Hi Ben, By all means, disagree, I may be entirely wrong, I just don't think I am. You write: Not security theater at all. If you are seriously insinuating that a casual Google search will allow your run of the mill mugger to bypass your passcode and or touch ID in a way that allows them to access your data then I'd be very interested in hearing some specifics.
I could be saying that a casual Google search would allow the run of the mill mugger to bypass a passcode, it would be true for some versions of iOS, but I'm not saying that. Obviously, the original poster's issue was not a security hole at all, but that doesn't mean that there haven't been exactly such holes in the past and I would be absolutely stunned if there weren't any in future. I'm not terribly concerned about the run of the mill mugger because he's already been given multiple headaches to the point where he may well not want the phone. First, in Canada, the United States, and the UK at least, he's going to have to get the phone out of the country given that all three countries block by IMEI. Secondly, even if he does get the phone to somewhere it can be used, given that a great deal of the phone's value is in the apple systems, anyone activating it is going to have a hard time if I've reported it as lost. Now I'm sure that these things can be overcome somehow, but is it worth it for under $500? That is, let's say that there was a way through which the IMEI could be changed, and then a way in which Apple could be fooled, or a server set up, so that the phone could act exactly like a good, non-blacklisted, iPhone. Would that be worth doing, even on a large scale, to get phones that would have to go for under $500? I can buy a known-good iPhone for less than that, why would I buy a sketchy one for the same price or higher? Honestly, I don't see the point of stealing an iPhone for sale. I may well be wrong, but I think the mugger who wants to sell the phone would be making a bad bet without any passcode being involved. He would only know about the passcode after the theft, so he'd know he was making a bad bet before he grabbed my phone. As for the three letter agencies, they wouldn't want the phone, but rather the information on it. I'm sure they could bypass a passcode with great ease, even assuming they couldn't get what they wanted from the wire. Also, I'm of no importance to them, and if I were, I wouldn't use my phone for anything at all, it would probably be best not to have a phone. So a passcode won't protect me from them, either. The only thing a passcode could plausibly be for in actual security, rather than security theatre, would be to protect against the middle range, the jealous wife, the angry business partner, the irritated teenager... The lower end of the range has already been protected against, while the higher end of the range is too difficult to protect against if you're going to use mobile phones at all. Here is where I say that a passcode is just security theatre. Even assuming that one has the said wife/business partner, and even assuming that the user has updated to the latest version of iOS, and even assuming that the Google search doesn't turn up anything about that version, there are many companies which claim to have software that would spy on your iPhone. They would undoubtedly come up on Google. If you are close enough, physically, to the person you're spying on so as to have unrestricted physical access to the phone, you can very probably manage to get it in a state where it's unlocked, know the person well enough to guess the passcode, fool the person into compromising the phone, install a sniffer on the network... Basically, if my problem is that I'm involved with people who are physically close to me and who I don't trust or don't trust me, I have bigger problems than my phone, I need to sort things out elsewhere. As I said to Sieghard, even security theatre may be of use, consider the two-year old who just loves to press numbers or the cleaner who wants to know what emails you're getting. What I'm saying is that it shouldn't be relied on as real security and, given the inconvenience of entering the code, I don't use it. Other people may find it useful to have it, but I would put some thought, in anyone's position, in relying on it. You write: As a side note, I'd wager that my iPhone is more secure than your average computer due to the amount of control that Apple has at a very low level. I wouldn't take the other side of that wager. In fact, I would join you in it if you don't mind. You are almost certainly correct, the iPhone is more secure than the average computer. That is setting the bar very low, though, most computers are hopelessly insecure. Many people simply have a Windows password protecting their machines. To say that the iPhone is more secure than most computers is like saying that a heart attack is less painful than the death of a thousand cuts. Great as far as it goes but it doesn't go too far. I should also say that the iPhone is not at all secure against Apple themselves. The amount of data they can collect makes me shudder. If I weren't blind, I would never use such a thing. You write: Additionally, with all due respect, whilst we could debate the definition of secure data, I'd wager that you might not be aware of quite how much data iOS stores without making it overly clear to you. You're probably right, there is probably data that is being saved that I don't know about, though I do try to keep up. I have, not uncharitably, been described as a privacy nut. My concerns, such as they are, are not of the thief getting that data, as I said, theft of the phone isn't too much of a problem, but of it leaking to advertisers and others over the network, I have