviors:

- available storage sites are different on iPhone and iPad
- access to Dropbox and Box was not possible on the iPhone
- switching from portrait to landscape mode on the iPad mostly doesn’t work
- files on Google Drive cannot be displayed
- file transfer from one storage site to another is not possible

Here is a complete update list from July to October 2013:

20130923-085659.jpg

Features announced by Point.io:

  • 1 You can see all your storage connections in one place. For example, Point.io provides a combined view of Box and SharePoint and will be adding additional storage locations such as Dropbox and Documentum in the coming weeks.
  • 2 With Point.io, you get access to your documents on any mobile device, from anywhere, regardless of where the document is stored.
  • 3 Share any file with anyone using secure links. Precisely control what any person can do with your files at all times (e.g. print, edit, save).
    •There is no need to ever send file attachments again.
  • 4 Remove access to any file(s) as soon as they have been used for their intended purpose. Prevent any loss of control over your documents – your files always stay on your network.
  • 5 Ensure control and security over your documents, even when others use their own mobile devices (BYOD).

An interesting application is sending a document not as an attachment but as a secured link.
This feature is new and provided neither by actual file management apps nor by any well-known cloud client apps for Box, iDriveSync, Dropbox, Google Drive, etc.

20130729-073742.jpg

About FileBrowser …

With FileBrowser, the iPad or iPhone becomes a powerful tool for business and private use, allowing users to access content on company file servers, workstations or cloud storage from anywhere. The FileBrowser app is easy to use and allows files to be downloaded, edited and uploaded back to the original location or distributed to other employees, partners or customers. With FileBrowser, users can access their documents from their mobile device and no longer need to take bulky laptops to meetings or out of the office when visiting clients.

Let’s take a look on the universal app FileBrowser by Stratospherix, UK.
FileBrowser is the only file management app with Point.io integration at the time.
The best way to summarize all the features is to visualize them in a mind map.

Feel free to download the complete mind map in the following file formats:

PDF

ITMZ (Native format of iThoughts)

MMAP (Mindjet)

XMIND (XMind)

FileBrowser allows to create an account on Point.io.

20130729-101007.jpg

Stratospherix announced …

FileBrowser’s integration with the Point.io platform provides real benefits for users. With Point.io, access is simpler than ever before – users need only enter a single username and password to gain access to all their file servers and cloud storage locations.

At the time this announcement is far away from reality. One more time an app was released although it doesn’t meet the basic requirements of users yet. This is definitely the best way to lose favor with customers or to lose customers. A basic rule of app development was ignored: Release when finished.

Note
See my article
App Development + Marketing

Summary …

What are the benefits when using Point.io?

For private use with an installed version of FileBrowser your file management will look like this if and only if your different cloud accounts are supported by Point.io and, in case of connections to Windows networks, a suitable gateway is installed on the server:

20130729-124751.jpg

A benefit?
As you can see there is just one Point.io account necessary to access different cloud storages and Windows network drives. Instead of listing your connections in the left navigation window they are now listed on the right side. Not supported accounts have to be configured as usual and will still appear in the left navigation section of FileBrowser.

This image shows the situation without using Point.io but VPN:

20130729-131800.jpg

A benefit?
Point.io says that a VPN connection is no longer needed. I cannot see any benefit in that because VPN is a well-functioning and developed technique which is secure and totally controlled by yourself. If connecting via Point.io there is an additional security risk with services and tools of Point.io.

Definitely no benefits!
At the time other disadvantages are the incompleteness of services and some mysterious behaviors of FileBrowser on the iPad (no feedback when loading large files) and FileBrowser in general when accessing files on Google Drive (No display, Point.io operation failed, Error retrieving file info, Folder not found).

So the only remaining benefits are:

  • Supported cloud storages on multiple devices require just one configuration for Point.io.
    Access to Point.io then enables access to all storages configured on Point.io.
  • Sharing options increasing security like
    Allow/Disallow Print, Download Original File, Download as PDF, Expiry Date, Screen Capture, Password
    These sharing options control the level of access granted by this link.

What should be mentioned is that FileBrowser is still a powerful app with a perfect UI.
Stratospherix would be well-advised not to move Point.io integration into the foreground as they did when releasing version 2.9.1 on July 18, 2013.

Videos about Point.io …

Point.io ad

Point.io with FileBrowser

Related links …

Point.io

Stratosherix

Thanks for dropping by.





iPhone Configuration Utility

23 09 2013

iPhone and iPad are often seen as gadgets.
The reality is also that many companies successfully integrate mobile devices in the company’s IT infrastructure to improve business processes.
Apple offers some tools which help companies to manage their mobile devices. Theses tools are mainly for configuration purposes and take into account that mobile devices for business use have to fulfill strong security requirements and should be configurable from a central point instead of doing this for each single device.

Apple
iPhone Configuration Utility (iPCU) lets you easily create, maintain, encrypt, and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs.

Configuration profiles are XML files that contain device security policies, VPN configuration information, Wi-Fi settings, APN settings, Exchange account settings, mail settings, and certificates that permit iPhone and iPod touch to work with your enterprise systems.

Note
Apple’s iPhone Configuration Utility can also be used for configuring the iPhone of your daughter or son to set some useful age-dependent limitations like access to the App Store or other requirements like using a strong passcode for unlocking the device. This prevents some severe troubles if the device gets stolen or lost.

With the iPCU you can create so-called profiles which can be transferred directly to a device, saved to a cloud storage from which they can be installed, or simply sent to the destination device by E-Mail as an attachment. Tapping on the attachments then starts the installation procedure.

I want to show you how Apple’s iPhone (and iPad) Configuration Utility basically works.

Installation …

You can download the free app iPCU for Mac or PC here:

iPhone Configuration Utility Mac

iPhone Configuration Utility Windows

Note
The screenshots were taken from the German version as it was not possible to install an English version. Sorry about that.

After installing the application the home screen looks like this:

20130514-082442.jpg

Among others it shows all technical details of your device as well as profiles configured in former sessions.

Feature overview …

With iPCU you can configure important settings of Apple’s mobile devices and deploy them later. Here is a brief feature overview. You will see all the configuration options when clicking on Provisions and select a profile.

  • 01 General Settings
  • 02 Passcode Setting
  • 03 Restriction Settings

    Allow installing apps
    When this option is off, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their apps using the App Store or iTunes.

