WWDC: Get to know Apple’s 11+ new privacy tools

Credit to Author: Jonny Evans| Date: Fri, 07 Jun 2019 05:22:00 -0700

Apple introduced an array of additional privacy protections at WWDC 2019. Many of these both offer protection and help us better understand how our privacy is undermined.

Apple CEO Tim Cook is passionate about the need to protect user privacy and this is by no means a one man mission.

Speaking with Vector, Apple’s VP Software Technology, Bud Tribble stressed the need to educate people into the needs and benefits of privacy, a topic he believes is much more” widely discussed now than before.

“Back in the 90’s security on the internet didn’t really come up as an issue and at some point it flipped,” he observed. “Now I think [a similar flip] is happening over privacy.”

“Apple has done more than most in pushing our industry forward and being an example of how to do that. Privacy should be available in every device and in every service,” he said.

Please take a look at this report for a detailed explanation of Sign-in with Apple, a service which essentially replaces existing authorization systems with an ultra-secure, ultra-private cross-platform sign-in system available to anyone with an Apple ID. Of course, when used in conjunction with Managed Apple IDs this opens up opportunities for highly secure enterprise service models.

Apple is rolling out big improvements in Maps.

Not only does its service usher in maps it has built following 4 million miles of driving in Apple Maps cars, but it also launches a better than Streetview Look Around feature.

The newly-designed and much improved version of the app Apple is shipping this year has lots of new features, but one you might take for granted may be the most important: privacy. No one but you knows where you go, Apple won’t know, advertisers won’t know and your Favorite places won’t be shared. That’s important as it means your car journeys won’t be tracked, and nor will you.

The company seems open to requests for how to improve its mapping system, with bike lanes a likely candidate for future inclusion. (Parking is another, but the balkanized nature of parking data – where it actually exists – makes this a challenge.) 

Tightened-up privacy protection inside Maps is supplemented by yet more improvements in Location Services. Apple has recognized that location is sensitive to privacy, as knowledge of location can expose a person’s pattern of life and help identify them.

This year, Apple is introducing new enhancements to protect location data:

A new Allow Just Once option in Location settings will let a user choose to give an app just one data point in order to use the app.

Users will get better notifications when an app requests background access. When they are given this information, users will be shown what locations they have shared with an app in a visual way, and can choose to revoke location access, or set it to new states.

Some apps like to side step location data by using information about current networks and beacons to try to identify users and devices. iOS 13 will introduce new controls to limit the access third-party apps have to such information.

These controls will give us a better understanding of what information apps are hoovering up, empowering us to make informed choices as to which apps we trust.

Typically, connected security cameras send video to a third party cloud service for analysis – the thing is, once the video is online users have no control over how it is used, shared or otherwise abused.

HomeKit Secure Video means video will be analysed on your HomeKit hub (HomePod, Apple TV, iPad) and if stored in the cloud will be encrypted with a secure key only you possess.

This means no one can look at that video, but you’ll still get notification alerts and can still watch the video on your device, as that device will know your secure key.

The problem with smart connected devices is that they are connected to the Internet, which turns them into a potential attack target. A smart home device that is successfully compromised can then act as a hub from which malware and other hacks can spread through other devices in the home.

To help protect the devices on your HomeKit network Apple has chosen to focus on the router with a new HomeKit for routers scheme. Routers that support the scheme will be able to automatically partition your smart home devices from each other and will apply firewall rules that restrict device-related internet communications to just those purposes necessary for the functionality of the device.

This both protects the devices from initial attack, and protects other devices in your home/office against secondary attack in the event another device is compromised.

Apple will bundle Find My iPhone and Find My Friends together into one app it is calling ‘Find My’.

It is also supplementing the original two apps with a third talent – the Find My app will be able to find a Mac even if it is offline with the lid closed and is disconnected from the Internet, using Bluetooth.

It works like this:

Apple explains that the finding devices will not seek the beacon message until they are doing this kind of transmission anyway, such as when you ask your iPhone to look for Bluetooth headphones or when the device wakes from Sleep.

During the conference, Tribble revealed another of the ways in which Apple strives to protect end user privacy: App reviews.

He said around 40% of the 100,000 apps submitted to the App Store every week are refused, often privacy grounds. Those grounds may include apps that request unnecessary permissions.

Apple’s new assistive technology, Voice Control, lets people who can’t operate traditional input devices control their Macs entirely with their voice.

This relies on Siri speech recognition tech, but what’s important is that at no stage is information about the user or what they are trying to do shared with Apple using the feature.

macOS Catalina now checks all apps for known security issues, while new data protections require all apps to get user permission before accessing user documents, a process which can now also be managed on Apple Watch.

The app security check is now mandatory and is called App Notarization.

Developers will be required to submit their app for a malware check by Apple. If their app checks out they will receive a ticket which can be attached to the app to show Catalina Macs the app is OK to run.

The idea is that apps acquired from the App Store or online will all be secure and malware-free. It will still be possible to override this protection in order to install a non-notarised app, but this will be the default setting.

macOS Catalina introduces a range of additional protections for your files. The system will try to ensure apps have your permission before they can access files in the Documents, Desktop, or Downloads folders, or those stored on removeable media, iCloud Drive, or other cloud storage providers.

This won’t necessarily involve burdensome prompts, your Mac will instead try to figure out your intent – so if you are in an app, save something, and later want to open it in the same app the system will assume this is OK; Similarly, if you’re using an app and navigate the standard, open and save dialogues through your file or folder structure and pick a folder or file to open, there’s going to be no security prompts to confirm that action.

However, apps (such as pro video creation and asset management tools) that root through your data in the background may require a prompt.

The idea is that in the event some malware happens to sneak onto your Mac, the amount of damage it can do in terms of stealing or destroying your data is severely limited.

Apple continues to invest in on-device machine learning and offers developers models for vision, language sound and speech they can use in their apps.

Core ML 3 supports more types of advanced, real-time machine learning models and allows developers to update machine learning models on-device using model personalization.

The idea is that users will benefit from AI, but not at the cost of privacy as analysis takes place on the device.

Photos is a great example of this. It introduces a range of image presentation and enhancement technologies, all of which rely on machine learning models stashed inside Apple’s neural engine on the device itself. The result? You get the convenience of AI, but information about you is not shared.

You can find some more on privacy and security at WWDC here.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

http://www.computerworld.com/category/security/index.rss