Tag Archives: Apple

Apple vs. FBI: The Debate between Privacy and Security

What is the fuss about? The reason that the FBI and Apple are in a heated debate is over one iPhone, but it is much more than that.  The argument began after a shooting in San Bernardino, California on December 2, 2015.  Considered as the worst mass shooting in modern US history since 2012, says NBC, the shooting ended with 14 killed and 21 wounded.    The 2 suspects for the shooting were both killed in a gun fight with policemen.  Terrorism is suspected (Ortiz, 2015).  With the FBI’s hands on the iPhone of one of the suspects, the FBI is desperately trying to gain access to the information on it to see if there was another shooter; law enforcement had previously believed that there may have been 3 shooters rather than just 2 (Ortiz, 2015).

In order to collect this information, the FBI needs access to the iPhone.  However, they are are struggling to gain access.  The FBI had contacted Apple and asked that they help them get information off of the device.  When asked, Apple denied helping, claiming that the FBI wants them to create a backdoor to get into all iPhone products.  The issue here is that iPhones are encrypted.

Why is this topic so controversial? This topic is so controversial because it goes so much further beyond just one simple iPhone; this situation magnifies the debate of security versus privacy.  This is something that the US government has been in turmoil over for years, especially when terrorism is involved.

The FBI is more concerned with security over privacy, while Apple is more concerned with privacy over security.  The FBI wants access to an iPhone that they have been locked out of when they reset the iPhone’s password when attempting to get into it.  Unfortunately, Apple says that since the password has been reset, there is no longer a connection to the cloud information because there is a password disconnect (Burchette, 2016). This is why the FBI has asked for a program to hack into the encrypted iPhone.  This is also why Apple is non-compliant .

Apple has exposed this situation because this shows a government that is no longer concerned with privacy, or with the consequences of creating such a program.  The difficulty of the matter is that this all comes back around to the Patriot Act, an amendment to the United States’ Electronic Communication Privacy Act (ECPA).  The Patriot Act has been around to create a loop hole for the Wiretap Act in order for law enforcement to surpass the need for a warrant for wiretapping, if there is suspected terrorism (Craig, 2013).  Given the controversy of this Act, there is clarity as to why this iPhone dilemma has gotten so big.

Can you see both sides?  Of course.  This entire thing has two different ways of looking at one case:

  • FBI’s Point of View:  There is a need to put the security of the United States over the general privacy of the people.  There is a need to look at the risk of not knowing crucial information on terrorism.  If you do not know what is going on, there is no way that another attack can be prevented.
  • Apple’s Point of View:  There is a need to put privacy before everything else.  If a program is made to get into the encrypted iPhone, it can be used by anyone who has it, and that is why there is so much resistance to make it.  This would not be one case, this would be the start of a further loss of privacy.

What is happening as of right now?  People have begun picking sides, and sticking to them.  Apple has written up its legal response detailing their refusal to the FBI’s request(s) (Heisler, 2016).  The FBI has continued to defend itself, claiming that it is not asking for a backdoor into all iPhones, but means to get into this one in particular.

All in all… This is a highly controversial topic and it is going to be one of many cases that will further influence the Crypto Wars, the battle between privacy-minded technologists and the U.S. government (McLaughlin & Froomkin, 2016).

__

Sources:

Burchette, J. (2016, February 21). FBI Admits It Reset San Bernardino Shooter’s iPhone Password. Retrieved from The Wrap: http://www.thewrap.com/fbi-admits-it-reset-san-bernardino-shooters-iphone-password/

Craig. (2013). Cyber Law: The Law of the Internet and Information Technology First Edition (pp. 92-131). Pearson.