    Allow use of camera
    When this option is off, cameras are completely disabled and the Camera icon is removed from the Home screen. Users can’t take photographs or videos, or use FaceTime.

    Allow screen capture
    When this option is off, users can’t save a screenshot of the display.

    Allow voice dialing
    When this option is off, users can’t dial their phone using voice commands.

    Allow In-App purchase
    When this option is off, users can’t make in-app purchases.
    Force user to enter store password for all purchases
    Requires users to enter their Apple ID password before making any purchase. Normally, there’s a brief grace period after a purchase is made before users have to authenticate for subsequent purchases.

    and more

  • 04 WiFi Settings
  • 05 VPN Settings
  • 06 E-Mail Settings
  • 07 Exchange ActiveSync Settings
  • 08 LDAP Settings
  • 09 CalDav Settings
  • 10 Subcribed Calendars Settings
  • 11 CardDav Settings
  • 12 WebClip Settings
  • 13 Credentials Settings
  • 14 SCEP Settings
  • 15 MDM Settings
  • 16 APN Settings

Creating a profile …

I took an easy example for explaining the basic actions of configuring, deploying, and using iPCU.

Let’s create a configuration profile for an icon on the homescreen which allows to directly edit an E-Mail and send it to a given recipient.
We can do so using the section WebClip Settings.

Transferring and using a profile …

To transfer the profile to an iOS device you can

  • transfer it directly by connecting the device via the USB connector
  • send the profile (an XML file) as an attachment to an E-Mail account accessible from the iOS device

By tapping on the attachment the installation process starts.
Follow the instructions shown during installation.

20130514-083528.jpg

When exporting a profile iPCU allows to generate the profile with the following options regarding security:

  • 1 without
  • 2 sign profile
  • 3 sign and encrypt profile for (just) this device

If the .mobileconfig file is signed it can be installed by any device, as long as the profile hasn’t been altered. So signing a profile is an essential security feature.
Once installed, the profile can be updated only by a profile that has the same identifier and is signed by the same copy of iPhone Configuration Utility, which provides the certificate.

If the profile is signed a ‘Verified‘ note appears if you go to Settings – General – Profiles and select the profile immediately after installation.

Useful Links …

He are some further links for those who are interested in using iOS devices in businesses:

Mobile Device Management

iOS Deployment Scenarios

iPad @ Work

iPad @ Work Vol 2

Apps @ Work

Thanks for visiting http://iNotes4You.com.
Comments and Likes are highly appreciated.





Fingerprint Technology

12 09 2013

Many publishing media predicted that Apple would introduce the fingerprint scanner for it’s model iPhone 5S presented on Apple’s Keynote on September 10, 2013. Rumors were based on a patent application in 2012 and leaked images posted in publishing media around the world.

20130911-073254.jpg

General information …

A friction ridge is a raised portion of the epidermis on fingers consisting of one or more connected ridge units of friction ridge skin.

These epidermal ridges serve to amplify vibrations triggered, for example, when fingertips brush across an uneven surface, better transmitting the signals to sensory nerves involved in fine texture perception. These ridges may also assist in gripping rough surfaces and may improve surface contact in wet conditions.

The flexibility of friction ridge skin means that no two finger prints are ever exactly alike in every detail.

Identification …

Fingerprint identification, known as dactyloscopy is the process of comparing two impressions of friction ridge skin impressions from human fingers to determine whether these impressions could have come from the same individual.

Since the early 20th century, fingerprint detection and analysis has been one of the most common and important forms of crime scene forensic investigation. More crimes have been solved with fingerprint evidence than for any other reason.

The procedure for capturing a fingerprint using a sensor consists of rolling or touching with the finger onto a sensing area, which according to the physical principle in use (optical, ultrasonic, capacitive, or thermal) captures the difference between valleys and ridges.

The electronic scan is the more modern way to take prints.

All the possible methods can be grouped into two major families:

  • Solid-State fingerprint readers
  • Optical fingerprint readers.

When a finger touches or rolls onto a surface, the elastic skin deforms. The quantity and direction of the pressure applied by the user, the skin conditions and the projection of an irregular 3D object (the finger) onto a 2D flat plane introduce distortions, noise and inconsistencies in the captured fingerprint image.

These problems result in inconsistent, irreproducible and non-uniform irregularities in the image.

During each acquisition, therefore, the results of the imaging are different and uncontrollable. The representation of the same fingerprint changes every time the finger is placed on the sensor plate, increasing the complexity of any attempt to match fingerprints, impairing the system performance and consequently, limiting the widespread use of this biometric technology.

In order to overcome these problems, as of 2010, non-contact or touchless 3D fingerprint scanners have been developed. Acquiring detailed 3D information, 3D fingerprint scanners take a digital approach to the analog process of pressing or rolling the finger. By modelling the distance between neighboring points, the fingerprint can be imaged at a resolution high enough to record all the necessary details. It’s done by sophisticated software which digitizes analogous information.

Features of a fingerprint …

In biometrics and forensic science, minutiae are major features of a fingerprint, using which comparisons of one print with another can be made.

The major Minutia features of fingerprint ridges are

  • ridge ending
  • bifurcation
  • short ridge (or dot).

20130910-152724.jpg

The ridge ending is the point at which a ridge terminates. Bifurcations are points at which a single ridge splits into two ridges. Short ridges (or dots) are ridges which are significantly shorter than the average ridge length on the fingerprint. Minutiae and patterns are very important in the analysis of fingerprints since no two fingers have been shown to be identical.

The software …

Pattern based algorithms compare the basic fingerprint patterns (arch, whorl, and loop) between a previously stored template and a candidate fingerprint. This requires that the images be aligned in the same orientation. To do this, the algorithm finds a central point in the fingerprint image and centers on that. In a pattern-based algorithm, the template contains the type, size, and orientation of patterns within the aligned fingerprint image. The candidate fingerprint image is graphically compared with the template to determine the degree to which they match.

The importance …

Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals. They are often categorized as physiological versus behavioral characteristics. Physiological characteristics are related to the shape of the body. Examples include, but are not limited to fingerprint, face recognition, DNA, hand geometry, iris recognition, retina etc. Behavioral characteristics are related to the behavior of a person, including but not limited to: typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics to describe the latter class of biometrics.

Since biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods.

Performance …

The following are used as performance metrics for biometric systems.

