Pando

Bad Apple? iOS 8 may not be as secure as we thought

By Nathaniel Mott , written on September 24, 2014

From The News Desk

Apple is pitching iOS 8 as one of the most security-focused versions of its mobile platform to date. But there are still questions about just how effective those security measures really are -- and how honest the company was with the promotional page it published earlier this month.

Karl Kornel, an enterprising iOS 8 user curious about the operating system's certificate use, has raised concerns this week about its security, based on its default setting of automatically "trusting" sites whose certificates were issued by certificate authorities run by governments such as the United States, China, Taiwan, and Turkey:

When it comes to web sites, it looks like there’s no need to crack the encryption, and you probably don’t even need an inside line to [VeriSign]! You can just issue your own faux-Microsoft cert (or faux-Google, or faux-Apple, or …) using one of your own governmental CAs, which iOS already recognizes.

Unfortunately, I cannot see any way (in Safari on iOS 8.0) to get information on the certificate chain for a web site. In other words, I can’t tell if the certificate for secure1.store.apple.com was issued by VeriSign, or if it was issued by the US Department of Defense. Safari does show the green URL bar and company name for EV certificates, but I have no way of knowing ahead of time that Apple uses an EV certificate for their sites.

Engadget breaks this down so people who don't often think about these certificates can get it:

This level of trust isn't necessarily bad; you're going to need at least some of these certificates to get things done, such as checking your email or logging into a social networking app. With that said, Kornel is concerned that you can't turn off any of the certificates if you're concerned about the potential for abuse. Governments could theoretically use their credentials to spoof other websites and break into your phone for surveillance purposes, as an example.

Whether this is intentional or if it's a necessary side effect of being required to trust certain governments, it's disheartening to hear that iOS 8 could leave devices vulnerable to spying even though Apple continues to promise that there's no way for customer data to be stolen -- or in some cases, legally gathered -- because of iOS 8's new encryption standards and securities.
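The check Kornel says Safari will not let him perform, which root a site's certificate chain actually ends at, is what a pinning client does for itself. The following is an added example, not code from the article or from Apple: it builds two constructed root CAs (a commercial one and a government one, both placeholder names), puts both in a trust store the way a device store would, issues a certificate for the same hostname from each, and shows that the store accepts both chains while a check against the expected root distinguishes them. Hostnames and CA names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn, signed by parent (nil parent: self-signed root).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: isCA, // SAN only matters on the leaf
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, pkey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainRoot verifies leaf for host against roots (the trust store) and names the root the chain ends at ("" if untrusted).
func ChainRoot(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return ""
	}
	return chains[0][len(chains[0])-1].Subject.CommonName
}

func main() {
	store, host := x509.NewCertPool(), "secure1.store.example.com" // store trusts both roots, as the article describes
	commercial, ckey := mkCert("Commercial Root CA", true, nil, nil)
	gov, gkey := mkCert("Example Government Root CA", true, nil, nil)
	store.AddCert(commercial)
	store.AddCert(gov)
	genuine, _ := mkCert(host, false, commercial, ckey) // the cert the site really uses
	other, _ := mkCert(host, false, gov, gkey)          // same hostname, issued under the other trusted root
	for _, c := range []*x509.Certificate{genuine, other} {
		root := ChainRoot(c, store, host)
		fmt.Printf("root=%q trusted=%v pinned=%v\n", root, root != "", root == "Commercial Root CA")
	}
}
```

Restricting the pool to the one expected root, or comparing ChainRoot's result against it, is the pin; the platform store on its own cannot tell the two chains apart.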

It's a good thing that Apple is at least attempting to secure its customers' data and to explain the steps it's taken to reach that goal. But it would be foolish to take the company at its word, particularly when so many of the National Security Agency's programs were conducted without their targets' knowledge. Apple is working to improve its security, but that doesn't mean anyone is secure.