Heisler, Y. (2016, February 25). Here’s Apple’s long-awaited legal response to the FBI. Retrieved from BGR: http://bgr.com/2016/02/25/apple-vs-fbi-legal-filing/

McLaughlin, J., & Froomkin, D. (2016, February 26). FBI vs Apple Establishes a New Phase of the Crypto Wars. Retrieved from The Intercept: https://theintercept.com/2016/02/26/fbi-vs-apple-post-crypto-wars/

Ortiz, E. (2015, December 3). San Bernardino Shooting: Timeline of How the Rampage Unfolded. Retrieved from NBC News: http://www.nbcnews.com/storyline/san-bernardino-shooting/san-bernardino-shooting-timeline-how-rampage-unfolded-n473501

 

 

 

 

 

Apple App Store Suffers First Malware Infiltration

I would like to start today’s post with a question to my fellow iPhone-owning students, faculty and staff. How many apps do you have installed on your device? For comparison’s sake, I’ll limit this example to just iPhones. At the time of this post I counted 47 installed on my own device. Now that you have that number for your own device, stop and ask yourself, how many of these apps do I know were written and published using trusted code sets and verified publishers? Would I have installed these apps if I knew that they were not trusted and potentially malicious?

In order to thwart the publication of malicious apps Apple, Inc. has developed stringent policies and review processes around application development for their OS X and iOS platforms. To complement these processes, developers are required to use a specific software development package called Xcode.

Earlier this week Apple News announced that it had found that an unprecedented number of apps had made it past the review process and were published to the App Store, subsequently downloaded. To put this in perspective, “Prior to this attack, a total of just 5 malicious apps had ever been found in the App Store, according to cyber security firm Palo Alto Networks, Inc.”, says Jim Finkle from Reuters.  To be more precise, 344 apps have been discovered by Chinese security firm Qihoo360 Technology Co. to be potentially affected by this attack.

This begs the question, how could this have happened? How could an organization with such strict requirements on app development inadvertently release apps infected with malicious code? The answer to this question lies with the software that we discussed earlier. Essentially a malicious copy of Xcode was created, also known as XcodeGhost. This framework almost identically mimics Xcode, with the exception that it can be modified to contain malicious code. While this may appear to be a rather simple concept the underlying logic of XcodeGhost is far more complex, a discussion which deserves its own white paper.

The fundamental issue with XcodeGhost is that it could potentially be used by legitimate app developers without their knowledge. Therefore we can assume that legitimate applications that leverage this malicious framework could be susceptible to SQL injection, XSS, or other client-based security flaws that could result in data leakage from a mobile device. Considering the types of apps that are available for banking, location tracking and social media, the problem of data leakage poses a very large and very real problem.

With that in mind, I think back to the 47 apps I have installed on my iPhone and wonder which apps I have installed that could potentially be vulnerable. Should there be a more strict verification process for app development that evaluates even the underlying development software that is being used? While we could leverage peer review methods or even the use of trusted certificates to avoid these situations we may continue to see these types of threats at a high frequency in the very near future. What do you think? Any discussion is welcome in the comments on how an organization might be able to avoid these situations.

Source:
http://www.reuters.com/article/2015/09/20/us-apple-china-malware-idUSKCN0RK0ZB20150920?utm_source=applenews

IPv6 may see a Usage Boom from Apple’s iOS 9

Apple’s newest mobile operating system, iOS 9, is scheduled to release on Wednesday, September 16, 2015, and may have a big impact on the use of IPv6.

Each device (mobile phone, laptop, router, etc.) connected to the Internet must have a unique Internet Protocol (IP) address.  IPv4, the previous version of the protocol, is running out of unused Internet addresses due to the massive use of the Web that was unexpected when the protocol was developed.  IPv6 is a newer Internet Protocol that was designed to have more than enough Internet addresses, long into the future.  IPv6 was released in 1998 but has been slow to adoption and is still not in widespread use today.

When iOS 9 hits the market, it will treat IPv6 as an equal to IPv4, rather than favoring the old system.  This means that iOS devices will start to use IPv6 much more than they have in the past.  In addition, Apple has noted that they will require all apps submitted to the Apple App Store to support IPv6 starting early next year.

What does this all mean?  An increase in usage of IPv6 would speed up service provider networks for consumers, and possibly allow for more development to happen in the areas of home automation, the Internet of Things (connecting non-computer devices to networks for more/remote control), and self-driving vehicles.  On the flip side, this could mean quite a bit more work for mobile developers, as apps and other software will need to be modified to use IPv6.

If you want to read more about it:
IT News:  IPv6 will get a big boost from iOS 9, Facebook says
TNW News:  OS X 10.11 and iOS 9 now prefer IPv6 for connections
Internet Society: Apple will require IPv6 support for all iOS 9 apps