  • FAR or FMR
    false acceptance rate or false match rate

    It’s the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. In case of similarity scale, if the person is imposter in real, but the matching score is higher than the threshold, then he is treated as genuine that increase the FAR and hence performance also depends upon the selection of threshold value.
  • FRR or FNMR
    false rejection rate or false non-match rate

    It’s the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected.
  • ROC
    receiver operating characteristic or relative operating characteristic

    The ROC plot is a visual characterization of the trade-off between the FAR and the FRR. In general, the matching algorithm performs a decision based on a threshold which determines how close to a template the input needs to be for it to be considered a match. If the threshold is reduced, there will be fewer false non-matches but more false accepts. Correspondingly, a higher threshold will reduce the FAR but increase the FRR. A common variation is the Detection error trade-off (DET), which is obtained using normal deviate scales on both axes. This more linear graph illuminates the differences for higher performances (rarer errors).
  • EER or CER
    equal error rate or crossover error rate

    It’s the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.
  • FTE or FER
    failure to enroll rate

    It’s the rate at which attempts to create a template from an input is unsuccessful. This is most commonly caused by low quality inputs.
  • FTC
    failure to capture rate

    Within automatic systems, the probability that the system fails to detect a biometric input when presented correctly.

From theory to reality …

Are you ready to unlock your iOS device by using the fingerprint technology?

Honestly said, I was not when I saw all the rumors and read all the articles about the reliability of this technology. That’s why I published a bet on Google+.

Is it really a unique biometrical identifier?

It might be but that’s not the first question which has to be answered. It’s the question whether the detection method and the underlying software keeps the assumed uniqueness under all conditions like temperature, degree of contamination, age, etc.

Scientists say …

No completely accurate method exists. Current methods only can tell us with a degree of certainty if two fingerprint images match.

Access can be denied because of the following reasons …

  • 1 Displacement
  • 2 Rotation
  • 3 Partial overlap
  • 4 Non-linear distortion
  • 5 Variable pressure
  • 6 Skin condition
  • 7 Noise and feature extraction errors

So it’s indispensable to offer an alternative access method which usually is a more old-fashioned but also more secure way to get access.

Since 2011, Atrix smartphones from Motorola have included a fingerprint scanner in the power/lock button. But the devices also require users to set a recovery PIN, which highlights how enterprising attackers might simply attempt to crack that, instead of trying to fool with fingerprints.

The Informationweek
A fingerprint reader, could definitely make life more convenient by freeing users to not have to enter the four-digit passcode or a complex alphanumeric passphrase.

That’s because entering a passcode or passphrase on a smartphone is a usability chore. Blame small screen size and the absence of tactile feedback, which make it all too easy to “fat-finger” a virtual keyboard, especially when entering long passphrases.

Fingerprint scans, obviously, could eliminate the need to enter a complex password, arguably without compromising access security. One crucial related success factor, however, will be speed. If the average user employs a four-digit iPhone passcode and can enter it in less than a second, then the new biometric feature will need to be faster. Otherwise, the majority of users will stick with a faster option, which for many continues to involve no passcode at all.

From a hardware standpoint, making a fingerprint scanner small enough and fast enough to meet that requirement will be a challenge. Notably, less expensive fingerprint scanners tend to involve swiping a sensor, which serves the dual purpose of also keeping the sensor clean. Apple’s description of the feature describes a user “touching the home button with their thumb,” and such technology is trickier to package in an iPhone form factor. “Full-finger scanners are more expensive as they must have the necessary resolution to scan your entire finger in one go,” noted ExtremeTech, “and they also have a tendency to get crudded up, because you’re not constantly cleaning them with a swiping action.”

Furthermore, the technology — unless packaged in dedicated, standalone devices like the eyeball and fingerprint scanners used in some airports — remains unproven. “Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods” in non-dedicated, mass-produced devices, says SMS authentication pioneer Andy Kemshall, technical director at SecurEnvoy, via email. “The technology simply isn’t sophisticated enough.”

The solid state technology, younger than the optical one, has the undoubted advantage of allowing a greater miniaturization of the scanner, and this makes it more well-suited for the integration into small devices like smartphones and tablets.

  • Sensing area
    Manufacturing large and pure silicon chips is difficult and rather expensive; therefore, the solid state sensors nowadays available in the market are characterized by a small area.
  • Robustness and lifetime
    The silicon surface is in direct contact with the finger, or sometimes protected by a very thin coating, makes the solid state scanners rather weak with respect to mechanical damages or (in the case of capacitive sensor) to electrostatic charges. For a solid state scanner the cost of the sensing elements is dominant. The lifetime of a solid state scanner is usually shorter than optical’s.
  • Maintenance
    Solid state scanners need a more frequent cleaning, to remove from the sensor surface deposits of grease or dirt left from the fingers which highly deteriorate the quality of the acquired images.

Apple’s solution …

Apple purchased the company AuthenTec, Melbourne, Florida, in 2012. This company is specialized on fingerprint technology and so the essential know-how to use the technology in iOS devices was transferred to Apple.
The U.S. Patent and Trademark Office on July 18, 2013, published one of the first AuthenTec patent applications assigned to Apple, with the property describing an advanced method of fingerprint identification that can be implemented into a mobile device.

20130911-071755.jpg

Apple is the first company to bring a well-functioning fingerprint sensor (Touch ID)) to a smartphone.

Motorola Mobility implemented one such sensor into the back of its 2011 flagship the Motorola Atrix, which allowed users to swipe their fingers across it to unlock the device. The crucial issue though was that the sensor itself seemed awfully finicky and wouldn’t always correctly accept a user’s finger inputs. That little stumbling block ultimately meant that the fingerprint sensor wound up being more hassle than it was worth in most cases.

The home button of the iPhone 5S is now made of sapphire glass to reduce the potential for damaging one of the 5S’ most notable features, and it’s bounded by a steel detection ring that determines when your finger is on the home button and fires up the Touch ID sensor. Touch ID is also capable of keeping tabs of multiple different fingerprints. This is quite useful if the device is e.g. used by family members.

Mikey Campbell (AppleInsider)
(2 days before Apple’s announcement)

There stands a variety of ways to accomplish biometric fingerprint readings, including the stereotypical “swiping” motion made famous in movies, as well as methods using optical, thermal, pressure and capacitive measurements, among others. AuthenTec, which Apple purchased in 2012 for $356 million, uses a few different capture methods in its products, though the tech most likely to be used in the iPhone doesn’t involve swiping. Typical methods of swipe authentication, usually direct capacitance, involve a thin “strip” sensor that captures and stitches together multiple images of a fingerprint as a user sweeps their finger across the sensing plate. With direct capacitance, an electrical field is applied to the sensor, which detects ridges and valleys — the skin structures that form fingerprint whorls — by measuring variations in capacitance at the sensor plate. Lower capacitance denotes skin that is farther from the sensor, or valleys, while higher capacitance is associated with ridges.