no doubt that's happening. As to the two items you mention, passwords and contacts, the first thing I would do if any phone with saved passwords, for wireless networks or anything else, went missing is to change those passwords. I would do that whether I did or didn't have a passcode on the phone, there would be no reason to take the risk of those passwords getting out even if I had a passcode and thought the passcode was secure. As to my travels, they're open to anyone who wants them, any private travels would mean that I should leave my phone at home. As to contacts, I keep them in my head, not on the phone. Finally, let me say that it's a pleasure to find someone who has actually thought about these things, most people don't even think about what is on their phone, they just apply the quickest security method and leave it there. Aman From: viphone@googlegroups.com [mailto:viphone@googlegroups.com] On Behalf Of Ben Mustill-Rose Sent: Sunday, April 26, 2015 6:26 PM To: viphone@googlegroups.com Subject: Re: Iphones no longer secure Hi, I'm sorry but I have to disagree with a number of your points. You said: On 4/26/15, Aman Singer <aman.sin...@gmail.com> wrote: > A smartphone is nothing more or less than a computer. The > passcode/fingerprint is simply security theatre, it makes things look > secure and may be secure against someone who doesn't have Google, but > it is not secure in fact. Once the phone is in the hands of someone > who wants and is willing to bypass the security, nothing is secure in > fact, it only depends on how much trouble the attacker is willing to > go to. Not security theater at all. If you are seriously insinuating that a casual Google search will allow your run of the mill mugger to bypass your passcode and or touch ID in a way that allows them to access your data then I'd be very interested in hearing some specifics. Lets not forget that the hardware hack that got a lot of media attention a month or so ago no longer works. As a side note, I'd wager that my iPhone is more secure than your average computer due to the amount of control that Apple has at a very low level. > This is one of the reasons why I have no passcode on my phone, it > offers very little extra security but does offer an inconvenience when > I want to unlock the phone. I do not keep any secure data on my phone, > any data that I object to the public having access to, simply because > the chance of theft is too high and, as we see, the passcode is not of > much use. Whilst I agree that to a certain extent where there's a will there's a way, unless you've been annoying any 4 letter agencies, I personally feel that saying that a passcode offers very little extra security is incorrect. Lets not forget that the workaround that was posted to the list has now been proven to be ineffective. Additionally, with all due respect, whilst we could debate the definition of secure data, I'd wager that you might not be aware of quite how much data iOS stores without making it overly clear to you. For example, do you really consider your wireless network password/s, where you've traveled to and any contact information data that you wouldn't mind sharing with the public? Cheers, Ben. > Aman > > -- > The following information is important for all members of the viphone list. > All new members to the this list are moderated by default. If you have > any questions or concerns about the running of this list, or if you > feel that a member's post is inappropriate, please contact the owners > or moderators directly rather than posting on the list itself. The > archives for this list can be searched at > http://www.mail-archive.com/viphone@googlegroups.com/. > --- > You received this message because you are subscribed to the Google > Groups "VIPhone" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to viphone+unsubscr...@googlegroups.com. > To post to this group, send email to viphone@googlegroups.com. > Visit this group at http://groups.google.com/group/viphone. > For more options, visit https://groups.google.com/d/optout. > -- The following information is important for all members of the viphone list. All new members to the this list are moderated by default. If you have any questions or concerns about the running of this list, or if you feel that a member's post is inappropriate, please contact the owners or moderators directly rather than posting on the list itself. The archives for this list can be searched at http://www.mail-archive.com/viphone@googlegroups.com/. --- You received this message because you are subscribed to the Google Groups "VIPhone" group. To unsubscribe from this group and stop receiving emails from it, send an email to viphone+unsubscr...@googlegroups.com. To post to this group, send email to viphone@googlegroups.com. Visit this group at http://groups.google.com/group/viphone. For more options, visit https://groups.google.com/d/optout. -- The following information is important for all members of the viphone list. All new members to the this list are moderated by default. If you have any questions or concerns about the running of this list, or if you feel that a member's post is inappropriate, please contact the owners or moderators directly rather than posting on the list itself. The archives for this list can be searched at http://www.mail-archive.com/viphone@googlegroups.com/. --- You received this message because you are subscribed to the Google Groups "VIPhone" group. To unsubscribe from this group and stop receiving emails from it, send an email to viphone+unsubscr...@googlegroups.com. To post to this group, send email to viphone@googlegroups.com. Visit this group at http://groups.google.com/group/viphone. For more options, visit https://groups.google.com/d/optout.