Apple pushes privacy theme in Safari for iOS 12, 'Mojave'

Credit to Author: Gregg Keizer| Date: Fri, 22 Jun 2018 03:23:00 -0700

Apple upgrades its Safari browser on macOS and iOS just once a year, making the refresh more strategic than most of its rivals, notably Google, which last year had eight separate opportunities to add features or functionality to Chrome.

The next Safari, which will be bundled with macOS 10.14 ‘Mojave’ and iOS 12, and offered as a separate download for those who stick with macOS High Sierra (10.13) and Sierra (10.12), thus must make its enhancements count.

On the security and privacy side, Safari tries its hardest to build a case. Here are the important ways Apple’s browser – which shed user share on both the desktop and on mobile over the past year – has staked its reputation for the next 12 months.

Apple introduced a new API (application programming interface), Password Manager, which when called by developers, can auto-fill password fields from a third-party password manager in Safari and appropriately-coded apps.

AgileBits, the creator of the popular 1Password app, applauded the API’s impact on iOS, where dealing with passwords from a third-party manager has been, at best, awkward.

“This new capability is transformational in our ability to integrate with iOS. Starting in the next version of iOS, 1Password will be able to fill your credentials into every app that has opted into the Password Autofill functionality that Apple introduced with iOS 11 last year,” wrote Michael Fey, who leads the 1Password-on-Apple team, in a post to a company blog.

In Safari on an iPhone, passwords will be automatically extracted from the password manager via Safari’s QuickType bar, and validated by a fingerprint scan or Face ID.

Safari on iOS and macOS can automatically create, save and store, then later retrieve and auto-fill passwords that, by default, will be composed of 20 random characters, including lower- and uppercase letters, at least one number and at least one dash. Third-party managers often apply similar, or even stricter, rules for auto-generated passwords.

An example: jutjyx-nickiq-pezdE3

Safari stores the passwords in iCloud Keychain, so a site’s or service’s credentials crafted on a Mac will be available when accessing the same site or service from, say, an iPhone or iPad logged into the same iCloud account.

And as an additional check on password practices, Safari will also brand those that have been used and reused – and reused and reused – for multiple services and sites. (Security experts have warned against password reuse since the Web’s expansion 20+ years ago; arguing that doing so lets criminals break into several accounts when they manage to steal just one set of credentials.) Small yellow markers tag the too-often-used passwords under the “Passwords” section of the browser’s Preferences pane on macOS, and accompanying text tells the user what other sites or services rely on the same password. From there, the user can easily change passwords or ask Safari to auto-create strong passwords.

Last year, Apple introduced “Intelligent Tracking Protection,” or ITP, to Safari on macOS High Sierra and in iOS 11. This year, ITP gets even tougher on macOS Mojave and iOS 12.

In 2017, ITP automatically deleted some browser cookies – the small bits of code used by sites to “remember” previous visitors – to crack down on cross-site tracking. The practice had been widely criticized by privacy advocates for its use by advertisers to follow users from site to site, then bombard them with ads similar to those clicked on previously.

Safari’s ITP 1.0 ignored those cross-site cookies after 24 hours unless the user again interacted with the original site during that one-day stretch.

Groups representing online advertisers went ape, claiming that Apple’s move would “sabotage the economic model for the Internet” and asked the company to reconsider before “disrupting the valuable digital advertising ecosystem.”

Apple refused to budge. And it took another step with ITP in Safari this year.

For one, the 24-hour access by sites to the cross-site cookies has been revoked, requiring that “the user interacts with the embedded content” before the originating site can use the cookie to track the user’s movement elsewhere. And a new alert pop-up will appear, asking the user if he or she wants to allow tracking when the original cookie is retrieved from local storage.

Other improvements on both iOS 12 and macOS Mojave – courtesy of Safari’s tracking protection – will prevent “share” and “like” buttons, such as those posted by sites for Twitter and Facebook, from tracking users without their permission. “These can be used to track you, whether you click on them or not, and so this year, we are shutting that down,” asserted Craig Federighi, who leads Apple’s software engineering, during the June 4 keynote kickoff to the Cupertino, Calif. firm’s Worldwide Developers Conference (WWDC).

And Safari on iOS 12 and Mojave will be stingier on what information it offers sites, information that some leverage to essentially fingerprint a user by examining specific pieces of evidence, like the combination of fonts and individual plug-ins installed.

“It turns out that when you browse the web, your device can be identified by a unique set of characteristics, like its configuration, its fonts that you have installed, and the plug-ins you might have on the device,” Federighi explained at WWDC. The newest Safari reveals much less to sites, offering up only a “simplified system configuration,” and only the built-in system fonts.

“Your Mac will look like every else’s Mac,” said Federighi, making fingerprinting much more difficult.

http://www.computerworld.com/category/security/index.rss