A more accurate and robust method of capture is called radio frequency field sensing, or AC capacitance. Like direct capacitive sensing, this technique also measures capacitance of a sort, but the similarities end there. Instead of measuring the effect on an electrical field, a low frequency RF signal is inserted into the finger and received by the sensor. In this case, RF signal strength captured by the pixel traces are measured and the corresponding data is translated to form an image of the print.

Benefits of RF field/AC capacitance sensing include static non-swipe readings, resistance to dust and capability for the sensor to operate even when covered by layers of protective material. These types of sensors are usually larger in size to allow for a wider capture area.

Mike, you said,

It remains wholly unknown if Apple has incorporated this particular fingerprint technology into the next-gen iPhone …

but you hit the nail right on the head. You are definitely an AppleInsider.

Summary …

We now have the fingerprint sensor in Apple’s iPhone 5S, the flagship of the company. The technology is quite complicated but the engineers of AuthenTec and Apple solved all the problems and Apple is rehabilitated as an innovative company. And it’s not only the fingerprint sensor that can be seen as a breakthrough but also the 64 Bit processor architecture, and, and, and.

Regarding security everyone should know that the fingerprint is stored on the device only in a digitized format and does not go the way into iCloud when backing up a device. Authorities like “Nothing Secure Any longer” may knock on Apple’s door but the fingerprint remains a secret of the A7 processor.

20140210-134437.jpg

Feel free to download this map summarizing essential points from my Box account.

The alternative file formats have been created with iThoughts HD for iPad (.ITMZ file format). Compatibility to other tools is limited.

Application File format
Adobe Reader PDF
Apple iWork/Microsoft Office DOCX
iThoughts ITMZ
MindManager MMAP
XMind XMIND

Where’s the beef?

The technology is quite complicated and we heard scientists saying the technology isn’t reliable. But Apple implemented it.

Are Apple’s and AuthenTec’s technicians magicians?

Well, I cannot assess this issue. But as a programmer I know that the software digitizing the scanner’s more or less precise information can be excellent or a bit more fault-tolerant. So the system works seamlessly but is not qualified to take a UNIQUE impression of the fingerprint.
It just works (the companies slogan when introducing Mac OS X in 2007) if the number of measured points is low but it goes along with a decreased quality and it’s likely that uniqueness gets lost.

Related links …

Touch ID Security

Using Touch ID

Apple Patent, acquired from AutheTec

Motorola Fingerprint Scanner

Solid State Fingerprint Sensor National Institute of Standard and Technology, USA

Handbook of Fingerprint Recognition Konda Jayashree, University of Nevada, Reno

Fingerprint Recognition Andrew Ackermann, University of California, Los Angeles

If you visited my site with your mobile device, I promise not to abuse your fingerprint you left behind on my website when using your touchscreen.

Thanks for dropping by.





Emergency Guide

15 07 2013

Today smartphones are often used to save all the data you need in the digital world.
Ring binders, box files, and slips of paper are out. Your device then might be more valuable than your wallet containing cash and credit cards.

If you save sensitive data on your iPhone it’s a MUST to secure and backup them.
For backing up your device regularly use iCloud or iTunes.
For preventing unauthorized access by third parties follow the instructions described in this article.

What can happen if your device gets stolen?

Bad guys may access

  • data enclosed in documents
  • E-Mails and SMSs
  • banking accounts
  • a low cost password keeper like Safety Notes

and more up to the amount of information stored on your device.

You can be lucky if a less sophisticated thieve simply takes your device to make some free calls before you can report and your carrier blocks the SIM card. Then he sells your device and the new proud owner begins setting up the device as a new iPhone with a new Apple ID.

But there are also very bad guys behaving like terrorists and trying to destroy everything they are able to. A victim could suffer humiliation, identity theft, and lifetime suspension from services and social networks.

Loosing a device with sensitive data may compromise your identity in the digital world followed by severe problems with law.

In Germany for example you have to explain yourself if you did not follow well-known security advices and you are automatically partially at fault when it comes to court proceedings.

Also keep in mind that

increased security goes along with decreased usability
So it’s recommended to firstly set the highest level of security and then, as a well-considered decision, decrease it step by step.

Murphy’s law ‘Anything that can go wrong, will go wrong’ is still valid.

With all this in mind, learn what you should do when the black day comes and what you can do prior to your device being lost or stolen. Here is a mind map with all essentials.

20131203-130105.jpg

Please tap on these magnified parts of the map to see the details.

Feel free to download this map from my Box account.

The alternative file formats have been created with iThoughts HD for iPad (.ITMZ file format). Compatibility to other tools is limited.

Application File format
Adobe Reader PDF
iThoughts ITMZ
MindManager MMAP
XMind XMIND

Secure use of the browser …

Many accounts are accessed by using the installed browser on your device.

Say NO if your browser asks you to save credentials for an account on your device.

In case of an unlocked device thefts have full access to all web-based services for which you saved the credentials to access them more more easily but with high risk.

If you want to delete already existing credentials see my article
Managing website data

It’s recommended to use a high-end password keeper like 1Password (by AgileBits Inc.) and access sensitive web-based data only via the integrated browser. So your credentials remain in a highly secured part of your device’s memory.

2-Step Verification …

Your Apple ID is the key to a lot of things you do with Apple, so it’s important that only you have the ability to access your account details, update your password, or make other changes to your account. Two-step verification is a feature you can use to keep your Apple ID account as secure as possible.

Two-step verification is an optional security feature for your Apple ID.
It requires you to verify your identity using one of your registered devices before you can:

  • Sign in to My Apple ID to manage your account.
  • Make an iTunes, App Store, or iBookstore purchase from a new device.
  • Get Apple ID-related support from Apple.

Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account.

Detailed information for 2-Step Verification on

Apple: 2-Step Verification

IMEI, ICCID, Serial Number …

You should know the IMEI, the ICCID and the Serial Number when reporting a stolen or lost device.

IMEI or International Mobile Station Equipment Identity is a unique number. It’s used by a GSM network to identify a devices and therefore can be used for stopping a stolen phone from accessing that network. If an IMEI is set on a blacklist gets useless on the network of your carrier and sometimes other networks too, whether or not the phone’s SIM is changed.

ICCID or Integrated Circuit Card Identifier, which identifies each SIM globally and unique

Your back-up inside iTunes of your iOS device will show both of your IMEI and Serial Number. Inside iTunes go to Edit – Preferences and under Devices, hover your mouse over the last backup and both numbers will show up, this works even though there is no iOS device connected to iTunes present.

You can also visit your Apple Support Profile to find a list of Serial Numbers for devices you purchased or registered with your Apple ID.

My Support Profile

The IMEI will neither be shown here nor on your carriers contract or invoices. To retrive the IMEI of an iOS device, if you still have it, go to Settings – General – About where the Serial Number, the IMEI, and the ICCID is shown.

From my point of view it’s a lack in the security concept to easily access these unique numbers which could be used to identify the owner if it would only be shown in a secured environment.

Keep all these numbers at a secure place and ensure that you have access to them and all the relevant emergency numbers even if you are on travel.

Find my iPhone …

Apple’s free app Find My Phone is the only way to loacate any lost or stolen iPhone or iPad. However, this requires that Find My Phone be setup and activated BEFORE your phone was lost or stolen. If your phone has been restored or is not connected to the internet, then there is no way to locate it.

To install Find My iPhone go to the App Store.
The app is a universal app that means you can install it on all of your iOS devices and you should do so.

To activate Find My iPhone go to Settings – iCloud and turn the switch Find My iPhone to ON.

For using features of Find My iPhone you need a computer with internet connection and have to login on https://www.icloud.com/ using your Apple ID.

Access to your device via Find my iPhone is also available from another iOS device. Just open the app, tap on Sign Out (from the owners account), tap on Sign In and enter your Apple ID and password.
You can then use the app’s features Play Sound, Lost Mode, and Erase Device.

With Play Sound you can force the device to play a sound at full volume for two minutes regardless of your volume settings even if the device is locked.
If you are favored by fortune you here the sound coming from you bathroom. Maybe your device just wanted to get rid of all the bullshit which came with ad mails.

With Lost Mode you can enter a phone number where you can be reached. It will be shown on the device you are searching for. If you just lost your device you may be lucky and someone calls you back.

It’s highly recommended to alway Sign Out from Find My iPhone after usage. All features are still available but third parties will have no access. The only way to stop this service is to disable Find My iPhone in Settings – iCloud – Find My iPhone.

Reporting …

Apple cannot help you here and does not maintain a database of lost or stolen Apple products with which it would be possible to block or track devices.

Report IMEI, Serial Number, Phone Number, and ICCID to

  • the police
  • your carrier
  • your insurance company, if you have one
  • the Apple support

and immediately change the Password of your Apple ID and your banking accounts.

Note
Changing your other passwords might be the next worst case scenario.
Maybe you use your Google mail address to sign in to many accounts.
Changing the password causes some days or weeks to reenable access to all of your accounts.
I myself did it once and I tell you, it’s near to a disaster.
So use complex passwords and protect them with a #1 password keeper like 1Password for iOS.

Then lock your SIM Card via your carrier’s hotline AFTER trying to delete the device with the app Find my iPhone or the corresponding functionality on Apple’s iCloud website. By locking the SIM Card phone calls and cellular internet connections are no longer possible.

Only if you are sure you just misplaced the device use the ‘Play Sound’ or ‘Lost Mode’ feature. If you are not sure a theft would see that you started your search and if he is a professional he would cut the internet connection and with this stops all your remaining options to keep the damage as low as possible.

Replaced SIM card …

If the bad guy replaces your SIM Card it doesn’t affect any services connected to your Apple ID. That means:

  • 1 iCloud backups are still present (and block space)
  • 2 Syncing Reminders, Contacts, Calendars, iWork documents, and other data where syncing is supported and turned on across all of your devices with the same Apple ID still works
  • 3 Purchasing from Apple’s stores is still possible.

Keep in mind that blocking a SIM card just affects services provided by your carrier.

Here are some screenshots of Find My iPhone where my primarily used SIM card from the German provider Telekom was replaced by my second SIM card from DTAC, Thailand. As long as the iPhone is not connected to the internet it’s not locatable. It’s locatable again if an internet connection (in this case I connected it via a public WiFi) is established. If the option ‘Notify Me When Found’ is activated you will get a popup message on your other device (in this case my iPad) as well as an E-Mail which contains the successful location on a map. The E-Mail is sent to your E-Mail account you entered when applying an Apple ID.

Note
If this account is also configured on the lost device even your lost device get’s this E-Mail, but the bad guy wouldn’t see the incoming mail if you deactivated the display of new mails in your device’s notification center.

20130509-170313.jpg

Apple’s service Find My iPhone is not affected by any type of SIM cards but only by your Apple ID and the activation of the related service in Settings.

Online status of your stolen/lost device …

If you want to find out whether your stolen/lost device is connected to the internet use Find My iPhone on https://www.icloud.com/ or on another iOS device, your new or your friends one.

If you try to locate the device you and there it’s not connected to the internet the app shows you the ‘Old location’ and after some seconds displays the option ‘Notify Me When Found’. Activate the checkbox and you will get a message (as a popup, containing: Find My iPhone Alert/Device has been found) when the location process succeeds. Some minutes later you will get an additional E-Mail showing the location on a map.
So you are informed that the bad guy went online.
Then try to erase the device.

Further questions …

There are some pending questions e.g.

  • What should you do if someone hacked your Apple ID?
  • What happens with your purchases, registered products, Apple Care Protection Plan, and your data on iCloud if you apply for a new Apple ID?

My researches weren’t really successful when it came to qualify the answers as just an opinion or an actually validated procedure of the author.
In case of doubt don’t read the uncountable articles you will find in the internet. Contact the Apple support and prior to this read these articles:

Here are some questions where I myself validated the answers:

How can I delete the iCloud backup of a stolen device?
If you are using the same Apple ID on your new device go to Settings – iCloud – Storage + Backup – Manage Storage – Your Device and tap on ‘Delete Backup’.

How can I change the password of my Apple ID?
You can change your password by going to Settings – iTunes + App Stores and tap on Apple ID. Follow the instructions there.
Alternatively you can do so via any browser by visiting

Managing your Apple ID

For more information about the Apple ID see my article

The Apple ID

Summary …

The most important advice is to follow all the instructions that hamper an unlocking of your device. Once someone gets access to the device’s functionalities and apps you will have a really dark day.
Access to everything you had access to without using a password can be accessed by others. So best practice is to use a complex Unlock Code instead of a simple 4-Digit-Code (see the link below to Daniel Amitay’s website).

Keep highly sensitive information off your device and use the more old-fashioned methods as reminders.

Your carrier can help you blocking your SIM card.

Apple could help you by blocking all services related to your Apple ID.
But there is need for significant improvement when it comes to identification of customers. There is still no secure verification process which ensures that you are the person you say you are. Apple’s support is thus limited to advise you to change your password.

So I only can recommend to look at all options you have for securing your Apple ID.

Useful links …

Related links …

Security made by Apple

If you visit iNotes4You with your mobile device keep an eye on it.
I don’t want to loose readers.

Thanks for dropping by.





Notes on Encryption

10 02 2013

Apple released its 1st iPhone in 2007.

At this time people mainly saw it as a processor-based gadget for mobile gaming.
At the time, just five years later, our devices are interconnected, and that linking where everything can access everything is the dark side of this technology. All that connectivity makes it much easier for an attacker to compromise all our data, no matter where it is.
Tons of bits are streamed through the ether containing some useful information for bad guys. It often seems that most of the users don’t care. Around the world there was and is and intensive discussion about Google’s Street View infringing the privacy. On the other hand people send unencrypted E-Mails with data worth being protected. What is the reason for this contrariness?
Even well informed people often turn off the brain-settings for security. Why?
Well, following all these security advices hampers fast communication and provision of information. To enter your credentials 50 times a day is hard work, if you don’t let the browser save it for you.
Howsoever, everybody has to go the way he wants to go.

For those, who always hear the word ENCRYPTION but do not really know what it is should continue reading this post.

A simple encryption method …

20130107-173952.jpg

When you see this encryption you might say: forget it, encrypting my password with Caesar’s cipher is like committing hara-kiri.
If you think so, try to decrypt this encrypted word where the shift is not 3 … PWOVUL
I will help you. You are on iNotes4You.com so there can only be one iOS device with 6 letters.
This is a well-known product name and for real words it is not so difficult to decrypt. But think about your password which might be an artificial combination of letters. Then you have to start a brute force attack that means: try all possible shifts for digits (9) at an ATM until you get money or starve to death.

Here you can try a more complex method online …

https://www.maxa-tools.com/crypt/crypt.php

A fully secure encryption method does not exist.
But you can extend the time someone finds out the right key with a powerful computer to millions of years. So we can talk of a secure technique.

Symmetric and asymmetric encryption …

There are two basic techniques for encrypting information: symmetric encryption (also called secret key encryption) and asymmetric encryption (also called public key encryption).

Symmetric Encryption

Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

Asymmetric Encryption

The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

Any message (text, binary files, or documents) that are encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.

About Digital Certificates

To use asymmetric encryption, there must be a way for people to discover other public keys. The typical technique is to use digital certificates (also known simply as certificates). A certificate is a package of information that identifies a user or a server, and contains information such as the organization name, the organization that issued the certificate, the user’s e-mail address and country, and the user’s public key.

When a server and client require a secure encrypted communication, they send a query over the network to the other party, which sends back a copy of the certificate. The other party’s public key can be extracted from the certificate. A certificate can also be used to uniquely identify the holder.

How to use certificates for a secure E-Mail communication see my blog

S/MIME Secure E-Mail communication

Further information …

1 Password Password Management App

Apple about iOS-Security

Ars Technica Apple Holds the Key

MIT Technology Review





Managing Website Data

14 01 2013

Saving usernames and passwords on your device is a comfortable feature of browsers as you can access websites without filling in your credentials every time you visit the site.

Unfortunately there are no detailed descriptions about credentials stored on an iOS-Device neither in the iPad User Guide or help texts in the Settings section nor on Apple’s website ‘Support’. For a normal user without deep technical knowledge the Settings section is very confusing and definitely not self explaining.

20121226-110835.jpg

The different functionalities are based on different actions websites may initiate. In general you cannot know what actions take place when you open a website. It’s specific for the website. Let’s look on the cookies first.

Quoting Wikipedia HTTP Cookies

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity. Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user had taken in the past. This can include clicking particular buttons, logging in, or a record of which pages were visited by the user even months or years ago.
Although cookies cannot carry viruses, and cannot install malware on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories — a major privacy concern that prompted European and US law makers to take action in 2011.
Other kinds of cookies perform essential functions in the modern Web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in under. Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate himself by logging in. The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie’s data to be read by a hacker, used to gain access to user data, or used to gain access (with the user’s credentials) to the website to which the cookie belongs.

This article will answer the following questions …

  • Where are the passwords when you open a website, enter your credentials and say YES answering the question of your browser ‘Would You like to save this password?’.
  • How can saved passwords be deleted from your device?
  • What is the best practice to set up the device?

Your iOS-Device can save your usernames and passwords for different websites. The browser can then automatically complete the sign-in fields for you when you next visit these websites. This is highly comfortable but it’s a risky undertaking and you may compromise yourself.

Locations of saved credentials …

Local
The passwords are stored in the iOS-Keychain of your device.
If you have more than one iOS-Device the credentials of one device are not synced with another device via iCloud. On every device you have save your credentials separately.
iCloud
All your credentials are stored in the encrypted iCloud-Backup of your device but only if you use an unlock code for the device. If not, you have to fill in your credentials again if you restore an iCloud- or iTunes-Backup.

Available Settings for Safari …

To manage your passwords and the ability to or not to save them go to
Settings – Safari.

Turning on the AutoFill – Option …

You may turn on the AutoFill option if you often visit websites where you have to sign in first. If this option is turned on you will be asked whether your device should save the login information or not.

20121226-114855.jpg

It is highly recommended not to save credentials for online banking, online shops or other websites containing sensitive data.

Deleting all saved credentials …

Go to Settings – Safari – AutoFill (section General) – Clear All

Deleting the data for a specific website …

Go to Safari, scroll down to Advanced and tap on Edit to delete the stored data for a specific site.

20121226-113427.jpg

This in general does not delete the credentials you provided for the website.
The feature is not described in the user manual and its a bit cloudy what this function really does. So do not use it.

Summary …

  • The only way to delete all website credentials from your device is:
    Go to Settings – Safari – AutoFill and tap on Clear All
  • McAfee Best Practices for Avoiding iOS Security Issues
  • Use a password keeping application with an integrated browser like 1Password (AgileBits) to securely access websites managing personal data of you.
  • As you can see there is a lack in iOS because there is no functionality for deleting all data (credentials, cookies and other data) of a specific website. If you go to Safari – Advanced – Website Data and delete the data for e.g. apple.com your username and your password will still be available when opening the site.

If you are interested in some technical details …

Apple iOS Security Basics





The cloudy iCloud

8 01 2013

Some years ago, the word cloud mostly related to the clouds in the sky, now it immediately makes me think of Data Clouds. Although a recent study totally contradicts this saying that most people think it is run on actual clouds in the sky. Most businesses manage their data in the cloud, because it’s an easy way to collaborate and all the information is accessible anywhere and anytime from any platform. Private users use cloud services like Dropbox, Google Drive, Box and SkyDrive to easily share or backup pictures, music and documents. Although these solutions are easy and often reliable, how much of your private data do you really want to entrust to big corporations?

When it comes to privacy, there is a very fine line of knowing what these companies are doing with your data and whose hands are actually on it. Security breaches have been very common and they aren’t going anywhere. Sometimes it’s not the question of will someone steal your data, it’s when will they steal your data.

iCloud is one of the largest improvements ever made to increase usability and productivity of electronic devices.

But …

Are my backups and synced data secure on iCloud?

What this blog contains …

  • The simple answer
  • Some details about iCloud-Security
  • The good news
  • The worse news
  • The Apple ID
  • Summary
  • An example how it should be
  • Attachments
    Encryption techniques
    Recommendations
    Managing data with iWork

20121216-162309.jpg

The simple answer …

The simple answer is that your data is at least as safe as it is when stored on any remote server, if not more so. All data is transferred to computers and mobile devices using secure sockets layer via WebDAV, IMAP or HTTP. All data (except E-Mail and Notes) are stored and encrypted on Apple’s servers. Secure authentication tokens are created on mobile devices to retrieve information without constantly transmitting a password.

Some details about iCloud-Security …

(quoted from Apple’s Terms and Conditions for iCloud)

Access to Your Account and Content
Apple reserves the right to take steps Apple believes are reasonably necessary or appropriate to enforce and/or verify compliance with any part of this Agreement. You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users, a third party, or the public as required or permitted by law.

This means that Apple employees have the technical ability to read your data.

There may be procedural, technical, or policy controls to make this unlikely, but the capability is there. That means that if Apple’s cloud ever gets compromised by a sophisticated attacker, the attacker could potentially access all your data. In other words, any data breach or accident on Apple’s part could potentially expose your data. This may not be too likely but even respected companies like Google have been breached. A breach or other exposure of the iCloud servers is not unthinkable.

E-Mails and Notes are not stored in encrypted form, while on Apple’s servers. This might be dangerous as E-Mails often contains sensitive information (e.g., account passwords, reset links, etc.).

When Government comes knocking Apple will not be transparent about requests for access to your data and not telling users when their data has been disclosed to the government.

The risks are not limited to government requests.
If you get sued, or end up in a contentious divorce, the opposing party’s lawyers could subpoena your data from Apple, and Apple would be required to disclose it to them, if they are relevant to the case. But who knows it before investigating the contents?

The good news …

Data is encrypted using SSL while it is transferred (in transit) between your computer and the iCloud servers. Also, data is encrypted while it is stored on the iCloud servers (at rest).

The worse news …

iCloud uses server-side encryption, not client-side encryption. When sending data to the cloud, it gets encrypted on your machine with SSL, then decrypted at the iCloud servers, then re-encrypted using an encryption key that only Apple knows for storage.

The Apple ID …

The security of your data on iCloud is only as good as the passphrase on your Apple ID.
Therefore, if you want your data to be secure, you need to choose a long and strong passphrase. Unfortunately, there are some aspects of the current systems that tend to nudge users towards choosing short, weak passphrases.

    The OS refuses to store this passphrase in the keychain, requiring you to type it in frequently. If you use an iOS-Device, you will frequently need to type in your Apple ID passphrase (e.g., every time you install or update an app). Because entering a long and strong passphrase is a major pain on an iPhone, many users may end up choosing a short, poor passphrase just for convenience sake — which unfortunately leaves their iCloud data poorly secured. So, the current design may tend to encourage many users to use a weak password, leaving their data at risk.

Summary …

iCloud’s security practices are largely in line with mainstream practice in this area. iCloud appears to have a reasonable and professionally designed security architecture. While there are some security risks, for most people, iCloud’s security is likely to be good enough, and the convenience benefits of iCloud will likely outweigh any risks for most folks.

However, storing your data in the cloud does increase the risk. For some particularly sensitive users (health records, financial institutions, lawyers, etc.) it might be prudent to avoid storing the most sensitive data in the cloud.

An example how it should be …

The solution are apps which already store their data encrypted on your device and use the highest level of iOS Protection classes that is ‘Accessible only when Unlocked’ (disadvantage: syncing won’t start happening immediately when your phone is turned on) and ‘Non-migratable’ (disadvantage: if you migrate all of your device settings and data to a different device you will have to re-enter the password).
These data will be, let me say DOUBLE-ENCRYPTED, when transferred to iCloud and stored there. They cannot be accessed with server-side keys only.
An example is 1Password (AgileBits) for managing passwords, bank accounts and beyond.

20121217-160953.jpg

Interested people even with less technical understanding should read these articles about security design basics …

AgileBits Cloud Storage Security

Lost iPhone and Safe Passwords

Attachments …

Encryption techniques …

Full-strength, randomly generated, user-managed key
This is the most secure setting. Access to the full server data gives the attacker no useful information. Unfortunately, it is also the most difficult to use. Enabling a new device requires coordination with an existing device. If users lose all of their devices, e.g. if they only have one device and it breaks, there’s no way to recover.

Password-derived key
The data is encrypted with a key derived from the user’s password. This is not as secure as the previous setting, since most user passwords are not nearly as strong as full-strength crypto keys. However, as my colleague Brian Warner is exploring, it may be possible to still make it quite expensive to break into a single user’s dataset, and prohibitively expensive to go fishing for data across many user accounts. Usability is significantly increased: a user can set up a new device simply by typing in their password. However, the crypto conundrum remains: lose your password, lose your data.

Server-side security (applied to Apple’s iCloud)
Users don’t manage keys, and servers technically have access to the user data. A number of techniques can be used to meaningfully restrict the chance of a leak (e.g. disk encryption or other type of encryption where the server holds the key somewhere.) Security against insider attackers is not nearly as high as with the two previous solutions. This is, of course, how almost every service on the Internet works today. It is the only model that maps to user intuition, where a user can forget their password, lose their devices, and still recover. Apple holds the (encryption) key!

Turn off apps which should not sync their data using iCloud or which should not include their data into iCloud backups. To do this go to

Settings – iCloud – Storage + Backup – Manage Storage – Your device

and deactivate all apps which data you do not want to be handled by iCloud services.
Do something similar with data of Apple’s pre-installed apps
(Mail, Calendars, Contacts, Reminders, Safari, Notes, Photo stream).
But if you do so you will loose all the benefits coming with iCloud.

Recommendations …

Consider three vulnerabilities …

  • Access in accordance with Terms and Conditions of the cloud provider
  • Stealing of the device
  • Hacking of your device
  • Hacking of the cloud storage

To keep your data secure there is no simple workaround.
But you can do your best with theses settings and keeping your sensitive data away from apps not supporting encryption.

  • Use a strong password for you Apple ID even if it is not convenient
  • Use an Unlock Code for your device
  • Use the Auto-Lock option for time-based automatic locking
  • Use unlock codes for lockable apps managing sensitive data
  • Do not use cloud storages for saving data managed by apps not supporting encryption already on your device

If your thoughts are still in turbulence …
Keep your devices under lock in Fort Knox, switch them off and lock the door with your one and only key. Don’t loose the key!

Managing data with iWork …

The most powerful setting is using the iCloud service for syncing iWork-Documents across your devices. It’s simple and automatic and predestined for frequent usage of different devices.

But keep in mind that these documents should not contain sensitive data as they are NOT DOUBLE-ENCRYPTED like those of the app 1Password mentioned above.

As an alternative manage sensitive data e.g. in NUMBERS and exclude this application from iCloud syncing and iCloud backup. To back up the data use iTunes with a strong backup password.

Note
Another solution would be to store iWork documents highly encrypted via WebDAV on a cloud storage which does not use server-side encryption. At the time Apple does not support this feature.

20121216-211438.jpg





S/MIME Secure E-Mail communication

27 11 2012

If you want to communicate via E-Mail in a secure way, activate S/MIME for your E-Mail-Account in the settings of your iOS-Device. S/MIME was first introduced by Apple in iOS 5.

The problem …

Maybe you experienced an E-Mail from a friend where the subject line seems a little odd. Upon opening the E-Mail you noticed that it was SPAM. Somehow a spammer was able to use your friends E-Mail address (spoofing an address) which, understandably, made you feel comfortable enough to open and read the message. These experiences forced the need for having a more secure form of E-Mail.

If you send a letter through the post office do you simply print a piece of paper and drop off in a mailbox, or do you put it in an envelope? If you are worried about people reading your message, why do you send an email without a ‘virtual envelope‘? As an email passes through routers, switches, and from one mail server to another without it being inside a virtual ‘envelope’ (thus encrypted), anyone could look at your letter.

How it works …

Secure/Multipurpose Internet Mail Extensions (S/MIME) can secure your mail by encrypting a message at the source and only decrypting it once it’s in the hands of the receiver. S/MIME also supports digital signatures, so you can know for sure who sent the message and that it wasn’t changed in transit.

If S/MIME is activated the iOS-Mail application will show a little checkmark (within a gearwheel) after the sender’s name if a message was signed.

If something is wrong with the certificate or the message was changed after it was signed, iOS-Mail displays the senders name in red followed by an open padlock.

A common reason for signature failures is people using self-signed certificates or using CAcert, which isn’t considered a trusted authority by Apple and others.

The bad news is that you normally have to pay for a Digital ID from a Certificate Authority (CA) e.g. VeriSign.

If certificates are cheap (or even free) the certificate authority only checks whether the person requesting a certificate is actually in control of the E-Mail address in question, with no actual identity checking.

What you need …

A Class 1 Digital ID e.g. from Symantec/VeriSign.

The process from APPLY to INSTALL …
20121113-110418.jpg

How to install …

  • Apply for a Digital-ID.
  • Wait for confirmation and issue. It may last up to several days depending on the verification strategy of the CA.
  • CA issues your digital certificate for installation on a PC/Mac.
    Follow the instructions of CA, when you get the download link for your certificate.
  • Install the certificate in the certificate storage of Safari/Internet Explorer.
  • Export it using file format PFX.
  • Send the PFX-File as an attachment to the appropriate E-Mail-Account (the account the certificate was applied for).
  • Open it on your iOS-Device and tap on the attachment (PFX-File).
  • iOS identifies this format as an importable Identity Certificate for installation as a Profile. Follow the instructions. Pay no heed to any strange message.
  • Turn on S/MIME-Option.
    Two additional sections (Sign, Encrypt) will be displayed.
  • Turn on Sign and Encrypt.
    You can select one of the certificates you own a private key for. Clicking it puts a checkmark next to it and this is the certificate that will be used to sign all outgoing messages from this account.

How to communicate securely …

  • Send a Mail to the recipient.
  • The Recipient must install your certificate (by tapping on the sender’s name) for future secure communication.

20121113-122142.jpg

Additional information …

  • Apple has chosen to not indicate that a message was signed in the standard configuration under iOS. To enable this feature, you have to go into the Settings… Account… Advanced for each E-Mail-Account, and then enable S/MIME. If you have other iOS-Devices you have to repeat all steps for every device.
  • Recipients will get an attachment smime.p7s if you send an E-Mail with your certificate. This attachment can be ignored.
  • iOS doesn’t automatically store the certs of people who sent a signed E-Mail to you. Instead, when someone has sent you a signed message, you have to tap the sender’s name and then you can install the certificate for future use. If you try to send a message to someone you don’t have a certificate for while encryption is enabled, their name turns red to alert you to the problem. A lock icon indicates that a message was encrypted.

Related links …

Apple about S/MIME

IBM about S/MIME

Thanks for visiting iNotes4You.








Follow

Get every new post delivered to your Inbox.

Join 152 other followers

%d bloggers like this: